
Identity Theft from the IT-department is the Achilles Heel for Identity Management Solutions

This blog discusses the risk for identity theft of enterprise users’ accounts through the IT-department. It also presents a solution to protect internal processes and services thereby preventing identity theft for a small additional fee.


The cost of implementing secure identity verification at the help desk is expected to be less than 2-5% of the total Identity Project investments, while delivering improved security within a timeframe of 2-4 months.

The objective of all Identity Management solutions is to ensure that only authorized individuals have access to data and systems. However, our IT-systems do not recognize people directly, they only recognize user-identities. To establish a connection between individuals and their identities, we employ credentials such as passwords.

Everything seems fine until a hacker steals the credentials of a legitimate user. At this point, the Identity Management solution inadvertently aids the criminal in gaining full access as the genuine user. This results in both Identity Theft and a Data Breach.

Falling victim to a phishing scheme is already problematic for a user, but it becomes completely unacceptable when the IT-department unintentionally gives away users’ credentials. As Kevin Mitnick wrote many years ago: “Why waste hours on breaking into an IT-system when you can do it in minutes with a phone call”! The IT-service desk, as part of its duties, resets passwords, which means that by impersonating a real user, someone could potentially obtain their password.


Are IT help desks really attacked by hackers?

In 2018 a UK teenager named Kane Gamble was sentenced for committing a significant data breach. His targets included high-profile figures such as then CIA director John Brennan, Director of National Intelligence James Clapper, Secretary of Homeland Security Jeh Johnson, FBI deputy director Mark Giuliano, as well as other senior FBI figures. Gamble successfully posed as Brennan and tricked call center and helpline staff into revealing broadband and cable passwords, which his team also used to gain access to plans for intelligence operations in Afghanistan and Iran.

In 2020, Twitter experienced a breach that exposed its users’ accounts to hackers. The mastermind behind the attack is Graham Ivan Clark of Tampa, Florida, who was only seventeen at the time of the attack. According to Twitter: “The attack targeted a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.” This is a precise description of Social Engineering.

Similar social engineering attacks against IT help desks have been reported by other companies such as Twilio, Robinhood, Cisco, and Mailchimp. It is remarkable that it is the high-tech companies that have been transparent about these data breaches and attacks. From conversations with customers, we have learned that other companies also face the burden of dealing with such incidents.

An example of a social engineering attack against the IT help desk

A customer experienced this example:

A hacker came across a manager’s name and email in a forum. They proceeded to look up the manager’s employees on the company’s LinkedIn page, where they easily found an employee’s name and email. Obtaining this information was relatively easy.

Next, the hacker contacts the Service Desk to gather more information. Let’s name the manager Jim Ward, and his employee Tom Johnson. By guessing, or by searching the help pages on the company website, the hacker finds a CRM application. He tries the email Jim.Ward@acme.com as the login, which gives an “unknown user” error, and then finds that the username Jim.Ward works.

Tom.Johnson also works as a username. Now he calls the Service Desk, and the conversation unfolds as follows:

[Image: sample conversation 1 between the hacker and IT support]

So now the hacker has obtained a lot of knowledge: he knows when and where the user had an issue, and even the ticket number.

The hacker calls again and makes sure it is a different Service Desk Agent this time – pretending to be Tom.

[Image: sample conversation 2 between the hacker and IT support]

The Agent does not suspect anything is amiss, since “Tom” has specific information such as the username and the ticket ID. This establishes trust with the agent, who believes this is in fact Tom!

And that’s how they were hacked.

See also: How to Hack the Service Desk: Reconstruction of a Real Story as Recounted by a Client

How are users verified today?

Currently, most service desks want to verify users with simple verification tests. Service Desk Institute did a survey in 2018:

Currently, we observe that many service desks are incorporating SMS messages as a supplementary verification method.

However, this approach presents several issues. Firstly, many answers to verification questions can be obtained in advance, and phone numbers and SMS replies can easily be spoofed.

The more significant concern lies in the fact that skilled hackers adept in social engineering techniques can manipulate agents / supporters into deviating from the prescribed verification procedures. Add to this the fact that many supporters have limited experience and knowledge, while also facing pressure to handle a high volume of calls.

Moreover, these supporters are often told to treat the callers as valued customers and provide excellent service. This presents a contradiction to their security tasks, as we expect them to approach all claims with skepticism.

The hacker industry evidently deems it worthwhile to target the help desk for gathering information and credentials. According to Statista, as of 2021, 69% of IT departments reported experiencing vishing attempts:

[Graphic: vishing cases against IT staff have increased]


Conclusion: The hackers require passwords and expect to obtain vital passwords from the IT-Department. Real-life examples illustrate that it is not difficult for even inexperienced teens to gather them!

We can choose to ignore reality and pretend that it doesn't occur. However, as seasoned managers often emphasize, relying solely on hope is not a viable strategy.

What is the Vision?

Envision a scenario where, upon receiving a call, a service desk employs an intelligent IT-workflow that conducts a verification test based on dynamic and contextual data. The extent and complexity of these tests, as well as the data involved, are determined by the specific situation and users involved.

This approach ensures that hackers are unable to manipulate the support staff and premeditate the verification process. Consequently, the hacker's attempts are thwarted, and they may find themselves inadvertently contacting someone else, such as your neighbor.

All calls might last a bit longer, but security always costs time and money.


SOLUTION OVERVIEW

The FastPass on-premise or cloud solution offers a secure identity verification service that is easy to integrate into any ITSM tool.

FastPass will collect system data from user directories, from its own data and from other systems, and use MFA tokens already in use:

[Graphic: Verification Data and Tokens]

Tokens include OKTA, DUO, Microsoft Authenticator, Smartcards, SAML authentication services and more. Manager verification can be included as well.

FastPass integration to ServiceNow and TOPdesk is already certified.

The reset of passwords is not only for AD and Azure but includes SAP, Oracle, IBM, LDAP, SQL, and more.

The important flexibility in FastPass allows the administrator to configure multiple workflows to fit different users and different situations. At the end of the verification process, FastPass writes all details to the ticket before it is closed. In many situations, the user will create the new password directly in FastPass instead of receiving a temporary password.

It is important to remove the supporters’ privileged rights to password reset, so that they cannot circumvent FastPass by using Windows Administrator privileges to reset the password there!

A better way than to have supporters reset passwords is of course to give users a self-service portal and this is included in FastPass.
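As an added illustration of the workflow described in the Vision and Solution Overview sections (this is not FastPass code and not from the original post): a small policy function that picks verification steps from contextual data, refuses to count pre-gatherable facts such as the username or ticket ID as evidence, and builds the audit record that would be written back to the ticket. The step names, token names and the fields of the Caller record are assumptions.

```python
from dataclasses import dataclass, field

# Facts the attacker in the story above gathered in advance; offering them
# must never count as verification evidence on their own.
PRE_GATHERABLE = {"username", "email", "ticket_id", "manager_name"}

@dataclass
class Caller:                      # hypothetical ticket/context record
    claimed_user: str
    privileged: bool               # e.g. admin or executive, from the directory
    request: str                   # "password_reset" | "unlock" | "account_info"
    mfa_tokens: tuple = ()         # enrolled push tokens, e.g. ("okta",)
    offered: set = field(default_factory=set)  # facts the caller volunteered

def required_steps(c: Caller) -> list:
    """Choose verification steps from dynamic, contextual data.
    Higher risk (credential change, privileged user) demands stronger factors;
    SMS is deliberately absent because replies can be spoofed."""
    steps = []
    if c.request == "password_reset" or c.privileged:
        # Possession factor the caller cannot prepare for in advance
        steps.append(f"mfa_push:{c.mfa_tokens[0]}" if c.mfa_tokens
                     else "manager_callback")
    if c.privileged and c.request == "password_reset":
        steps.append("manager_callback")
    steps.append("directory_question")   # always at least one contextual check
    return list(dict.fromkeys(steps))    # de-duplicate, keep order

def verify(c: Caller, completed: set) -> dict:
    """Decide the call and build the record written to the ticket on close."""
    needed = required_steps(c)
    missing = [s for s in needed if s not in completed]
    return {
        "user": c.claimed_user,
        "required": needed,
        "missing": missing,
        "ignored_evidence": sorted(c.offered & PRE_GATHERABLE),
        "approved": not missing,
    }

if __name__ == "__main__":
    # Constructed: the Tom Johnson call from the story, before any real check
    tom = Caller("Tom.Johnson", False, "password_reset", ("okta",),
                 {"username", "ticket_id"})
    print(verify(tom, completed=set()))
    # -> approved False, ignored_evidence ['ticket_id', 'username']
```

The agent only gets an approval once every step the policy demanded is recorded as completed, so knowing the username and ticket ID alone (as in the story) changes nothing.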

BUSINESS CASE

Even though the solution carries a low cost, most companies will demand a business case to balance benefits and costs. For security projects it is not an easy task to complete the business case, as there is no direct new revenue or direct cost saving.

Many business cases start with clear symptoms of problems, such as excessive cost for company cars in one division compared to other divisions. The upside will be the difference between the present costs and the future costs.

In this situation a better comparison is COVID! We have not been hit yet, and we do not know if it will happen. However, we do see that many others have been infected.

Should we take the vaccine or not?

We are not talking about a cure, but vaccination to prevent future costs.

According to an IBM research report the average cost of a data breach in USA in 2022 was $9.4M!

The FastPass implementation can be completed in 2-4 months’ time, and the operational cost will be a small fraction of the costs for the Identity Management project and security-related costs in total. Expect a ballpark figure of less than $2/user per year.


In the IT industry, we often perceive ourselves as the heroes who solve problems and overcome challenges for all other departments. We do not like to acknowledge the possibility that we could be the Achilles Heel when it comes to the security of our organization. The truth is that our IT help desk can unwittingly disclose critical information and provide credentials (such as passwords) to malicious individuals.

Unfortunately, we have not taken sufficient measures to prevent this from happening. The result might easily be identity theft against an important employee.

Considering the significant investments made in implementing Identity and Governance Management solutions, it is nonsensical that the entire structure is vulnerable due to the ease with which an attacker can obtain a user’s credentials – even when this user is extremely careful not to give them away to phishing or other attacks!

As IT professionals we cannot afford to be the weak link in our organization’s security chain. Ignoring the issue will not serve any beneficial purpose. Instead, we must confront these challenges head-on and actively work towards strengthening our security measures.


As IT professionals we must not be the weak link in security. It does no good to put our head in the sand!


Finn Jensen | Founder, FastPasscorp
