Seth Arnold wrote:
> On Tue, Jun 18, 2002 at 01:31:16PM -0700, Crispin Cowan wrote:
>
>> So the "tell me, yes/no" hack is nearly as dangerous as having full text
>> access to the password file.
>
> What method would work better for authenticating users to tech support?

True, that is a problem. The main thrust of my argument is that it should not be the same method as used to authenticate users to the computer system: that leads to social engineering attacks, which are already too easy.

Seth does raise a good point: the *other* social engineering attack is to call up tech support in the name of some other user, and start messing with the account. Current common authentication practice is to ask for a zip code and a social security number. That sucks, because I've already seen at least one on-line service that will cough up zip codes for arbitrary people's names. Fortunately for me, that service had data-mined my zip from a false entry that I gave Yahoo :)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 16:20:19 PDT