kickarse Posted February 18, 2009: So I've got this dilemma in trying to figure out a policy on how to verify users over the phone for resetting and unlocking them from various network resources. I'm curious what others do. We already have the last 4 of their social and figure that's probably good enough. Any thoughts?
VaKo Posted February 18, 2009: Ask each user to set up 5 secret questions and when they need to be verified ask for 2 random answers? It's how ALU manages intranet passwords.
kickarse (Author) Posted February 19, 2009: Well, that's a great idea, but we all know how users are: they'll forget the questions/answers they created and they won't be created with security in mind. I wonder if it'd be more appropriate to create a set of questions for them, like banks do. Perhaps five questions and randomize them when they call in, as suggested. Store it in AD and create a script/program to query the list.
VaKo Posted February 19, 2009: If that fails, they call their boss and ask them to vouch for the user, the boss calls you and explains the situation, and you call them back on a company line, and that line only. Beyond that, you probably need to start chipping your users.
digip Posted February 19, 2009: At my workplace we have a list of "verify" questions that all employees must fill out. It's basically 5 personal questions: where were you born, mother's maiden name, when were you born, first grade school name, and last 4 of social. Then when you call the help desk to reset a password, they ask you two of the five questions, along with what your employee ID number is. No one should ever know your employee ID number since you use it to log in to things, and it is part of the way they look up your questions. This way, giving them a name alone does not let them change your password if you don't know the employee's ID number.
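The "two random questions out of five" scheme kickarse and digip describe, written out as an added example (this is not code from the thread or from any product mentioned in it). It assumes a constructed in-memory directory keyed by employee ID in place of AD; answers are stored only as salted hashes, normalized before hashing so "Saint Louis" and "saint louis" match, and an ID is locked after repeated failures so the help desk escalates to the manager call-back VaKo suggests.

```python
import hashlib
import hmac
import os
import random
import unicodedata

# The five-question list from digip's post, in fixed order.
QUESTIONS = ["City of birth", "Mother's maiden name", "Date of birth (YYYY-MM-DD)",
             "Name of first grade school", "Last four of SSN"]
MAX_FAILURES = 3            # after this many bad calls, stop answering and escalate
DIRECTORY = {}              # constructed stand-in for AD: employee_id -> record


def normalize(answer: str) -> str:
    """Strip accents, case-fold and trim so spelling/casing slips don't fail a real user."""
    decomposed = unicodedata.normalize("NFKD", answer)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold().strip()


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Slow hash so a leaked directory can't be brute-forced by guessing common answers quickly.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


def enroll(employee_id: str, answers: list) -> None:
    """Store a per-answer salt and hash; plaintext answers are never kept."""
    assert len(answers) == len(QUESTIONS)
    hashed = []
    for ans in answers:
        salt = os.urandom(16)
        hashed.append((salt, hash_answer(ans, salt)))
    DIRECTORY[employee_id] = {"hashes": hashed, "failures": 0}


def pick_challenge(rng=random.SystemRandom()) -> list:
    """Two distinct question indexes chosen with a CSPRNG, so callers can't predict which they get."""
    return rng.sample(range(len(QUESTIONS)), 2)


def verify_caller(employee_id: str, challenge: list, given: list) -> bool:
    record = DIRECTORY.get(employee_id)
    if record is None or record["failures"] >= MAX_FAILURES:
        return False            # unknown ID or locked: escalate, don't keep answering questions
    ok = True
    for idx, ans in zip(challenge, given):
        salt, expected = record["hashes"][idx]
        # Check every answer and use a constant-time compare; don't stop at the first miss.
        ok &= hmac.compare_digest(hash_answer(ans, salt), expected)
    if not ok:
        record["failures"] += 1
    return ok
```

The help desk script would call pick_challenge(), read the two QUESTIONS entries to the caller, and pass the spoken answers to verify_caller(); which two were asked is never chosen by the caller.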
Razor512 Posted February 19, 2009: Just use good security and recommend users make a strong password, then put a captcha to complete the login (the captcha will be visible for right and wrong passwords). If you make things too complicated for users, they will move somewhere else for services. Just put ample warning on making a strong password; that removes liability if they make a weak one.
VaKo Posted February 19, 2009: And how does one add a captcha to an AD login prompt, and how does this help verify the user is who they claim to be?
kickarse (Author) Posted February 20, 2009: Quoting VaKo: "If that fails, they call their boss and ask them to vouch for the user, the boss calls you and explains the situation, and you call them back on a company line, and that line only. Beyond that, you probably need to start chipping your users." Think they'll go for me putting an RFID under their skin? lolz... I think the best thing is definitely a random set of questions. Nobody remembers their employee number.
preciousroy Posted February 20, 2009: Depending on how your company is set up and how secure you have to be, a good idea might be to keep the company phone directory handy, tell them to give you their full name and return to their desk, and call them BACK at their extension. Don't let them give you their extension; take it from the directory. Also, if each user has a PC with an asset tag number that's associated with their name, you can base it on that. Have them read the tag number over the phone. There's a question about exactly this on a Microsoft certification prep that tells you the correct answer is to remote in and set the password to what they want on their say-so. Goes to show you that not everyone is thinking about security.
Razor512 Posted February 20, 2009: If companies can use captchas like this, it will stop random people from making accounts for no reason. Or, if possible, if you can get someone to make a captcha system to show random pictures and ask a question like "Is the cat in this picture cute?", it will help, and it will also cause new technology to be developed, because spam companies and hackers will have to develop a cute cat detecting program (then it can be reverse engineered and added to Google image search). That way, no matter which search you make, you can be sure to always find the cute cat pictures available in any search you make. There are many tutorials on adding basic captchas to your site, e.g. http://webcheatsheet.com/php/create_captcha_protection.php, but there is never really enough info available and no way of telling if the captcha system has been compromised until you test it out and find a million spam bots advertising weight loss pills. If you're running a business, don't skimp on it; get someone who is a professional to do a login system that's secure for your site.
kickarse (Author) Posted February 20, 2009: It's not going to be for users to create their own accounts. It's to verify already existing accounts, Razor. I thought I mentioned that it was for user verification over the phone.
Razor512 Posted February 20, 2009: Quoting kickarse: "It's not going to be for users to create their own accounts. It's to verify already existing accounts, Razor. I thought I mentioned that it was for user verification over the phone." Well, for user verification over the phone nothing beats an actual human who has been trained to understand social engineering. Just remember, phone traffic is not really encrypted (no SSL :) ), and sadly what makes us who we are is just a few numbers, and anyone with those numbers can become you and take out a loan to buy a personal space station :). Most companies that do verification over the phone will often ask for the account holder's name, phone number and mailing address, and often nothing else, and it is often little or no security. When I did a Verizon speed upgrade for someone (a while back Verizon used to give 768k down and 128k up; even though Verizon now offers 3mbit, if you had a 768k account they would not increase your speed to the new standard unless you call and request it, and they do it free of charge), I was doing it for a friend (she didn't like dealing with these companies and wanted me to do it for her), so I called and gave the phone number and address. Then, when they asked for the account name, I gave her name, and guess what: even though I am a male and have a male voice, they called me by her name and said things like "ma'am" and "miss". As far as the outsourced workers could tell, I was her. Phone security is often very weak, and since you're dealing with another human who often doesn't understand security, you are not allowed to give out certain pieces of personal info because the workers are not at a level where you can trust them with it, unless you want to verify by credit card number, in which case if a malicious user gets that info, things can't get much worse; they already have your money.
kickarse (Author) Posted February 20, 2009: Razor, I still don't think you understand. We're verifying our domain users over the phone. We don't have access to their personal account information. We'd like to not have to even know their employee number or last four of their SSN (because honestly, if you know where they were born, you can gather the rest of the numbers). We're just trying to come up with a more secure way to go "Ok, you are who you say you are, I'll unlock your account/reset your password to the domain/program/web site/etc." instead of the "Hi, this is Mark Smith" and me thinking "hmm... sounds like Mark, I guess it's him". We're probably going to be going with a solution like the password reset self-service solution from SpecOps http://www.specopssoft.com/products/passwo...self%20service/ but we still need something in place for those times when we can't just do a domain unlock. However, we do have an intranet-based ticket system in place. This could provide the solution for that, since it's based on domain rights to get to the page; then they can request securely for things other than network access. Also, I'm not too worried about people tapping our phones externally. If it was a wireless phone, maybe.
VaKo Posted February 20, 2009: That reset solution from SpecOps looks interesting, thanks for the heads up. I still think picking random questions from a pre-defined list would be the simplest way of doing things over the phone; get HR to approve it and work with them to set it up and it should cover most eventualities. Just don't choose questions you can search Facebook for.