Part of any good social engineering attack will include, eventually, an attempt to gain access to a resource or gather information that is generally kept behind some method of authentication. Once a user has been authenticated as who they say they are, they are checked for authorization to the item (are they allowed to access it), and only then is access provided.
Take a moment to think of all the methods which are often used to provide authentication. They generally fall under three categories:
- Something you have (badge, a key fob, a physical key, a photo ID)
- Something you know (password, recovery questions, a PIN, passphrase, personal information such as social security number and birth date)
- Something you are (fingerprint, iris scan, gait, signature and hand writing characteristics)
Even in cases where two of these three items are not required to gain access, chances are two of the three were required in some form, or via a third party, to obtain that single factor of authentication. For example, if you have to swipe a badge (without any other action such as entering a PIN) to gain access to a floor, you probably already had to prove your identity in person to be issued the badge.
Local, Easier. Remote, Harder.
When dealing with remote users, authentication becomes more difficult. Most companies address this with either Something You Have or Something You Know: think account passwords provided over the phone (used specifically for this purpose), having to provide your "last four", birth date, or account number, or having to enter a one-time password sent to your phone. The more of these you can provide, the greater the confidence the company has that you are who you say you are.
The key to these methods is that they require a closed loop and some level of trust. For example, when you open an account with a website that will never see you in person and may not be privy to personal information such as social security numbers, the general fallback is to send a one-time link to your email address. The trust placed is that you are the only person with access to your email and that your email provider has already authenticated you.
In the Absence of All Else
When you need to authenticate someone for whom you have no personal information on file, no previously established PIN or passphrase, and not even a previously established phone number, what do you do?
Try using a third party to authenticate the user. This is easier in corporate environments, since there is usually a chain of command you can use. Call their boss. Is there another authorized contact for the company? Try them.
Use another, separately authenticated source such as email. Send them a single-use set of random digits to read back from their email.
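The email read-back procedure above, as an added example that is not part of the original post: a help-desk tool generates a short random code, sends it only to the address already on file for the user (never to an address the caller supplies on the call), and accepts the code exactly once, within a time limit, with a bounded number of tries. The directory, the send_email hook and the clock parameter are assumptions made for the example; a real deployment would wire them to its identity store and mail system.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


# Constructed lookup table standing in for the HR/identity directory. The
# address comes from the record on file, never from what the caller says.
CONTACTS_ON_FILE = {
    "jdoe": "jdoe@example.com",
    "asmith": "asmith@example.com",
}

CODE_DIGITS = 6          # one-in-a-million guess per attempt
CODE_TTL_SECONDS = 300   # the code dies after five minutes
MAX_ATTEMPTS = 3         # three wrong read-backs burn the code


@dataclass
class PendingChallenge:
    code: str
    sent_to: str
    expires_at: float
    attempts_left: int


class OutOfBandVerifier:
    """Issue a single-use numeric code to the address on file and check the read-back."""

    def __init__(self, send_email, clock=time.time):
        # send_email(address, code) is a hypothetical hook for the mail system;
        # clock is injectable so expiry can be exercised without sleeping.
        self._send_email = send_email
        self._clock = clock
        self._pending = {}

    def issue(self, username):
        """Generate and send a fresh code. Returns the address used so the agent
        can tell the caller which mailbox to check; the code itself is not shown."""
        address = CONTACTS_ON_FILE.get(username)
        if address is None:
            raise LookupError(f"no contact on file for {username!r}")
        # secrets rather than random: the code must be unpredictable.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = PendingChallenge(
            code=code,
            sent_to=address,
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._send_email(address, code)
        return address

    def verify(self, username, spoken_code):
        """Return True only for the live, unexpired code. Any outcome that settles
        the challenge (success, expiry, too many tries) discards it, so a code
        can never be replayed on a later call."""
        challenge = self._pending.get(username)
        if challenge is None:
            return False
        if self._clock() > challenge.expires_at:
            del self._pending[username]
            return False
        challenge.attempts_left -= 1
        # Constant-time comparison; strip whitespace the agent may have typed.
        ok = hmac.compare_digest(challenge.code, spoken_code.strip())
        if ok or challenge.attempts_left <= 0:
            del self._pending[username]
        return ok


if __name__ == "__main__":
    # Constructed walk-through with an in-memory "mailbox" in place of SMTP.
    mailbox = []
    verifier = OutOfBandVerifier(lambda addr, code: mailbox.append((addr, code)))
    where = verifier.issue("jdoe")
    print(f"code sent to {where}")
    _, delivered = mailbox[-1]
    print("correct read-back accepted?", verifier.verify("jdoe", delivered))
    print("replay accepted?", verifier.verify("jdoe", delivered))
```

The agent never sees the code, only where it went, which keeps the loop closed: the only way to learn the digits is to have access to the mailbox that the directory, not the caller, says belongs to the user.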
IT Security Awareness Reminders
Think about the access or information you are about to provide. Is it sensitive? Can it be used for wrongdoing? Is it personally identifiable or otherwise legally protected information? In the end, denying access until a user can be truthfully authenticated is worth the annoyance to the end user if the weight of the access supports it.
Never authenticate using only a single unauthenticated channel. For example, if someone calls you on a cell phone and tells you, on that call, their work phone number, you cannot use that work number unless it corresponds to information you already had or can independently verify. Email is potentially different, since ideally that user should be the only one with the password for it.
If you identify a process gap with a provider as an employee or a customer, report it!
CREDITS AND ADDITIONAL RESOURCES
Write-up on how flaws in multiple service providers' authentication methods allowed an attacker to take over a reporter's identity
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
Paper on Authentication Methods
Paper on Internet Authentication Methods
https://www.sans.org/reading-room/whitepapers/securecode/secure-authentication-internet-2084