The challenge we had was we were a company that had 25 (later 53) locations around the country. Some of the people we supported were mobile users and could be literally anywhere.

Blind callbacks were the preferred method of verification.

Caller: My name is Sid Down and I need my password reset.
HD: OK Mr. Down, I see you are a mobile user. Can I call you right back on your cell phone?
Caller: Errrmmm... I don't have my cell phone handy and I'm not in the office... can you call me at (555) 555-1212?
HD: Mr. Down, please call us back when you are either in your office or have your cell handy. We don't have (555) 555-1212 as an authorised callback number for you at this time.
Caller (tries another approach): WHO THE (Expletive Deleted) IS YOUR MANAGER!?!?! I WANT MY PASSWORD RESET NOW!
HD: I understand your frustration Mr. Down and want to help. I will conference your manager into this call as well as my own manager. Perhaps your manager can vouch for your identity.
Caller: ****CLICK!******

This is a sanitized version of a conversation that actually took place between my help desk and a caller.

A person was looked up in the corporate contacts list and could receive a callback on one of up to four numbers that were prearranged. There was a security question they were asked (e.g. "What is your dog's name?") that was pre-arranged, and then the password would be reset.

In addition an email was sent to a special mailing list "security-managers" so that an eye would be kept on accesses by this user for a few days.

This all worked fairly well. It wasn't a perfect system, but it worked. Additionally, mobile users were issued SecurID tokens and had to pass the challenge-response system in order to dial in.


Peter L. Berghold
Brewer of Belgian Ales
Peter@Berghold.Net
www.berghold.net
Unix Professional

In reply to Re:^3 Security: Technology vs Social Engineering by blue_cowdawg
in thread Security: Technology vs Social Engineering by chunlou
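The reset workflow described in the post (directory lookup, callback only to a pre-arranged number, pre-arranged security question, then a notification to the security-managers list), as an added example in Python; it is not code from the original post. The directory entries, the salt, the "rex" answer and the 555-0100/0101 numbers are constructed sample data.

```python
import hashlib
import hmac
import re

# Constructed sample directory: each user has up to four pre-arranged callback
# numbers and a salted hash of the security-question answer (never the answer itself).
DIRECTORY = {
    "sdown": {
        "callback_numbers": ["+15555550100", "+15555550101"],
        "question": "What is your dog's name?",
        "salt": b"constructed-salt",
        "answer_hash": hashlib.sha256(b"constructed-salt" + b"rex").hexdigest(),
    }
}

# Stands in for the mail sent to the "security-managers" list so that accesses
# by the user can be watched for a few days; every decision is recorded.
AUDIT = []


def normalize(number):
    """Reduce '(555) 555-0100' style input to +1-prefixed digits so a caller
    cannot slip past the allow-list with a differently formatted number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def verify_reset(user_id, requested_number, answer):
    """Return (ok, reason). A callback goes only to a pre-arranged number, the
    security answer is compared in constant time, and every attempt is audited."""
    user = DIRECTORY.get(user_id)
    if user is None:
        return False, "unknown user"
    if normalize(requested_number) not in user["callback_numbers"]:
        AUDIT.append(("REFUSED_CALLBACK", user_id, requested_number))
        return False, "not an authorised callback number; call back from office or cell"
    given = hashlib.sha256(user["salt"] + answer.strip().lower().encode()).hexdigest()
    if not hmac.compare_digest(user["answer_hash"], given):
        AUDIT.append(("BAD_ANSWER", user_id, requested_number))
        return False, "security question failed"
    AUDIT.append(("PASSWORD_RESET", user_id, requested_number))
    return True, "reset approved; security-managers notified"
```

The refused-callback branch is the point of the post: the help desk never dials a number the caller supplies on the spot, however loudly it is demanded.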
