Visual Verification: A Hot Topic
With several large American companies such as Okta, MGM, and Caesars being involved in breaches through the helpdesk recently, the cybersecurity world has seen several industry leaders propose “visual verification” as the way to stop attackers from convincing your helpdesk to give them access to accounts that are otherwise protected by multi-factor authentication (MFA). Okta’s chief security officer, David Bradbury, recently wrote into DarkReading.com to address the Okta platform’s involvement in the recent MGM hack, saying that the way to prevent attackers from gaining this level of access by impersonating an employee or customer is to add “a visual verification step at the helpdesk”.
So, the industry has been buzzing about this term, but what exactly is it? In this article, we’ll explain what visual verification means, and explore some ways you can add visual verification to your business to stop helpdesk hacks before it’s too late.
Background: Why Visual Verification is Needed, and How It Relates to MFA
Helpdesk hacks have been all over the news lately, as attackers have found a new backdoor into even the world’s most secure companies, bypassing MFA security measures. These hacks entail an attacker impersonating an employee and convincing the helpdesk to give them access to an account that controls extensive assets, trade secrets or platform control. This is not a sophisticated attack: the attacker simply finds information about an employee or customer online, calls or messages the customer support team, and impersonates this person in an attempt to take over their account. The problem is that helpdesk and support teams do not have sufficient tools to distinguish these attacks from requests made by the real person.
Once the conversation has begun, the attacker will claim they’ve lost their multi-factor authentication (MFA) device, typically their mobile phone or a physical security key, and are therefore locked out. They say they need their access to be reset urgently, as they’re losing valuable work time.
Historically, the helpdesk agent would attempt to find out whether the attacker is being truthful about their identity by asking them security questions pulled from a credit check or HR file. However, attackers are often able to pull this information off the internet in their own research, or use social engineering tactics to convince the helpdesk agent to reveal the answer to them. In the end, without visual verification, the helpdesk agent has no reliable way to know whether or not the person on the other end is telling the truth, so they have no choice but to trust their gut.
The results can be devastating to a large enterprise. Often, as seen in the cases of security company Okta and casinos MGM and Caesars recently, this little loophole is all an attacker needs to seize extensive trade secrets, download user information, and even hold the company’s digital assets in exchange for a hefty ransom.
What is Visual Verification?
Visual verification (often referred to as ‘visual identity verification’) is the process of performing a visual inspection of a person’s identity, to ensure that they are indeed who they claim to be, before granting access. This inspection must occur either in person or via a trusted video source. Crucially, visual verification cannot be performed over the phone or in a support chat, Slack or Microsoft Teams conversation, or email thread – it must be performed by a human’s visual inspection or via computer vision. Visual inspection has emerged as an essential method because devices can easily be stolen or lost. The only way to verify someone with certainty is to visually inspect the human themselves.
Where is Visual Verification Needed?
If someone contacts your support desk claiming to be an employee or high-value customer, visual verification is always the safest and most efficient method of ensuring they are indeed who they claim to be. In particular, in any environment where the relationship between the agent and the person contacting the helpdesk does NOT meet BOTH of these two requirements, visual verification is needed:
Requirement 1: These two people know each other personally and would be able to pick each other out of a crowd.
Requirement 2: These two people are in an office together, and the agent is able to see, face to face, who is operating the computer or device in question.
How to Add Visual Verification to Your Helpdesk
Option 1: Zoom calls
Some companies have addressed this problem with a ‘Zoom call’ process. When someone calls the helpdesk claiming to be a customer or employee, typically saying they’ve lost their MFA device and are therefore locked out of their account, the helpdesk agent sets up a Zoom call, often for a few days in the future. Several agents typically join this call. They see that the person on the other end is a real human being, can see their face, and can ask them questions to verify that they match the account on file. This process can be very slow and time-consuming (and therefore expensive), but it will make an attacker’s life much more difficult if the attack is not sophisticated and their goal is to scan your helpdesk for immediately accessible vulnerabilities. One flaw to be mindful of with Zoom calls is that they are not a reliable way to verify a person’s government-issued ID, as your helpdesk agents will likely not be able to tell the difference between a real ID and a fake one. As such, the call should ideally be paired with a secure form of ID verification to deter attackers and increase confidence before unlocking accounts (read more: Top 5 Things to Consider When Evaluating ID Verification Software).
Option 2: Automate visual verification
If setting up Zoom calls and implementing an ID verification process sounds like a costly endeavor, Nametag offers a way to automate visual verification.
Helpdesk agents can send a proof-of-identity request to any phone number, or copy and paste a link into any email or support chat. The recipient is taken through a rapid verification flow in a secure scanning environment that cannot be manipulated by rising threats such as AI-generated ‘deep fake’ IDs or human tampering. The customer or employee scans one of 10,000+ ID document types from around the world, and then scans their face to prove they match the person on the ID. If they’ve already used Nametag, they can revalidate their identity with one-click FaceUnlock.
In an average of less than 30 seconds, the agent receives verified proof-of-identity and, if it matches info on the account, can swiftly grant access. If not, the hacker is easily and efficiently identified and deterred.
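The last step of the flow above is the one the agent actually acts on: grant the MFA reset only if the proof-of-identity matches the account on file. The following is an added example, not Nametag’s code or API, of how a helpdesk tool can enforce that rule rather than leaving it to the agent’s judgement; the shape of the verification result (its field names) and the sample account are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Account:
    user_id: str
    legal_name: str
    date_of_birth: str   # ISO date as stored in the HR or CRM record

@dataclass
class IdentityProof:
    # Hypothetical shape of a visual-verification result (field names are assumptions)
    user_id: str
    document_name: str   # name read from the scanned government ID
    document_dob: str
    document_valid: bool # the ID passed the document-authenticity checks
    face_match: bool     # the live face scan matched the ID portrait
    completed_at: datetime

MAX_PROOF_AGE = timedelta(minutes=15)  # a proof is short-lived; an old one must not be reused

def _norm(s: str) -> str:
    return " ".join(s.casefold().split())

def reset_allowed(account: Account, proof, now: datetime):
    """Return (allowed, reason); the reason is what the helpdesk audit log records."""
    if proof is None:
        return False, "no proof-of-identity on file"
    if proof.user_id != account.user_id:
        return False, "proof belongs to a different account"
    if now - proof.completed_at > MAX_PROOF_AGE:
        return False, "proof-of-identity expired"
    if not proof.document_valid:
        return False, "ID document failed authenticity check"
    if not proof.face_match:
        return False, "face did not match ID"
    if _norm(proof.document_name) != _norm(account.legal_name) or proof.document_dob != account.date_of_birth:
        return False, "ID details do not match account on file"
    return True, "verified"

# Constructed sample data (fictional person, fixed clock) so the gate runs offline
NOW = datetime(2023, 10, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNT = Account("u-1001", "Jane Q. Example", "1990-04-12")
GOOD = IdentityProof("u-1001", "JANE Q. EXAMPLE", "1990-04-12", True, True, NOW - timedelta(minutes=1))
STALE = IdentityProof("u-1001", "Jane Q. Example", "1990-04-12", True, True, NOW - timedelta(hours=2))
MISMATCH = IdentityProof("u-1001", "John Doe", "1990-04-12", True, True, NOW)

if __name__ == "__main__":
    for label, proof in [("good", GOOD), ("stale", STALE), ("mismatch", MISMATCH), ("none", None)]:
        print(label, reset_allowed(ACCOUNT, proof, NOW))
```

The point of returning a reason with every denial is that a refused reset is itself a signal: a run of mismatched or missing proofs against the same account is exactly the pattern a helpdesk social-engineering attempt leaves behind.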
That’s it. Visual verification can feel like a complicated process, but with the recent rise in social engineering at the helpdesk as a powerful attack vector to bypass 2FA or any other form of MFA, it’s become more important than ever to give your agents the proper tools to identify and resist such an attack.