The MGM hack this past week shows just how fragile people are as an attack vector. Much of what follows is speculative, but the solution I propose could address what I believe was the issue at MGM, and perhaps at other companies as well.
The hackers claim they breached the system with just a 10-minute phone call, preceded by some sleuthing on LinkedIn to find an employee to impersonate. With just those two pieces of information, it is easy to speculate as to how the attack went down.
Impersonator: “Hi, I’m [Employee Name]. I’ve lost my phone, so I’m trying to set up a new one and get 2FA configured. Can you help?”
You get the idea, and I’m sure this is how many help desks at large businesses operate. The help desk cannot be expected to recognize every employee, and with an increasingly remote workforce, in-person resets are infeasible too.
So how can this be made more secure? For these rare, usually isolated events that require a full reset, I propose a two-person authentication system.
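As an added illustration (my own sketch, not code from the original post and not any vendor's product), here is one way a two-person rule for a full MFA reset could be encoded. It goes a little beyond the single sentence above: everything in it is assumed, including the constructed directory, the 30-minute approval window, the rule that one of the two approvers must be the employee's manager of record, and the rule that an approval only counts over a channel the help desk dialed itself. The walkthrough replays the speculated call: a caller claiming to be an employee cannot vouch for themselves, the agent cannot shortcut the process, and only two distinct colleagues reached out-of-band unlock the reset.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy parameters for this example (not from the original post).
APPROVAL_WINDOW = timedelta(minutes=30)    # a pending reset expires after 30 minutes
OUTBOUND_CHANNELS = {"callback", "video"}  # channels the help desk initiates itself
T0 = datetime(2023, 9, 11, 9, 0, tzinfo=timezone.utc)  # fixed clock for the walkthrough

# Constructed directory: manager of record, active flag and the number the help
# desk must dial. A number the caller offers over the phone is never used.
DIRECTORY = {
    "alice": {"manager": "bob", "active": True, "phone": "+1-555-0100"},
    "bob": {"manager": "carol", "active": True, "phone": "+1-555-0101"},
    "carol": {"manager": None, "active": True, "phone": "+1-555-0102"},
    "dave": {"manager": "bob", "active": True, "phone": "+1-555-0103"},
    "erin": {"manager": "bob", "active": False, "phone": "+1-555-0104"},  # has left
}


class ResetPolicyError(Exception):
    """An approval that would violate the two-person rule."""


@dataclass
class Approval:
    approver: str
    channel: str
    at: datetime


@dataclass
class ResetRequest:
    subject: str   # employee whose MFA enrollment is being reset
    agent: str     # help-desk agent who took the inbound call
    opened_at: datetime
    approvals: list = field(default_factory=list)


class TwoPersonResetPolicy:
    def __init__(self, directory, required=2):
        self.directory = directory
        self.required = required

    def add_approval(self, req, approver, channel, now):
        """Record one approval, or raise with the rule it would break."""
        if now - req.opened_at > APPROVAL_WINDOW:
            raise ResetPolicyError("request expired; open a new one")
        if approver == req.subject:
            raise ResetPolicyError("the person being reset cannot vouch for themselves")
        if approver == req.agent:
            raise ResetPolicyError("the agent handling the call cannot be an approver")
        if approver in {a.approver for a in req.approvals}:
            raise ResetPolicyError("each approver counts once")
        if channel not in OUTBOUND_CHANNELS:
            raise ResetPolicyError("approval must arrive over a channel the help desk initiated")
        entry = self.directory.get(approver)
        if entry is None or not entry["active"]:
            raise ResetPolicyError("approver is not an active employee of record")
        req.approvals.append(Approval(approver, channel, now))

    def may_reset(self, req, now):
        """True only with enough distinct approvers, the manager among them, inside the window."""
        if now - req.opened_at > APPROVAL_WINDOW:
            return False
        approvers = {a.approver for a in req.approvals}
        if len(approvers) < self.required:
            return False
        manager = self.directory[req.subject]["manager"]
        return manager is None or manager in approvers  # top-level staff: any two approvers


def try_approval(policy, req, approver, channel, now):
    """Return None if the approval was accepted, else the rejection reason."""
    try:
        policy.add_approval(req, approver, channel, now)
        return None
    except ResetPolicyError as err:
        return str(err)


def walk_through():
    """Replay the speculated call: a caller claiming to be alice asks for an MFA reset."""
    policy = TwoPersonResetPolicy(DIRECTORY)
    req = ResetRequest(subject="alice", agent="helpdesk1", opened_at=T0)
    out = {}
    # The caller's own say-so over the inbound line is worth nothing.
    out["caller"] = try_approval(policy, req, "alice", "inbound_call", T0)
    # The agent cannot shortcut the process by approving it personally.
    out["agent"] = try_approval(policy, req, "helpdesk1", "callback", T0)
    # The help desk dials alice's manager of record at the directory number.
    out["manager"] = try_approval(policy, req, "bob", "callback", T0 + timedelta(minutes=5))
    out["after_manager"] = policy.may_reset(req, T0 + timedelta(minutes=5))
    # A second colleague on a help-desk-initiated video call completes the pair.
    out["second"] = try_approval(policy, req, "dave", "video", T0 + timedelta(minutes=10))
    out["after_second"] = policy.may_reset(req, T0 + timedelta(minutes=10))
    # Approvals do not live forever: the same request is dead after the window.
    out["after_window"] = policy.may_reset(req, T0 + timedelta(minutes=45))
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The important property is that nothing the caller says or supplies enters the decision: the approvers, the numbers dialed and the manager relationship all come from the directory, so a name harvested from LinkedIn is not enough on its own.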