Michael Engle is Cofounder at 1Kosmos and was previously head of InfoSec at Lehman Brothers and Cofounder of Bastille Networks.
A wave of cyberattacks targeting service desks has exposed a new social engineering technique in which criminals exploit the trust placed in front-line support staff to bypass security defenses and gain unauthorized access to critical systems.
In one example cited by the U.S. Department of Health, a threat actor called an IT service desk employee and convinced them to enroll a new device in multifactor authentication (MFA). The attacker provided sensitive information, likely obtained from public sources or data breaches, requesting the enrollment of a new device. With access to the network, the attacker searched for login information for payer websites and submitted forms to change ACH (banking) information. They then used compromised email accounts to instruct payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts.
Remote Identity Verification Limitations
These attacks expose the weaknesses in knowledge-based authentication (KBA) and traditional MFA limitations, underscoring the urgent need for more robust security measures.
Consider what happens when police pull you over or when you arrive at the airport; you show your license or passport, which matches your face. That’s a basic identity-based authentication strategy, but it can be done digitally at scale by having proofed credentials readily available that can be used repeatedly to verify users.
The federal government has already provided a series of standards to guide the provisioning and proofing of identities. The framework, NIST Special Publication 800-63A, serves as a gold standard to establish three levels of identity assurance based on the sensitivity of the organization; a fourth level will be established soon.
Combining biometrics and document scanning has significantly enhanced identity verification. Documents such as driver’s licenses or passports can be captured and matched to the user via a live selfie. Of course, the bad actors have been working on breaking through these defenses as well with the rise of deepfakes, but liveness detection tools can ensure the person and matching documents are real.
With automation, the system can check in seconds both the liveness of the selfie—looking for movement or the use of a mask or photo in place of the live person—and the integrity of the document by matching features such as the font, hologram or any number of markers of authenticity. Additionally, cross-referencing the document against established sources, such as the DMV license database, can give a higher level of identity assurance. NIST supports this kind of triangulation of multiple sources of truth, which can greatly reduce the risk of service-desk attacks.
Implementing Robust Identity Verification
Implementing identity verification can be done in phases, allowing you to test and scale the solution that best fits your operational requirements. A remote proofing tool, for example, can be given to service desk operators and used with little to no system integration within a day. As processes mature, remote proofing can be integrated into service desk tools such as ServiceNow for a more cohesive experience.
Reducing the friction in the onboarding and identity verification processes can go a long way to increase employee buy-in. Educating users about the importance of improved security and its benefits can help gain their support, especially if they are being asked to share their information and expect it to be stored by the organization.
The identity verification process can be automated so a desk agent only needs to send a session link out to a cell phone via text or email and wait for the user to complete the steps (scan the document, take a selfie) before resetting that credential. It can take less than 60 seconds, which is comparable to most knowledge-based authentication, to establish assurance that the identity is valid. As many organizations also rely on self-service credential reset options to keep the service desk from being swamped with requests, adding identity verification to self-service workflows can help pay dividends.
Biometrics And Digital Wallets
Identity wallets are another useful tool to store and share documentation and avoid having to carry out the document authentication process repeatedly. They can also sidestep some of the technical issues that staffers can encounter when scanning documents or taking selfies to verify identity. Organizations can create their own digital wallets for their employees to store verified credentials or use existing devices such as Fast Identity Online (FIDO) keys.
Biometric hashing—which encrypts facial recognition markers—is another potential approach. If you’ve gone through a modern airport recently, there’s a chance you just looked into a camera at the immigration checkpoint. The same can be done for remote service desk callers by storing a proofed identity in a digital wallet. When a user contacts the service desk, the agent can send a verification link to verify their identity wallet and, if successful, can reset the credential.
While biometric hashing and digital wallets offer robust security, organizations should evaluate options based on their specific security needs. It’s also important to evaluate cost, ease of integration and scalability.
Organizations should begin by assessing their current identity verification methods and identifying areas where security improvements are most needed. A thorough review of existing processes, such as how multifactor authentication is utilized or whether knowledge-based authentication is relied upon, can highlight vulnerabilities most susceptible to exploitation.
Depending on your organization’s size, risk profile and resources, several options exist—from implementing biometric identity verification to adding digital identity wallets. It’s important to tailor these measures to your organization’s specific needs and to implement them in a phased approach. By starting with the most critical gaps, you can reduce vulnerabilities while maintaining operational continuity and gradually enhancing your overall security posture.
Conclusion
Whether using deepfakes or simply making a phone call, cybercriminals have increasingly put service desks in their crosshairs. It’s time for organizations to assess and implement security measures that go beyond simply providing an authentication factor and instead apply real-world identity verification techniques to digital workflows.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
