Employee password resets make up a big percentage of the tickets that the service desk handles on a daily basis. While a lot can be said for the high costs that are incurred at the help desk for these types of calls, which Forrester estimates cost about $70 per call, more can be said about the risks that are present with this process. It might be easy to think that the help desk by itself is enough to ensure security, but techniques like social engineering prove otherwise.
Social engineering is an attack technique that tricks users into divulging confidential information, often with the help of personal details about the target that are easily found online. A classic example is a hacker calling the service desk for a password reset while pretending to be someone else, in order to gain access to the organization’s sensitive data.
The hard truth is that the service desk barely has time to reset passwords, let alone verify each caller’s identity carefully. So, no matter how well intentioned the process the help desk agent is supposed to follow, each agent is going to fall victim to the pressures of the job, whether that is the resolution time on the ticket or skipping security steps to help out a supposed executive. Hackers take full advantage of the pressure service desk personnel are under, which makes this method a relatively easier way to obtain a user’s password than guessing or cracking it.
Hackers breached EA Games
To understand how prevalent the risk is, look no further than the 2021 EA Games breach. A group of hackers gained access to internal systems and stole data from game publisher Electronic Arts (EA Games), in part by tricking an employee over Slack into providing a login token. A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using them to gain access to a Slack channel used by EA, according to Vice.
“Once [we gained access to their internal slack channels], we messaged [an] IT Support [representative] we [told] them we lost our phone at a party last night,” the representative said. The hackers then requested a multifactor authentication token from EA IT support to gain access to EA’s corporate network. The representative said this was successful two times.
Once they gained access, the hackers stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data, and are advertising it for sale on various underground forums. While most hackers are motivated by the profits of their exploits, the ramifications for an organization like EA could be devastating.
“This sort of breach could potentially take down an organization,” Saryu Nayyar, CEO of cybersecurity firm Gurucul said in a statement to TechRepublic. “Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering. Exposing this data is like virtually taking its life.” In addition to that, the company saw its share price go down by 2% in the week following the news story of the data breach going public.
You can see why it’s easy to worry about this happening to your organization, BUT there is a way to enforce and track user authentication at the service desk. You CAN guarantee that information and password resets are not offered to users who are not authorized to receive it.
Verify user identification with Secure Service Desk
With Specops Secure Service Desk you can securely enforce caller verification instead of relying on insecure processes that are prone to human error. Secure Service Desk customers can use authentication methods that remove the opportunity for user impersonation by requiring verification with something the user has, not just something the user, or an attacker, may know.
Secure Service Desk increases security with identity verification options that range from mobile or email verification codes, to commercial providers such as Duo Security, Okta Verify, and PingID. All of the supported identity services go beyond the knowledge-based “something you know” method by requiring “something you have” such as the possession of a device.
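As an added illustration of the “something you have” gate described above (example code written for this page, not Specops product code), the Python sketch below sends a one-time code to the device registered in the directory rather than to the caller, limits the code’s lifetime and the number of guesses, refuses the reset unless a verification has just succeeded, and records every decision so resets can be tracked. The directory entries, the delivery hook and the clock are constructed assumptions.

```python
import hmac, secrets, time

CODE_TTL_SECONDS = 300   # a verification code is valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before the challenge is discarded

class ServiceDeskVerifier:   # hypothetical helper, not the Specops product
    def __init__(self, directory, send_code, now=time.time):
        self.directory = directory   # user -> registered device (constructed sample data)
        self.send_code = send_code   # delivery hook: send_code(destination, code)
        self.now = now
        self.challenges, self.verified, self.audit = {}, set(), []

    def start_challenge(self, user):
        dest = self.directory.get(user)
        if dest is None:             # caller names a user with no registered device
            self.audit.append((user, "challenge_refused_unknown_user"))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[user] = {"code": code, "expires_at": self.now() + CODE_TTL_SECONDS, "attempts": 0}
        self.send_code(dest, code)   # goes to the registered device, never to the caller
        self.audit.append((user, "challenge_sent"))
        return True

    def verify(self, user, submitted):
        ch = self.challenges.get(user)
        if ch is None or self.now() > ch["expires_at"]:
            self.challenges.pop(user, None)
            self.audit.append((user, "verify_failed_no_valid_challenge"))
            return False
        ch["attempts"] += 1
        if hmac.compare_digest(ch["code"].encode(), str(submitted).encode()):
            del self.challenges[user]
            self.verified.add(user)
            self.audit.append((user, "verified"))
            return True
        if ch["attempts"] >= MAX_ATTEMPTS:   # guessing guard: discard after too many misses
            del self.challenges[user]
        self.audit.append((user, "verify_failed_wrong_code"))
        return False

    def reset_password(self, user, agent):
        if user not in self.verified:     # policy: no reset without possession proof
            self.audit.append((user, f"reset_refused agent={agent}"))
            return False
        self.verified.discard(user)       # one reset per verification
        self.audit.append((user, f"reset_performed agent={agent}"))
        return True
```

A “lost my phone” story, as in the EA case, gives the caller nothing here: without the registered device the code never reaches them, and the agent cannot complete the reset on their say-so.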
If you want to remove the risk of social engineering at the service desk by enforcing user verification before a password reset or account unlock can be completed, start your free trial of Secure Service Desk today.