7

I had a conversation today and someone challenged me as to why you would need to verify the identity of a user calling a service desk with anything other than their company email. Granted, I know these can be spoofed, but the upper-level executive didn't.

I have been pressing to have at a minimum a user-specific PIN and the user's email address put in place for verification purposes.

Does anyone have access to published best practices for this kind of non-face-to-face (phone, chat services) support desk user verification?

schroeder
  • 123,438
  • 55
  • 284
  • 319
user2041774
  • 71
  • 1
  • 2

2 Answers

5

The company email is likely a bad way to verify someone's identity. In most places, the email address is in a common format that could easily be guessed. Social engineering and pretexting are easy ways to get common information. You should also consider the insider threat: a coworker could easily impersonate someone with an email address. (I am assuming that you mean providing this over the phone, not sending them an email to open during a call.)

If you want to authenticate a user's identity, you need to use something that is non-public and hard to guess. Some companies may have specific code words, etc. They may require a call back to a number known to be the employee's work, home, or cell number. This should not be their system or email password.

Eric G
  • 9,691
  • 4
  • 31
  • 58
  • Calling back assumes POTS lines (as these are harder to mess with than VoIP). Originating the call on a cellphone may not be exactly right due to the possibility of rogue repeaters. – Deer Hunter Jul 27 '13 at 03:28
3

There are two sides to this. First is verifying the identity of the user, and the other is verifying the legitimacy of the help desk. This is a pretty big deal because social engineering calls will almost always be directed toward the helpdesk or be impersonating a help desk member.

Since normal users are typically less sophisticated than help desk operators, you should simplify the process for authenticating the help desk. For example, a very easy rule is that all help calls must be made from the user to the help desk. If the help desk calls you, then their only instruction should be "call me back at the standard internal help desk phone number". At no point should you trust a help desk rep who called you. This is easy for people to remember, and easy for them to implement. Also, whenever the help desk does call a user and says "call me back", it would be a good idea to remind him why he should do so; just a word or two so the concept is fresh in his mind: the help desk ALWAYS tells you to call them back.

Then, authenticating the user with the help desk depends on the level of security required by the company. A "call in PIN" or password is a reasonable but not wonderful idea. Even better is some sort of internal closed-loop system that can't be made available to someone outside the company.

Better still, simply make the rule that all sensitive operations must be done in person, either at the help desk itself or through desk-side support, with appropriate checking of badges etc.

tylerl
  • 82,225
  • 25
  • 148
  • 226