People are always going to be the weakest link in the security chain.
However, people in a service or support role are unique. Their job is to make things easy for the customer. They're not paid to judge and it's uncommon for them to be allowed to deny a customer request based on suspicion alone.
While awareness training can help, it isn't a perfect solution for those working in customer service, because regardless of their suspicions, most are bound to support the customer first and foremost.
Some organizations do empower employees to deny requests if they feel there is a security risk. At the same time, the process of denial requires considerable effort on the support employee's part. It's easier, and far less stressful, to simply make the customer happy and do as they ask within reason.
Resetting a username and password seems reasonable, provided the customer isn't being pushy and can justify a lack of information. That's what Mr. Troia did. He justified a lack of information by playing the frustrated executive.
"She asked me to verify the PIN, which I didn't have. She then asked me to verify the last four digits of the credit card used to purchase the domain, which I also didn't have. I explained to her that I'd asked my assistant to set up the domain for me," Mr. Troia said, continuing his explanation.
Mr. Troia told GoDaddy's support representative that his "assistant" had said he'd used a card ending in four random numbers. The numbers he gave the representative were made up on the spot. Naturally, those numbers were incorrect and that verification step failed. Adding to this, the support representative was told that the assistant didn't remember setting up a PIN.
"I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn't a problem. I was directed to a website where I could fill out a form and request access," Mr. Troia said.
If none of the account information is available during a reset request, GoDaddy will allow customers to use a change of account (or email) form.
This form requires that you provide a copy of a government-issued ID, such as a passport, military ID, or driver's license, in order to prove you're who you say you are. If the domain in question isn't a personal domain, then business information is required as well. The entire process is completed online, and full instructions are available here.
In order for the attack to work, Mr. Troia created a fake Gmail account, as well as a Google+ profile to match his version of Steve Ragan. The email account would be used for password resets. The social media account was simply there to give Troia's Steve Ragan a presence on the Web.
When it came to government-issued identification, he turned to friends in Indiana.
"I knew a few people in Indiana and they both sent me quality pictures of their license. In the end, I found it easier to modify their existing license than to make a new one from scratch. I spent about four hours with the details of the license and getting the shading of the text right.
"This was probably overkill, but I’m a perfectionist when it comes to these things. The subtitles in the driver's license seal were no match for Photoshop's 'content aware and replace' feature. It wasn't perfect, so the majority of my time was spent pushing pixels until it looked right. A little blur and grain go a long way to making something look authentic," Mr. Troia said.
The form was submitted on Friday, March 13, but it wouldn't be reviewed until the following Monday, as those responsible for change requests do not work during the weekends.
On Tuesday afternoon, Mr. Troia received an email asking for additional information. Most of the domains under my account are registered to a business name, which would require additional information.
"I sent an email stating that there was no actual business which they could verify, and that I just put something there because I thought I had to. I sent the email and immediately called right after. The woman I spoke with was super nice. She looked at the email while we were on the phone and said that people use non-existent business names all the time. They just needed the written copy for an audit trail. She authorized the email switch while we were on the phone. Instructions to reset my account password were in my email by the time we hung up," Mr. Troia said.