Who's calling, please?

Our manager discovers that the company's customer validation processes are weak. It's trouble that's just waiting to happen.

Some security weaknesses can't be found with a scan or a vulnerability assessment of the infrastructure. As a security manager, you have to keep your eyes open for things that aren't as secure as they should be, based on any evidence that comes your way. That happened to me a few weeks ago, in just about the best way possible. We were able to take steps to tighten security in a particular area after an incident that could have been damaging but actually wasn't. I wish all our security lessons could be so benign.

Here's the story.


Trouble Ticket

At Issue: The company lacks any clear policy on verifying users who call in for things like password changes.

Action Plan: Establish solid policies and procedures, and make sure the customer service staff takes them seriously.


Someone called our customer support team saying he was a vice president at a company that's a customer for our services. He needed a password reset. He told the customer support rep that the password reset function wasn't sending a new password notification to his email address as he had requested. Our support rep went ahead and changed the password, told the caller the new password and set the password to be changed upon login.

I didn't know anything about this interaction until later. If I had, I would have protested that the rep needed to verify the vice president's identity. And as it turns out, we soon learned that the caller was not who he had claimed to be. This came to light a couple of days later when that same vice president called, complaining that he couldn't log into the application. "Are you using the new password that you set up a couple of days ago?" asked the support rep. "I didn't change my password a couple of days ago," was the response. "I just got back from vacation. A couple of days ago, I was on a plane."

That's when I got pulled in.

When we looked into the situation, we discovered that the person who had asked for a new password was an employee at the company who reported to the VP. He needed access to some application functionality that's available only to that VP. Not wanting to bother the VP while he was on vacation, he called, using the VP's name, in an attempt to get access to his account. It worked, but as far as I'm concerned, it shouldn't have.

We didn't get burned, but I did feel some heat. If the unauthorized employee could get the VP's password with such ease, why couldn't a true outsider, someone with less than benevolent intentions, do the same thing? We needed to tighten our policies on customer validation.

There are any number of ways to do this, and we've all experienced them when calling a financial institution or healthcare provider. You might be asked for the last four digits of your Social Security number, your date of birth, your mother's maiden name and so on.

With that sort of thing in mind, I met with some of our customer support staff, who told me that most customer service personnel simply asked for the customer's name and then checked to see if it was listed in Salesforce, just taking the caller's word that he or she was indeed the user whose name was listed. Some said they might balk if the user's voice didn't sound familiar. Naturally, I didn't find these to be valid methods of verification.

My next step was to review our policy, processes and training documents, and I found them sorely lacking in guidance on positively identifying customers. So I got together with customer support management, and we quickly drafted policy and protocol, the essence of which was that customer support personnel would need to validate users from information not readily available from public sources such as the Internet.

To introduce the new policy and guidance, I put together a presentation for the support staff, in which I demonstrated how easy it is to obtain information from the Internet. I chose one of our largest customers, and with nothing more than a Google search, I identified the most appropriate administrator or power user for our application. I then used LinkedIn to establish that that person was still active at the company. Several other business-oriented sites gave me additional information on the person. In less than two minutes, I had a name, email address, business phone and office address. To that I was able to add some interesting personal information from his wide-open Facebook profile. The customer service representatives were stunned, and I in turn was amazed that they had no idea that this sort of information could be gleaned from the Internet.

I then explained what constitutes the kind of information that can't be easily harvested. The first thing to check is that the user's caller ID matches the phone number registered in Salesforce. Then they need to ask the user to answer some predefined security questions, such as the maiden name of the user's mother. They can also ask the user to verify the customer ID number or some information related to a transaction or activity from the recent past. If all else fails, the customer support representative can call back the user at the registered contact number, or send the user a verification message to the email address on file.
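As an added illustration (not the column's or any vendor's code), here is how the verification rule above can be turned into a decision a support tool could enforce: publicly harvestable facts such as the name count for nothing, each non-public check counts once, and an out-of-band callback or email verification counts double; the field names, weights, threshold and sample records are assumptions.

```python
# Added illustration of the verification policy above (not the column's code).
# Public facts (name, voice) score 0; non-public checks score 1; an
# out-of-band check scores 2. Field names, weights and threshold are assumptions.
WEIGHTS = {
    "name_in_crm": 0,          # a Google/LinkedIn search yields this
    "caller_id_matches": 1,    # phone number registered in the CRM
    "security_question": 1,    # predefined answer, e.g. mother's maiden name
    "customer_id": 1,          # account number not published anywhere
    "recent_transaction": 1,   # detail of recent account activity
    "callback_completed": 2,   # rep called the registered number back
    "email_verified": 2,       # verification message to the address on file
}
REQUIRED_SCORE = 2  # two independent non-public checks, or one out-of-band

def _same(supplied, on_file):
    """Case/whitespace-insensitive match; a missing answer never matches."""
    return supplied is not None and supplied.strip().lower() == on_file.strip().lower()

def collect_evidence(req, rec):
    """req: what the caller claims; rec: the customer's CRM record (both dicts)."""
    a = req.get("answers", {})
    oob = req.get("out_of_band", set())
    return {
        "name_in_crm": _same(req["claimed_name"], rec["name"]),
        "caller_id_matches": req["caller_id"] == rec["phone"],
        "security_question": _same(a.get("security_answer"), rec["security_answer"]),
        "customer_id": _same(a.get("customer_id"), rec["customer_id"]),
        "recent_transaction": _same(a.get("transaction_ref"), rec["last_transaction_ref"]),
        "callback_completed": "callback_completed" in oob,
        "email_verified": "email_verified" in oob,
    }

def verify_reset(req, rec):
    """Return (decision, score): 'deny' if the name is not even on file,
    'approve' at or above REQUIRED_SCORE, otherwise 'escalate' (no reset until
    a callback or email verification succeeds)."""
    ev = collect_evidence(req, rec)
    if not ev["name_in_crm"]:
        return "deny", 0
    score = sum(WEIGHTS[k] for k, ok in ev.items() if ok)
    return ("approve" if score >= REQUIRED_SCORE else "escalate"), score

# Constructed sample: the VP's record and two calls claiming to be the VP.
VP = {"name": "Pat Vee", "phone": "+1-555-0100", "customer_id": "C-4471",
      "security_answer": "Orr", "last_transaction_ref": "TX-9021"}
IMPERSONATOR = {"claimed_name": "Pat Vee", "caller_id": "+1-555-0199"}  # name only
GENUINE = {"claimed_name": "Pat Vee", "caller_id": "+1-555-0100",
           "answers": {"security_answer": "orr"}}
```

With these inputs the name-only call from an unregistered number is escalated rather than served, which is exactly the outcome the new policy is meant to produce for the call described in this column.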

Now that we have a basic policy in place, I will be looking into automation that could help with customer verification. There are several products available that assist with streamlining this business process.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
