Re: How to authenticate a user via telephone?

From: Gene
Date: 12/06/02

    Date: Thu, 05 Dec 2002 19:48:04 -0800
    From: Gene
    To: Valter Santos


    I do agree with you on your point: if social engineering is involved, an
    attempt made by someone with the utmost desire to get through would
    succeed in obtaining, by any means necessary, the information they
    require by doing recon on the human infrastructure. Let's not forget about
    the good ole days of trash dumping, since I know that many
    administrators/organizations fail to follow direction on shredding
    "internal" documents. OT, I'm sure we couldn't find anything from our
    buddies at Arthur Andersen, since I heard that they did a pretty good
    job at shredding :).

    I don't believe that there is a 100% foolproof solution, but there are
    some best practices with points of failure, or rather points of interest
    for the intruders.

    I don't think there would ever be a "perfect world" scenario in the
    current security industry.


    Valter Santos wrote:
    > Hello Gene,
    > but that solution will fail for a person-targeted attack... I can find
    > with little effort the SSN & birthdate of a target person and pretend to
    > be her/him.
    > I suppose the callback solution is better, although it has its flaws 8-(
    > cheers,
    > /valter
    > On Wed, 2002-12-04 at 17:27, Gene Barlow wrote:
    >> Currently, I'm in the process of getting approval on a new procedure
    >> for doing just that. If approved, we'll write a script that will query
    >> the last 4 digits of the user's SSN & birthdate against our ERP software.
    >> So, for instance, if John Doe calls and requests a password change,
    >> we'll ask for the last 4 digits of the SSN and their birthdate, type it
    >> in the script, and see if that user's name is returned in the response.
    >> If so, we know (hopefully) that the user is who he says he is...
    >> Hope this helps...
    >> Robert Sieber wrote:
    >>> Hello colleagues,
    >>> imagine the following situation:
    >>> A user calls the helpdesk to reset/alter some kind
    >>> of account password (NT, RAS, PKI-PIN ...) and you
    >>> have to determine whether the user is the correct
    >>> (owner of the account) user. What would you do
    >>> to authenticate the user's identity?
    >>> What are good methods to do this? It should be
    >>> easy for the user but secure for the administration.

    Gene Yoo,
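The lookup procedure Gene Barlow describes (last 4 digits of the SSN plus birthdate checked against the ERP, then compare the returned name), written out as an added example that is none of the posters' code. The employee table, the names and values in it, the ISO date input and the "ambiguous" outcome are assumptions; Valter's objection applies regardless, since both values can be found with little effort, so a match proves little on its own.

```python
"""Helpdesk caller check: look up the two shared values the caller gives,
require exactly one matching record, and require its name to be the one the
caller claimed. Added example with a constructed employee table."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    name: str
    ssn_last4: str
    dob: date


# Constructed stand-in for the ERP query result; not real data.
ERP_RECORDS = [
    Employee("John Doe", "1234", date(1970, 5, 17)),
    Employee("Jane Roe", "1234", date(1970, 5, 17)),  # same last 4 and DOB as John
    Employee("Alice Smith", "9876", date(1982, 11, 2)),
]


def lookup(ssn_last4: str, dob: date) -> list[Employee]:
    """The 'script' step: every record matching both values, not just the first."""
    return [e for e in ERP_RECORDS if e.ssn_last4 == ssn_last4 and e.dob == dob]


def verify_caller(claimed_name: str, ssn_last4: str, dob_iso: str) -> str:
    """Return 'verified', 'no_match', 'name_mismatch' or 'ambiguous'.

    'ambiguous' is the case a plain 'is the name in the response?' check would
    let through: two employees share the same last 4 digits and birthdate,
    so the values do not single out one person and the call must be escalated."""
    if not (ssn_last4.isdigit() and len(ssn_last4) == 4):
        return "no_match"
    try:
        dob = date.fromisoformat(dob_iso.strip())  # helpdesk types e.g. 1982-11-02
    except ValueError:
        return "no_match"
    matches = lookup(ssn_last4, dob)
    if not matches:
        return "no_match"
    if len(matches) > 1:
        return "ambiguous"
    if matches[0].name.casefold() != claimed_name.strip().casefold():
        return "name_mismatch"
    return "verified"


def audit_line(claimed_name: str, dob_iso: str, outcome: str) -> str:
    # Record the attempt for later review; the SSN digits are deliberately not logged.
    return f"caller={claimed_name.strip()!r} dob={dob_iso.strip()} outcome={outcome}"
```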