A new look on identity verification, often overlooked but crucial component in dealing with social engineering attacks

Issued by Integralis IT Consultancy
Johannesburg, 20 Oct 2020

COVID-19 has redefined the way businesses interact with their staff, business partners, suppliers and the like. Many organisations were mandated to employ a work-from-home policy where possible, and even now as the lockdown restrictions are gradually lifted, it seems like this ‘distributed workforce’ milieu, or at least a hybrid thereof, is set to continue for the foreseeable future.

Services and capabilities for this remote (home) office were expedited by many IT departments and service providers with a necessitated amount of haste. New hires were onboarded during the lockdown with as much welcome as one can produce with social distancing and remote offices in place. Inevitably, new team members and IT support staff are physically removed from one another and interact with voice calls, voice and video conferencing technologies. This ‘remoteness’ equips imposters with yet another method to exploit unsuspecting call service desk agents by impersonating employees attempting to reset their network or application passwords.

So, how accurately can the service desk agent verify the identity of the user? Traditional questions and answers are a viable screening method, but in modern times where imposters have access to a wide array of personal information online, the effectiveness of traditional questions and answers are diminishing in value as the data becomes outdated. For example, how many times has your postal or physical address changed without updating the HR records? The service desk agent then utilises outdated information for verification. If you can persuade the service desk agent, in many instances someone you’ve never personally met before, that you are the correct person on the other end of a voice call, then surely a malicious imposter can do the same by supplying generally available semi-accurate information.

The password reset process at the service desk can be an excellent gateway for attackers to breach IT systems.

Consider the scenario where a user needs to reset their enterprise password. The first step is to contact the IT service desk, and the agent needs to verify the caller’s identity only using their voice.

The ideal is to eliminate the possibility of human error from the identity verification process by having an IT workflow process guiding the service desk agent through the process. The process needs to be adapted based on user groups within the enterprise, and must include many different verification components, like personal data, tokens, maybe even a manager’s approval if so mandated.

Introducing the Identity Verification Client (IVC)

The Identity Verification Client (IVC) replaces the traditional identity verification portion of the service desk's password reset process by controlling the actions needed to verify each user based on specific, relevant information – the data used to verify the user is a combination of static and dynamic data. Once the identity of the user is established and verified, the password can be reset and/or changed.

The IVC has many different verification options and is highly configurable and fully auditable. The diagram below provides a view into various sources of static and dynamic data that can be used in the verification process.

Although the above scenario focused on the single process of contacting the company help desk for support relating to the reset of a password or other credentials, the Identity Verification Client provides the ability to configure many different scenarios throughout the business.

These can include:

Third-party or vendor verification as part of requests for access to company resources (VPN, etc);
Human resource verification of employees or contractors in scenarios where salary details need to be updated; and
Verification of individuals by building security before issuing physical security access (smart card, tokens, etc).

The benefits of using the Identity Verification Client are: