Consider the following scenario. You work in the customer support team for a small web hosting provider. A call comes in from a user who claims they are unable to access their email account and therefore can’t reset the password for their hosting account. You run through the usual process for verifying their identity: what’s your full name and address? What’s your account username? The user supplies apparently accurate details and then asks you to change the email address associated with their account so that they can reset the password.
What do you do? You don’t want to lose the customer. You want them to be able to access their account. Do you change the email? If you understand the security implications, you most certainly do not do as the user asked. Obtaining a person’s name, address and email details is trivially easy, and knowledge of them shouldn’t be considered a valid form of identity verification.
And yet, tricks like this do work in many cases. Companies like Amazon have given out physical addresses based on easily faked verification information. Apple has allowed user accounts to be hacked because they gave out temporary passwords. It’s not uncommon.
It is, however, uncommon enough to be difficult to combat. Ninety-nine percent of support calls of this nature are genuine. People do lose their account details, they are locked out of their email accounts, they forget which address they have ordered a product to be delivered to (surprisingly). The temptation is often to give customers the benefit of the doubt, but doing so is the reason that attackers are able to breach users’ accounts with surprising ease.
It doesn’t matter how solid your company’s encryption is, how well designed its password storage system is, or how immune it is to attack from outside the network. If a malicious individual can pick up a phone and talk to a support rep who is too willing to help, all the security systems in the world aren’t going to keep the customer’s data safe.
I’ve written before about the value of security training for employees. Employees are both the biggest security risk most companies have, and the best way to combat that risk. Unfortunately, many companies don’t implement the sort of security training and procedures that would empower employees like the support technician who answered the call in my example.
Customer service and support representatives are the front-line interface of a hosting company with its clients, and they should be trained accordingly. They should know how to spot phishing attempts and the type of social engineering attack we’ve discussed here. Without adequate training for front-line staff, your customers’ data, their business, and possibly their safety are at risk.