nGenuity


Social Engineering Rides Again!

One of my clients uses a large Business Solutions provider to manage payroll and benefits over the web. This provider requires that each user with access to their system has a personal certificate, as well as a userid and password in order to access their site. This is outstanding! Two-factor authentication is great!

Unfortunately, when you reissue the certificate based solely on a phone call, to a caller-supplied email address, your two-factor authentication doesn’t work so well. We recently migrated this client to a new domain. During this process, one user’s certificate was somehow corrupted. She could no longer access the website. After trying to re-import the certificate from a backup, we wound up calling support. The support staff was friendly and helpful, until they discovered that I was not an “approved contact”, at which point they told me the call could not proceed until they got authorization from an approved contact. Bravo! This company clearly pays attention to security. And with access to so many people’s PII, they should!

On a whim, I asked the support representative who was authorized to approve me, and to my dismay, he gave me three names. “Hold on a sec, I’ll get $approved_contact_1,” I said. I walked into the next office, got her, and returned. “Here’s $approved_contact_1,” I told him, and hit the speakerphone button. The rest of the dialog went like this:

SR: “Is this $approved_contact_1?”

AC1: “Yes.”

SR: “Is Aaron authorized to contact me regarding your account?”

AC1: “Yes.”

SR: “Ok, thanks for your time.”

My jaw dropped. He didn’t offer to call the number they had on file for the company and speak with one of the approved contacts. He didn’t ask the approved contact to answer any of her security questions. He didn’t do ANYTHING to verify that the call was legitimate, or that the approved contact was who I said she was.

At this point, we went through several troubleshooting steps, none of which addressed the problem. The support rep finally decided that the best way to fix this problem was to reissue the user’s personal certificate. Imagine my surprise when he asked me what email address I would like the certificate request sent to. Wondering if they could be this silly, I gave him one of my email addresses, one that clearly did not belong to any of the approved contacts, let alone the user who had the problem. Now imagine my astonishment when the certificate request showed up in my inbox. Surely they can’t be this cavalier with access to their site?!?

I went through the process as outlined in the certificate request email, and at some point was prompted for the user’s credentials. She had stepped out for lunch by then, so I couldn’t have her type in her password. I offered to call back when she was available, but this support rep was REALLY helpful, so he went ahead and reset the user’s password for me. Wait…What? I didn’t ask him to do that. So now I have the user’s personal certificate, the user’s userid (provided in the certificate request email), AND her password. Wow. It’s a good thing they use two-factor authentication…

The moral of the story:

Customer service is very important in today’s marketplace, and I hate to bag on a company for providing support that is too helpful, but seriously, you don’t go around providing access to sensitive resources without doing SOME kind of verification. Had I been an attacker, I would have the keys to the kingdom, and all the social security numbers and other information I could eat. If you’re going to be working with PII, please make sure your support staff knows how to deal with these types of situations.


Learn About Web 2008

Security is an integral part of deploying and managing a successful website or web application. I was very pleased when Craig Sutton from BrightWeb Marketing asked me to speak at Learn About Web 2008 on web security.

Security is far from the only thing one has to focus on for a successful business online, but it should be a major concern. The Learn About Web conference has something for everyone via three different tracks: Business, Graphics and Design, and Social Media. I will be speaking in the Graphics and Design track on how to build customer trust and loyalty via a properly implemented security program.

Learn About Web 2008 will be held at the Tri-Cities Convention Center on November 7th, 2008. Register today!
