Does Your MSP Really Know Who You Are?
- mspaaa
- Oct 21, 2024
- 4 min read
Identity verification is the process of proving that you are who you claim to be. Identity Verification Request options, or “IVR options”, come in many forms and choosing the correct options can be a daunting task. Staff and customer convenience, costs, and maintenance complexities are often compared to the level of security determined necessary by business stakeholders or compliance programs.
We have worked with many MSPs over the years and find that most still do not have predictable controls in place to adequately perform IVRs. New techs are expected to use intuition if they believe a request is suspicious or simply required to remember what someone else was told to do the last time. That’s right, the same MSPs that promote security awareness training don’t always take identity verification seriously if at all. It’s not just MSPs though – businesses spanning all industries can be susceptible to even the most basic social engineering exploit tactics.
By way of example, we used a small local bank for one of our operating accounts just a few years ago. It seemed like the right thing to do at the time – community feel, small town, the staff knew you by your first name, etc. I was having a problem accessing my online account one day, and it was easy to notice that the bank’s website was hosted by a third party that likely specializes in online hosting for small banks.
Okay, I’ll arrive at my point…
It was incredibly easy to call the bank from the cell phone I have registered with the business account and ask for assistance with resetting my password. A staff member answered and greeted me by name. I said I was having an issue with gaining access to the website and politely complained for a few seconds about how challenging it was to reset my password. The staff member acknowledged and helped me reset my password without any additional form of IVR. Instead of complaining or bringing this to their immediate attention, I decided to perform a small science experiment.
A few days passed and I decided to try again with a different physical phone. A simple phone number spoofing app was installed to impersonate my real phone number then I stuck to a similar script describing challenges with authenticating and resetting the password online.
And just like that – a different employee did the same thing! I promise my voice is not incredibly unique either… They reset the password without mandatory MFA and politely gave “me” access to the business account. The Good Samaritan in me chatted with the banking manager later that day to discuss the experience, and they were very appreciative.
Smaller, less experienced, or less caring MSPs also fall victim to social engineering attacks just like this!
The inverse is also true: smaller and less sophisticated companies are easy targets when a threat actor claims to be a member of the IT team who needs access to their computer.
We have witnessed a simple way to do this – call a handful of companies, let them know you’re calling to promote IT Services, and one will surely say “we are happy with our current IT provider”.
BE QUICK before they hang up on you, then respond in a positive way and say something like, “oh that’s great, we partner with most of the MSPs in the area, but the database that links to my calling software has been down for a couple of weeks. Who are you working with so I can exclude you from our calling database?” Without hesitation, most gatekeepers will tell you the name of their IT provider.
Repeat this process a few times (it won’t take more than an hour or two) then go to the website of every MSP and business you received details on. For MSPs – peruse and find the names of what appear to be senior techs. For the other businesses - repeat the process and target a variety of personas that you believe will be successful.
Call each business back, introduce yourself, and say you are “... calling from X MSP and working with Engineer X” to install an important update… One or more of the targets will allow you to connect to their machine remotely even if the remote tool differs (which it likely will).
So what should you do if an IVR process doesn't exist or needs some work?
If you are an MSP – select the right tool to help with IVRs and implement it for at least the critical functions across your customer base. Establishing policy and procedures for servicing password resets and requests for access control modification is a great start. Mandate that all technicians attend and pass security awareness training that dives deep into social engineering examples and similar attack scenarios. Continue to add, refine, and balance controls as required. And most importantly – don’t ask your customers to opt in; tell them your business takes security seriously and that all customers will be required to participate in IVR processes for select requests.
If you are a business – work with an appropriate provider capable of selecting and delivering security awareness training content for your employees, such as your MSP, and ensure all staff members, regardless of title and tenure, take it seriously and participate. Demand that your MSP require mandatory IVR for sensitive requests, and educate your staff on what to do if “the IT provider contacts them” and offers support that wasn’t initiated by your staff.
Contact us if you would like to chat more about the topic!