"A company valued at $33,900,000,000 was defeated by a 10-minute conversation"
-vx-underground, a malware archive
On Monday, casino group MGM had its digital systems breached and completely halted by ALPHV, a ransomware group. Gaining access to the 33-billion-dollar company's servers took only 10 minutes of effort, a single LinkedIn search, and a quick phone call – a process so simple it could be replicated by someone without any technical abilities at all. The attackers then held the company's servers hostage while demanding a payout, and the incident prompted an immediate FBI investigation. To do so, the hackers simply exploited a loophole that exists in nearly every business in the world. Let's break it down:
How it happened to MGM
The hackers executed their attack in three simple steps:
Step 1: Find any employee on LinkedIn
The attacker used a simple search to find the name of an MGM employee. They may have also noted minor personal information from the employee's LinkedIn and online profiles, but this is often not necessary.
Step 2: Call the help desk
The ALPHV hacker called MGM's company-wide IT help desk and claimed to be the employee, saying they'd lost access to their internal employee accounts and needed access to be restored so they could continue working (implying a sense of urgency). Left with no backup methods to remotely verify the identity of the person on the other end of the phone call (and likely untrained for this situation), the help desk agent attempted to help this 'locked-out employee' the only way they could: by granting them access to the account belonging to the employee ALPHV had found on LinkedIn just minutes earlier.
Step 3: Gain access and take control
On Wednesday, Gizmodo reported that the hack "delayed customers from checking in, prompted slot machines to display error messages, shut down paid parking systems, and affected the company website, which is still showing an error message as of Wednesday. Likewise, MGM’s booking site is down, telling customers to reach out to customer support with any questions."
Who's to blame?
So why is the ability to hold MGM's servers hostage and access trade secrets and assets left up to a guessing game? While it might be easy to presume that the blame lies with the help desk agent who gave up this access in ten minutes, it's important to remember that this is not an issue of lack of training for the employee, nor is the employee themselves responsible. The entire organization had no structural resources set up for this scenario – no way to remotely verify the identity of the caller when all other methods fail – leading the help desk agent to rely on the only thing they could: trust, and their intuition.
In short: this is not a staffing problem or a training problem. The agent did not have the resources they'd need to identify this caller. This is a tooling problem.
Why this could happen to almost any business in the world
Companies across America are adding security measures beyond passwords that employees must satisfy to access their accounts. These solutions involve some sort of multi-factor authentication (MFA) device, which holds a private code that is required for access. This has mostly stopped basic password hacks, but what happens if someone loses their MFA device? They call up the help desk and tell the truth – that they've lost their device and can't access their account. The help desk typically takes them at face value – or attempts some sort of manual identity detective work – and then grants them access so they can continue working. But what happens when a hacker (or simply a person with bad intentions) calls up your help desk and pretends to be your employee, saying they've lost their MFA device and need access reset? Currently, help desk workers around the world have no reliable way to tell the difference. This has given rise to a new method of breaching accounts that doesn't even require the technical chops of hacking a password: impersonation. And, in the case of MGM, it only took ten minutes.
How to prevent it
Impersonation fraud like this is increasingly common, and the reasoning is always the same: help desk agents do not have on-demand tools to efficiently identify someone over the phone or in an email/chat interaction. Your support desk needs a clearly defined procedure for resolving these lockouts, one that involves a legitimate, close inspection of the caller's ID and personal details and that confirms the person on the phone actually matches the identity details they're presenting.
Method 1: Add an investigative team
Companies that avoid these breaches often employ an investigative team to stop impersonation fraud and employee account breaches. When support desk agents and IT teams are contacted by someone claiming to be a locked-out employee or customer, they pass along the case to these teams to run background checks, conduct in-person interviews, and use digital tools to validate the person's government-issued ID. Imagine a process similar to the DMV. While these teams can be expensive and the process can be tedious – even MGM, a $33 billion company, hadn't built a team like this – the cost of a breach is always higher.
Method 2: Automate these identity checks
If hiring an investigative team feels too expensive, or if you're worried about employee frustrations and lost work time as they follow these processes and await results, there is another option. Some companies choose automated tools that can take someone through a secure identity verification process remotely (explore Nametag's human identity platform). Automating so much of the identity detective work typically means help desk agents can do the whole process themselves, and resolving an employee lockout or password reset this way typically only requires about 30 seconds of their time. Since exploitations of this MFA loophole have exploded in recent years, these solutions are relatively new.