
I Can Get Your Password

It's pretty simple for a hacker to steal a password from an employee in almost any company. Sometimes it's as simple as calling the company helpdesk.


A caller calls into the helpdesk:


Caller: "Hello, this is Jim Barnes. I'm out here in Baltimore and I forgot my password, could you reset it for me?"


Helpdesk: "Sure, your new password is 'Pass0123', you can reset it to whatever you want after using it."


Caller: "Thanks!"


This is the most common type of call a helpdesk will receive. After handling them for years, I was forced to ask myself, "How do I know that Jim Barnes is really Jim Barnes?" I could've just given a password out to a stranger for all I know. This has happened before with other companies. Hackers call it "Social engineering". I posed this question to my helpdesk manager. The question was met with complete disregard. I decided to rock the boat a little bit and posed the question to other managers or users that might be concerned that their accounts could easily be compromised.


Finally my boss sat me down to talk with me about my attempts at a more secure network. He didn't appreciate my persistence with this issue and wanted me to drop it. He told me that nobody but employees know our helpdesk phone number anyway. I agreed, but most of the employees don't know the helpdesk extension. They call the main switchboard and simply ask for the helpdesk. Then they get transferred to us. Anybody can do this. He questioned the ability of a hacker to get information about people that work here. I replied by pointing out the fact that company employees are published on the internet in press releases and our own web site. "What do you think we should do then?" my manager asked. I told him there should be a system just like a credit card company would have. The user would have to provide information such as the last 4 digits of a social security number, pet's name, birth date, anything that a hacker wouldn't easily know. I was told this would be too difficult to implement and it would just be another thing that our users would have to remember besides a password. He also felt it would frustrate users and cause more harm than good.


I had a lot of these types of debates with my manager and eventually left the company because of them. I kept in touch with the employees. I was recently told that a programmer's email account was compromised. A hacker had gotten into his account and stolen some very valuable software code. They aren't sure how the hacker got in and got his password, but of course it didn't surprise me. To get the full effect of how damaging this social engineering threat can be, try it yourself. Call your helpdesk and give your CEO's name. Tell them you need the password reset. How do you think your CEO would like that? If you can do it, so can others. Every helpdesk I have worked in has this hole, and it's huge. By simply using the same method most web sites use for forgotten passwords, you can save your company from being a victim of social engineering.
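The caller-verification step proposed above could look like the sketch below. It is an added example, not code from the original article. The class name, question keys, attempt limit and sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware
MAX_FAILURES = 3         # assumption: lock the record after 3 failed calls

def _normalize(answer: str) -> bytes:
    # " REX " and "rex" should both match what the user enrolled.
    return " ".join(answer.lower().split()).encode("utf-8")

def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ROUNDS)

class HelpdeskVerifier:
    """Gate for password resets: the helpdesk resets only on 'verified'."""

    def __init__(self):
        # username -> {"answers": {question: (salt, digest)}, "failures": int}
        self._records = {}

    def enroll(self, username, answers):
        # Store salted hashes so the helpdesk tool never shows the answers.
        stored = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            stored[question] = (salt, _digest(answer, salt))
        self._records[username] = {"answers": stored, "failures": 0}

    def verify_caller(self, username, claimed):
        record = self._records.get(username)
        if record is None:
            return "denied"
        if record["failures"] >= MAX_FAILURES:
            return "locked"  # needs an out-of-band check, e.g. the user's manager
        ok = True
        for question, (salt, digest) in record["answers"].items():
            candidate = _digest(claimed.get(question, ""), salt)
            # Check every answer so the caller cannot learn which one was wrong.
            ok &= hmac.compare_digest(candidate, digest)
        if ok:
            record["failures"] = 0
            return "verified"
        record["failures"] += 1
        return "locked" if record["failures"] >= MAX_FAILURES else "denied"

# Constructed sample data: the caller knows the name but not the answers.
desk = HelpdeskVerifier()
desk.enroll("jbarnes", {"ssn_last4": "4321", "pet_name": "Rex"})
print(desk.verify_caller("jbarnes", {"ssn_last4": "0000", "pet_name": "Spot"}))
```

The failure counter matters as much as the questions: without it, a caller can simply keep guessing across repeated calls.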


This article is featured at Technipages.


Article Source: http://EzineArticles.com/?expert=Mitch_Bartlett
http://EzineArticles.com/?I-Can-Get-Your-Password&id=617369