

Who's calling, please?

Mathias Thurman | Jan. 16, 2015
Our manager discovers that the company’s customer validation processes are weak. It’s trouble that’s just waiting to happen.

Some security weaknesses can't be found with a scan or a vulnerability assessment of the infrastructure. As a security manager, you have to keep your eyes open for things that aren't as secure as they should be, based on any evidence that comes your way. That happened to me a few weeks ago, in just about the best way possible. We were able to take steps to tighten security in a particular area after an incident that could have been damaging but actually wasn't. I wish all our security lessons could be so benign.

Here's the story.


Trouble Ticket

At Issue: The company lacks any clear policy on verifying users who call in for things like password changes.

Action Plan: Establish solid policies and procedures, and make sure the customer service staff takes them seriously.


Someone called our customer support team saying he was a vice president at a company that's a customer for our services. He needed a password reset. He told the customer support rep that the password reset function wasn't sending a new password notification to his email address as he had requested. Our support rep went ahead and changed the password, told the caller the new password and set the password to be changed upon login.

I didn't know anything about this interaction until later. If I had, I would have protested that the rep needed to verify the vice president's identity. And as it turns out, we soon learned that the caller was not who he had claimed to be. This came to light a couple of days later when that same vice president called, complaining that he couldn't log into the application. "Are you using the new password that you set up a couple of days ago?" asked the support rep. "I didn't change my password a couple of days ago," was the response. "I just got back from vacation. A couple of days ago, I was on a plane."

That's when I got pulled in.

When we looked into the situation, we discovered that the person who had asked for a new password was an employee at the company who reported to the VP. He needed access to some application functionality that's available only to that VP. Not wanting to bother the VP while he was on vacation, he called, using the VP's name, in an attempt to get access to his account. It worked, but as far as I'm concerned, it shouldn't have.

We didn't get burned, but I did feel some heat. If the unauthorized employee could get the VP's password with such ease, why couldn't a true outsider, someone with less than benevolent intentions, do the same thing? We needed to tighten our policies on customer validation.


