This fall has been marked by an unprecedented wave of cybersecurity breaches and ransomware attacks targeting healthcare networks, entertainment giants, tech companies, and even security providers themselves. Amidst the carnage, one consistent theme has emerged: IT help desks and customer support centers are increasingly being targeted by attackers using advanced social engineering techniques and technology to coerce vulnerable employees into unwittingly granting them access to systems and data.
For context, here are just some of the breaches we’ve seen in the last few months:
- August: McLaren Health Care is breached by ALPHV/BlackCat, compromising the personal and health information of 2.2 million patients.
- September: Scattered Spider breaches MGM Resorts International, resulting in a $100 million loss for the hospitality and gaming titan.
- October: Caesars Entertainment admits to paying $15 million to Scattered Spider in an earlier ransomware attack. Okta itself reports an identity-based attack on its customer support center, wiping out $2 billion in market cap.
- November: ALPHV/BlackCat breach MeridianLink’s network, then file a U.S. Securities and Exchange Commission complaint against their victim.
Clearly, something needs to be done. But IT and Support departments are ill-equipped to counter this threat. 67% of cybersecurity professionals say their organization doesn't have the staff needed to prevent and troubleshoot cybersecurity issues. On a related note, 80% of organizations have suffered at least one cybersecurity breach attributable to “a lack of cybersecurity skills and/or awareness,” according to ISC2.
Threat Landscape: Social Engineering at the Help Desk
Social engineering attacks involve manipulating people to gain unauthorized access to systems and data. Attackers often impersonate employees, convincing help desk personnel to reset passwords (with the reset code delivered by SMS or email to a channel the attacker has already compromised), reset an MFA device (so the attacker can enroll their own device), or simply grant access to assets, applications, or sensitive information.
Social engineering is hard to detect and can be even harder to stop. Increasingly, attackers are using generative AI, like the hacker that used an AI-generated deep fake voice to break into an IT company. In fact, voice deep fakes are so concerning that the New York Times recently ran a feature piece on their use in scams and fraud.
Social engineering is extremely dangerous, but you can’t expect help desk employees to be security and psychology experts. So, companies need to take the necessary steps and use technology to help protect them from social engineering.
This is, in part, why Okta’s own Chief Security Officer (CSO) suggests that companies add a “visual verification” step at the helpdesk. The idea is basically this: you can’t trust device signatures, traditional multi-factor authentication (MFA), or security questions to guarantee that someone is who they say they are. So, verify their identity visually.
Video Visual Verification: the False Solution to Social Engineering at the IT Help Desk
Visual verification means confirming that someone really is who they claim to be by performing a visual inspection. When an employee can walk up to your IT department in person, this is easy. But most employees contact the help desk by phone, chat, or other online means. So how do you perform visual verification on someone who is in a different room (or a different country)?
One way to do remote visual verification is via video call. It works like this:
- Someone contacts the help desk asking to reset their password, saying they lost their MFA device, or requesting access to sensitive company data or systems.
- The help desk agent sets up a video call via Zoom, Teams, or some other video conferencing system. Some companies require that the employee’s direct manager join as well. Often, schedule conflicts mean that the call can’t happen for hours or even days.
- Once on video together, the help desk agent and employee’s manager can see that the person on the other end is a real human being, that their face matches their employee record, and can ask them questions to verify that they match the account on file.
Clearly, this is complicated and time-consuming. Employees often lose hours or days of productivity; managers have to drop everything and disrupt their workflows to verify their employees; and service agents waste time they could spend on other tickets.
No one has yet performed a dedicated study of how long it takes to do visual verification by video call. But it takes 2 to 30 minutes to reset someone’s password, and it seems reasonable to judge that video verification takes a similar amount of time. When you account for the manager’s time and the employee’s lost productivity while waiting for their verification call, the costs of video visual verification are staggering.
Luckily, there’s a better way to do it.
Automated Visual Verification: the Secure, Elegant Way to Prevent Help Desk Hacks
The point of visual verification is to prevent social engineering-related help desk hacks by verifying that the person contacting the help desk really is who they say they are. But doing this via video call is far too slow and resource-intensive. This is where Nametag can come in.
Nametag is an identity verification tool built for the help desk. It uses AI-powered biometrics and cutting-edge mobile device security to quickly verify the person behind the device. It takes less than 30 seconds, and stops social engineering and account takeovers in their tracks. We surround your IAM and MFA to achieve the high level of assurance needed for admin-level functions like password and MFA resets, and access grants.
Here’s how it works:
- When someone calls the help desk, send them a link to verify their identity with Nametag. You can text them the link via SMS, or copy it into an email or chat session. Or, they can scan a QR code to initiate self-service secure account recovery.
- Once the employee clicks their link or scans the QR code, it opens a modal on their device (no app download required). They scan a government-issued ID, then take a quick selfie. The system verifies their ID, uses advanced facial biometrics to verify their selfie, and then compares the two.
- Once Nametag finishes the verification, your agent console is automatically updated with the results of our analysis. The authentication result is as trustworthy as a video visual verification, in a fraction of the time and with a fraction of the resources required. The help desk agent can then proceed with the account recovery, MFA device reset, access grant, or other action.
How to Secure Your Help Desk with Automated Visual Verification
The process for setting up visual verification at the help desk can be easy or hard, depending on how you do it. Doing it by video call, using tools you already have (like Zoom), feels like the easiest route, but is incredibly painful in practice. On the other hand, automated solutions like Nametag require limited time to set up (more on that in a moment), are fast in the field, and are even more secure.
Step 1: Evaluate Your Security
No matter what route you take, start securing your help desk by evaluating your help desk security. Any good IT or CISO’s office knows what tools you have for security, but how vulnerable are you to social engineering? Some companies have gone so far as to hire experts to do a “social pentest” on their IT department.
Step 2: Set Up Visual Verification
When even Okta’s CISO is suggesting that all companies implement a visual verification step for high-risk help desk functions, you know you should be doing the same. You can do visual verification via video call, or via an automated solution like Nametag. Either way, make sure you’ve clearly documented the tools and processes, as well as when it should be done.
Step 3: Train Your Help Desk Staff
Educate your help desk staff on the importance of verifying employee identities and the proper use of visual verification. Make sure they really understand the threats posed by social engineering attacks, and how to utilize visual verification. You can have the best tools in the world, but they’re useless if no one knows when or how to use them effectively.
Step 4: Monitor and Review
Finally, monitor the effectiveness of your visual verification program. Measure and track how often it’s being used, how long it takes to verify, and other relevant metrics. Remember that staying proactive and continuously improving your security measures is critical in today's fast-moving threat landscape.
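One way to turn the metrics named above into something a help desk lead can actually review is to run them over the ticket log itself. The script below is an added example written for this article, not Nametag's code or API; it assumes a constructed, hypothetical ticket record with per-ticket verification timestamps and a pass/fail result, and reports the verification rate on high-risk actions (password resets, MFA resets, access grants), the median time a verification takes, and the tickets that should not have been closed without one.

```python
"""Help desk verification metrics over a constructed ticket log.

Added example, not part of the original article. The Ticket fields and the
sample data are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import List, Optional

# Actions the article treats as high-risk help desk functions.
HIGH_RISK_ACTIONS = {"password_reset", "mfa_reset", "access_grant"}


@dataclass
class Ticket:
    ticket_id: str
    action: str
    opened_at: datetime
    verification_started_at: Optional[datetime]
    verification_completed_at: Optional[datetime]
    verification_result: Optional[str]  # "pass", "fail", or None if never run


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


# Constructed sample log: four high-risk tickets and one low-risk question.
SAMPLE_TICKETS: List[Ticket] = [
    Ticket("T-1001", "password_reset", _t("2023-11-06T09:02:00"),
           _t("2023-11-06T09:03:10"), _t("2023-11-06T09:03:35"), "pass"),
    # High-risk action closed with no verification record at all.
    Ticket("T-1002", "mfa_reset", _t("2023-11-06T09:40:00"), None, None, None),
    Ticket("T-1003", "software_question", _t("2023-11-06T10:05:00"), None, None, None),
    # Verification ran and failed; the ticket still deserves review.
    Ticket("T-1004", "access_grant", _t("2023-11-06T10:14:00"),
           _t("2023-11-06T10:15:00"), _t("2023-11-06T10:15:40"), "fail"),
    Ticket("T-1005", "password_reset", _t("2023-11-06T10:59:00"),
           _t("2023-11-06T11:00:05"), _t("2023-11-06T11:00:27"), "pass"),
]


def verification_rate(tickets: List[Ticket]) -> float:
    """Share of high-risk tickets on which a verification was run at all."""
    high_risk = [t for t in tickets if t.action in HIGH_RISK_ACTIONS]
    if not high_risk:
        return 0.0
    verified = [t for t in high_risk if t.verification_result is not None]
    return len(verified) / len(high_risk)


def median_verification_seconds(tickets: List[Ticket]) -> Optional[float]:
    """Median wall-clock seconds from verification start to completion."""
    durations = [
        (t.verification_completed_at - t.verification_started_at).total_seconds()
        for t in tickets
        if t.verification_started_at and t.verification_completed_at
    ]
    return median(durations) if durations else None


def unverified_high_risk(tickets: List[Ticket]) -> List[str]:
    """High-risk tickets that were handled without any verification record."""
    return [t.ticket_id for t in tickets
            if t.action in HIGH_RISK_ACTIONS and t.verification_result is None]


def failed_verifications(tickets: List[Ticket]) -> List[str]:
    """Tickets where verification ran and the person did not pass."""
    return [t.ticket_id for t in tickets if t.verification_result == "fail"]


def report(tickets: List[Ticket]) -> dict:
    """Bundle the metrics a help desk lead would review each week."""
    return {
        "high_risk_verification_rate": verification_rate(tickets),
        "median_verification_seconds": median_verification_seconds(tickets),
        "unverified_high_risk_tickets": unverified_high_risk(tickets),
        "failed_verification_tickets": failed_verifications(tickets),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_TICKETS).items():
        print(f"{key}: {value}")
```

The two lists are the actionable part: an unverified high-risk ticket means the documented process was skipped, and a failed verification that still resulted in a reset or grant is exactly the pattern the attacks described earlier depend on, so both belong in the weekly review rather than only in an aggregate percentage.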
Cybersecurity and IT teams are under greater pressures than ever before. The recent wave of attacks targeting security providers just goes to show that no one is safe. Only 20% of organizations are highly confident they can prevent identity threats.
If a company is a castle, the IT help desk is the gate: the most vulnerable point. In addition to standard practices like setting up multi-factor authentication and identity and access management (IAM), companies need to implement strong, biometrics-based authentication measures to verify employees contacting the help desk. It’s the only way to stop social engineering attacks and prevent help desk hacks.