Trying to filter the hackers from the users who constantly forget their password. Sometimes IT feels like walking through a field of landmines, that move like a cat when you are on a staircase.
26 Spice ups
Different article about this in the Snap! today if anyone wants to check it out: Snap! -- Invader Ice, Gene-Tweaking Mosquitoes, WhoFi: Wireless Tracking
12 Spice ups
I’m actually surprised this doesn’t happen more often, especially in the days of work from home, where helpdesks can no longer rely on calls coming from internal extensions.
Thankfully, we’re small enough here that I know almost all of my users, but this doesn’t look good for their outsourced helpdesk. I’m curious how helpdesks at other big organizations validate callers are legit to prevent this from happening.
10 Spice ups
ajason
(aJason)
4
This reminds me of an article about a guy who was targeted by a hacker. The hacker convinced someone at Apple that they had forgotten the password and to bypass regular protocols due to the “circumstances”. Created a socially engineered sob story if I recall correctly.
I must wonder like @CharlesHTN how big organizations keep this from happening often. I also run a small company and recognize most of our users, if not all of them.
However, with AI voice duplication, this may get even more challenging.
9 Spice ups
Very true! This is another reason the principal of least privilege should be followed when setting up user access from the beginning. How on earth does compromising a few user accounts result in ransomware that could be so damaging? I’m sure the scammers did their research and targeted very specific users, but the scope of damage should still be limited.
7 Spice ups
Sorry, did not intend to distract from your regular features.
9 Spice ups
ode2joy
(Ode2joy)
7
When I worked Helpdesk ages ago at a large hospital system, we weren’t allowed to reset password over the phone. We had to direct them to a self-service password reset site on the Intranet, and they had to supply two pieces of info (I believe it was employee ID and the last 4 of their SSN). That feed came directly from the HR department, and IT never even had access to it.
Like others have mentioned, I now work for a very small organization and users usually just come right to my desk if they can’t log in at all, but this scares me more than anything. I’d be skeptical of any call coming in from an unknown number, as all of our internal users call through Teams, but it still scares me in the private sector with bad actors trying to scam grandmas and grandpas and such.
8 Spice ups
molan
(molan)
8
that makes a lot of sense. I routinely refuse to reset passwords unless the request gets directed through the supervisor \ manager.
I don’t know who the person is most of the time so I am not handing out credentials, doubly so when the request comes in from a personal email account which happens routinely. “honest I am who I say I am from random @gmail.com”
they hate it but it servers two purposes.. 1 makes sure the request has gone through someone who can validate the ID at some level (CYA) 2 makes sure the supervisor \ manager is aware how often certain people ask for a password reset (weekly 
)
9 Spice ups
Not an issue at all. If you had posted it a bit earlier I would have put something else in the Snap!, but just wanted everyone to know the conversation was a little split on this one. 
5 Spice ups
Oh just set every pw to P@ssword123! and be done with it, nothing bad will happen.
5 Spice ups
