In today's article, I discuss a security procedure that many companies and organisations still struggle to implement: verifying staff identity during password resets. As a postgraduate student, I have heard from my peers that some help desk departments are not verifying staff identity during password reset requests. There could be many reasons for this, such as the help desk staff not having the information available to confirm a staff member's identity, or a concern that verifying staff identity might breed a culture of mistrust in the workplace.
If staff identity is not verified, it is very simple for a threat actor to gain access to a staff member's account and the internal network. Some businesses may already have a simple procedure in place: the staff member calls the help desk to request a password reset, the help desk operator provides a temporary password, and the staff member logs in and changes their password. However, this may not be the most secure procedure; let me explain why.
With the many free online voice cloning tools now available, it is very simple for anyone to clone an individual's voice using AI. What's to stop a threat actor from cloning the voice of the Chief Financial Officer (CFO)? Let's say a threat actor has access to the company network (this threat actor could be working as an insider) and wants access to the CFO's account for malicious purposes. What's to stop that threat actor from impersonating the CFO to request a password reset?
There are a few methods that can be used to verify a staff member's identity. The first is a simple one: verify at least 3 points of ID with the staff member that are not known to the public. Such ID can include the last 4 digits of their driver's licence number, tax file number and bank account number. The key is that this information must be easily available to the staff member requesting the password reset, but not easily available to the threat actor. Multifactor authentication should also be used, such as sending a code to the staff member's mobile phone.
Social media has made verifying identity via date of birth redundant. If the CFO has a social media account and regularly posts about their birthday, then it is not going to be hard for the threat actor to discover the CFO's date of birth. Verifying identity via the staff member's role in the company is also redundant; it is not going to be hard for the threat actor to find an organisational hierarchy chart. For security reasons, it is best not to use publicly available information when verifying staff identity.
Storage of identifiable information is also important. If you are collecting personal information about the staff in your organisation, then it is very important that the database containing this information remains encrypted and password protected. As a security professional you always need to be thinking about the worst-case example: what if the threat actor was able to transfer that database outside of your organisation? What if the threat actor gained access to a computer system that contains the database? I am not being paid to sell you a product, so I am talking in general terms here. But if you were to populate a database with personal data, then that database must be encrypted with a strong, high-bit-length cipher and password protected. That way, if the threat actor were able to transfer this information out of the organisation, it would still be encrypted and password protected.
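The following is an added example, not code from the article, that puts the two points above together: the help desk gate requires at least 3 matching non-public identifier fragments and then a one-time code sent to the registered mobile, and the fragments themselves are never stored in plaintext. The storage side uses a keyed hash (HMAC-SHA256 with a secret "pepper" held outside the database, assumed to come from a secrets manager) rather than whole-database encryption; this is my substitution for the article's "encrypted and password protected" requirement, chosen because 4-digit fragments would otherwise be trivial to brute-force from a stolen table. All names, field labels and sample values are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example, not the article's own code: a help-desk password-reset
# gate that (1) checks at least three non-public identifier fragments and
# (2) requires a one-time code delivered to the staff member's registered
# mobile number.
#
# Assumption: PEPPER is a secret kept outside the database (e.g. in a
# secrets manager). Fragments are stored only as salted, keyed hashes, so a
# copy of the table exfiltrated without the pepper can be neither read nor
# brute-forced, even though each fragment is only four digits.
PEPPER = os.environ.get("HELPDESK_PEPPER", "example-pepper-replace-in-production").encode()

MIN_MATCHES = 3        # "at least 3 points of ID"
OTP_TTL_SECONDS = 300  # one-time code expires after five minutes
OTP_MAX_ATTEMPTS = 3   # lock the code after three wrong guesses

_pending_otps = {}     # username -> (sha256 of code, expiry time, failed attempts)


def _normalise(value):
    # Ignore spacing and case so "0937" and " 0937 " compare equal.
    return value.strip().replace(" ", "").lower()


def hash_fragment(field, value, salt):
    # HMAC-SHA256 keyed with the pepper over salt || field || value, so the
    # same four digits in two fields or two records hash differently.
    msg = salt + field.encode() + b"\x00" + _normalise(value).encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


def enrol(store, username, fragments, mobile):
    """Store a staff member's identifier fragments as salted keyed hashes."""
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "fragments": {f: hash_fragment(f, v, salt) for f, v in fragments.items()},
        "mobile": mobile,   # only the registered number ever receives the OTP
    }


def verify_knowledge(store, username, answers):
    """True if the caller matched MIN_MATCHES of the enrolled fragments.
    Answers for fields that were never enrolled (e.g. a date of birth) earn
    no credit, and every enrolled field is checked so timing stays uniform."""
    rec = store.get(username)
    if rec is None:
        return False
    matches = 0
    for field, stored in rec["fragments"].items():
        given = answers.get(field)
        if given is None:
            continue
        if hmac.compare_digest(stored, hash_fragment(field, given, rec["salt"])):
            matches += 1
    return matches >= MIN_MATCHES


def start_reset(store, username, answers, now=None):
    """Step 1: knowledge check. On success, issue a 6-digit one-time code.
    Returns the code for the SMS gateway to deliver, or None on failure."""
    if not verify_knowledge(store, username, answers):
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    digest = hashlib.sha256(code.encode()).hexdigest()
    _pending_otps[username] = (digest, now + OTP_TTL_SECONDS, 0)
    return code


def complete_reset(username, code, now=None):
    """Step 2: the caller reads back the code from their phone.
    Codes are single-use, expire, and lock after OTP_MAX_ATTEMPTS failures."""
    entry = _pending_otps.get(username)
    if entry is None:
        return False
    digest, expiry, attempts = entry
    now = time.time() if now is None else now
    if now > expiry or attempts >= OTP_MAX_ATTEMPTS:
        _pending_otps.pop(username, None)
        return False
    if hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest()):
        _pending_otps.pop(username, None)   # single use
        return True
    _pending_otps[username] = (digest, expiry, attempts + 1)
    return False


if __name__ == "__main__":
    # Constructed sample record: every fragment value here is made up.
    db = {}
    enrol(db, "cfo", {"licence_last4": "4821", "tfn_last4": "0937",
                      "bank_last4": "5510"}, "+61 4xx xxx xxx")
    code = start_reset(db, "cfo", {"licence_last4": "4821", "tfn_last4": "0937",
                                   "bank_last4": "5510"})
    print("knowledge check:", "passed" if code else "failed")
    print("otp check:", complete_reset("cfo", code or ""))
```

Two design choices worth noting: an answer for a field that was never enrolled (such as a date of birth the caller volunteers) earns no credit, which enforces the "not publicly available" rule mechanically rather than relying on the operator; and the one-time code is only ever returned to the SMS path for the number on file, so a cloned voice on the phone line never receives it.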
Staff may find it an inconvenience to verify their identity; not everyone knows the last 4 digits of their driver's licence number, bank account number and tax file number off the top of their head. However, if you explain to the staff member that you acknowledge the inconvenience, but that the security policy of your organisation requires this information so that no one can impersonate them, then typically most staff members will understand.
In conclusion, due to advances in AI voice replication technology, it is in the best interest of companies and organisations to enhance their security practices by implementing staff verification procedures for password resets. Non-public information must be used to verify identity, and this information must be kept in an encrypted, password-protected database.