Tuesday, June 14, 2016

Self-Service Password Reset & Social Engineering: A Match Made In Hell

"A sad tale of how hackers compromised a CEO's corporate account by trolling Facebook and LinkedIn for answers to six common authentication questions. (And how to avoid that happening to you.)
Recently, I was on a call with the CISO of a customer whose CEO’s account had been hacked.
The CISO and his team were trying to understand how this had occurred, and, following a short investigation, we discovered that the hacker had been able to compromise the CEO’s password via the company’s software solution that enables end users to reset forgotten passwords.
After reviewing logs and other audit mechanisms, we determined that the hacker had used the solution’s self-service password reset (SSPR) capability to reset the CEO’s password.
Once the password was reset, the hacker had free rein over the CEO’s account.
...A few days later, I had the opportunity to create an account on a third-party system that used SSPR for password reset, and -- based on my earlier conversation with the customer -- saw the questions I was asked to answer in a completely different light.
They included:

  • What was the name of your first pet?
  • What was the name of the first school you attended?
  • In what city was your father born?
  • In what city was your mother born?
  • In what city did your parents meet?
  • What was your childhood nickname?"

Read on!
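The excerpt describes two things a defender can act on: the reset was reconstructed afterwards from logs and audit trails, and the reset was proven with knowledge-based questions whose answers are discoverable on social media. The following added example (not code from the post, the quoted article, or any SSPR vendor) shows both sides: a detection pass over constructed SSPR audit events that flags resets proven only by security questions, resets of high-value accounts, and a reset followed within an hour by a sign-in from an IP the account never used before; and a policy check that refuses to let security questions alone reset a high-value account. The JSON event format, field names (`event`, `method`, `src_ip`), the account list and the one-hour window are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of SSPR audit events (assumed format, not from any real product).
# Each line records a self-service reset (who was reset, how the requester proved
# identity, from where) or a sign-in. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """
{"ts": "2016-06-10T07:00:00Z", "event": "auth.login", "user": "jdoe", "src_ip": "198.51.100.7"}
{"ts": "2016-06-10T08:02:11Z", "event": "sspr.reset", "user": "jdoe", "method": "sms_otp", "src_ip": "198.51.100.7"}
{"ts": "2016-06-10T21:14:03Z", "event": "sspr.reset", "user": "ceo", "method": "security_questions", "src_ip": "203.0.113.42"}
{"ts": "2016-06-10T21:15:40Z", "event": "auth.login", "user": "ceo", "src_ip": "203.0.113.42"}
{"ts": "2016-06-11T09:00:00Z", "event": "auth.login", "user": "jdoe", "src_ip": "198.51.100.7"}
"""

# Assumed policy inputs: accounts worth extra scrutiny (in practice fed from a
# directory or HR feed) and reset methods that rely only on guessable knowledge.
HIGH_VALUE_ACCOUNTS = {"ceo"}
WEAK_RESET_METHODS = {"security_questions"}
LOGIN_WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def known_ips(events, user, before):
    """Source IPs the account signed in from before the given time (its baseline)."""
    return {
        e["src_ip"]
        for e in events
        if e["event"] == "auth.login" and e["user"] == user and e["ts"] < before
    }


def find_suspicious_resets(events):
    """Return one alert per reset that matches any of the three indicators."""
    alerts = []
    for ev in events:
        if ev["event"] != "sspr.reset":
            continue
        reasons = []
        if ev["method"] in WEAK_RESET_METHODS:
            reasons.append("reset proven only by knowledge-based questions")
        if ev["user"] in HIGH_VALUE_ACCOUNTS:
            reasons.append("high-value account")
        # Sign-ins with the new password shortly after the reset, from an IP the
        # account had never used before, are the pattern the post describes.
        baseline = known_ips(events, ev["user"], ev["ts"])
        for login in events:
            if (login["event"] == "auth.login" and login["user"] == ev["user"]
                    and ev["ts"] <= login["ts"] <= ev["ts"] + LOGIN_WINDOW
                    and login["src_ip"] not in baseline):
                reasons.append(
                    f"login from previously unseen IP {login['src_ip']} within "
                    f"{LOGIN_WINDOW} of reset")
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "reasons": reasons})
    return alerts


def reset_allowed(user, method):
    """Assumed preventive policy: knowledge-based questions alone never reset a
    high-value account; such users must use a stronger method (for example an
    out-of-band one-time code or a help-desk identity check)."""
    return not (user in HIGH_VALUE_ACCOUNTS and method in WEAK_RESET_METHODS)


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(alert["ts"], alert["user"], "; ".join(alert["reasons"]))
    print("ceo via security questions allowed?", reset_allowed("ceo", "security_questions"))
```

Run as a script it prints a single alert for the constructed `ceo` reset with all three reasons, and nothing for `jdoe`, whose reset used a one-time code and whose next sign-in came from a known IP well outside the window. The detection is deliberately coarse (first-seen IP, fixed window) because the point is to surface SSPR events for review; the policy check is the part that would have stopped the reset in the excerpt from succeeding at all.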
