Preventing Helpdesk Social Engineering in the Enterprise

The Frustrating Helpdesk Process

Most businesses today of any meaningful size leverage MFA. But the age-old question is: what happens when my users get a new phone? How do I securely enroll them into MFA on their new device?

This is something that every helpdesk team around the world is dealing with right now because it's iPhone release time of year. Every Monday morning, millions of people with a new phone call up their helpdesk and, after waiting on hold and answering some basic questions (last 4 of SSN, the day they joined, etc.), they are given a new password and instructions to enroll into MFA on their new device. This process, even when it works well, is time consuming, productivity killing, and frustrating for everyone involved. When it doesn't work well, escalations, security exceptions, and reduced productivity are the reality.

Most helpdesks these days are understaffed, underpaid, and overwhelmed by calls, many of which are password or MFA related. When you have this trifecta of stressors, mistakes are made, and the results can be catastrophic, as we've seen with a multitude of recent breaches.

The Hacker Mindset

I've often said that the best hackers are the laziest hackers. This is because they look for the path of least resistance, and oh boy, is the helpdesk an easy target. Hackers are able to do simple open-source intelligence (OSINT) on LinkedIn and other social media platforms to learn just about everything they need to know about an individual working at the target company. They then combine that information with data collected and made available on the dark web from all the previous breaches. Armed with that, they call helpdesk teams and very convincingly pretend to be employees.

Once they convince the helpdesk person that they're an employee, they get access to that employee's account, move laterally within the environment, and then either ransom or extort their victim for a few million bucks. We've seen it happen time and time again.

Enter HYPR Affirm

In October 2019, we put together the first potential workflow of what we now call HYPR Affirm, our identity verification solution. Over the years we had countless conversations with security and IT teams on how they currently do credential provisioning and MFA resets. The methods rapidly evolved during the pandemic. Some of the large financial services companies implemented a process where they send a Zoom/Webex link to a person's personal email and require them to show their ID over the camera to a helpdesk person in order to prevent social engineering. They quickly found that this process is very brittle and almost impossible to audit.

Most businesses, however, stuck to their regular helpdesk process and continue to do so. One of the most important observations is that the enterprise still does not feel comfortable having a 100% automated process (typically seen on the consumer side of things) to issue credentials for employees. The fundamental part of the thought process here (which I agree with) is that in consumer-side applications, a certain amount of fraud is accepted as the cost of doing business. Enterprise security teams do not have the luxury of knowingly accepting fraud.

So we built HYPR Affirm. It's designed to improve security, prevent social engineering, and provide accountability, while offering a fast and simple user experience.

Affirm incorporates several core components:

  • Verifying easy-to-get bits of data such as phone number and location
  • Optional document verification such as a passport or driver's license
  • A live text and video chat with the helpdesk or the employee's manager

The entire interaction is centered around a chat window, which gives humans the instant gratification of being in touch with a fellow human being (as well as a friendly bot). It also provides a very dynamic workflow that prioritizes ease of use and flexibility.

Rather than typing endlessly about it, here's a video of the product where an employee gets a new phone and goes through the identity verification process with their manager. Once the process is completed, they are issued a link that enrolls them in MFA (True Passwordless MFA, of course) so they can access any system in their corporate environment.

At the end of this process, here's what's true:

  1. The user has been verified securely using multiple signals, including phone verification, document verification, a video chat, and face recognition. This is a VERY steep mountain to climb for lazy hackers.
  2. The enterprise IT and security team has a full audit trail of the entire interaction that they can review and validate.
  3. In less than 2 minutes, the employee is verified and issued a new credential more securely and conveniently than ever before.

If you're interested in learning more about HYPR Affirm, let us know!


Lawrence Ng

Chief Conversational AI Disruptor @ ChatFusion/ContactLoop | E&Y Entrepreneur of the Yr '08 | $150mn Exit ‘08 | AI Insights for Marketers & Sales Executives

1 year

Bojan Simic Awesome solution... Security will definitely reach new heights with the new integration. Kudos

Trudi White

Clinical Data Management Consultant

1 year

Shelley Leveson - thanks for posting. What is MFA?
