Your speaking about social engineering. Makeing sure that the person on the phone is who they say they are.
An idea we had was to put up inexpensive computers in key locations and to put inexpensive cameras on these systems. So when a person called to get their password reset, that person would go the the password station, the helpdesk person would see the person is who they say they are, then reset the password.. It could be a cheap system too, an old PC running windows, and a cheap $40 web-camera from CompUSA and walla! Thank You Steve Champion Sr. Security Analyst Methodist Health Care Systems [EMAIL PROTECTED] -----Original Message----- From: Robert Sieber [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 12:50 PM To: [EMAIL PROTECTED] Subject: How to authentificate an user via telephon? Hello colleauges, imaging the following situation: User calls the helpdesk to reset/alter some kind of account-password (NT, RAS, PKI-PIN ...) and you has to determin wheter the user is the correct (owner of the account) user. What would you do to authentificate the users identity? What are good methodes to do this? It should be easy for the user but secure for the administration. Robert -- http://board.protecus.de - Firewalls, Security and more ...
