On Call

Welcome to On Call, The Register's weekly dive into the mailbag of woe from those faced with recalcitrant users or, occasionally, an overly helpful operator.
Today's story comes from a reader that the Reg's patented pseudoriser has called "Nick" and could be regarded as somewhat of a riposte to last week's Asset Tag shenanigans.
Rather than finding a PA careful not to hand out any potentially naughty numbers, Nick found himself in quite the opposite situation.
Nick's story is bang up to date, so there can be no "it was acceptable in the 80s"-type excuses for what follows. You have been warned.
"I was part of the infrastructure team," Nick told us, and "I overheard a service desk call where someone called up for a password reset." So far so good... "which was done with no checks."
So far so not so good.
Curious, Nick asked the service desk manager what the actual process was for resetting a password since this seemed a little, er, casual. He was told: "Oh, it's out of date. It was written when we were in one building and says we get people to come in person."
With expansion to multiple buildings, the face-to-face reset had become a pain. However, rather than update the process to something more practical and a teensy bit more secure, the service desk team had come up with an even better wheeze, as Nick explained:
"I was told that it was not a risk really as they would recognise the voice."
Just let that sink in for a moment.
Nick and a chum in the infosec team retired to "the pub-shaped meeting room" where Nick regaled his friend with his discovery. The infosec chap was blessed with a rich Scottish accent and decided to test Nick's claim: "He called up... and asked for my password to be reset."
"Which the service desk drone did."
Nick then sauntered back to the office and headed for the service desk manager. In his own Southern Counties accent he asked why he could no longer log in.
"But you called for a reset," said the manager. "Not me!" replied Nick. This was the cue for the infosec chap to put in an appearance, replete with Scots brogue.
"The service desk manager was asked to pull up the call recording and after she listened to it, emailed her team to tell them the new process for password resets.
"I gave my notice in the next day."
Nick had more reason than most to be sensitive about those password resets. As a prequel, he also told us about an earlier incident while he was working for a small MSP, which looked after a number of businesses.
"We got a call asking for some passwords to be reset 'because people had left' and for access to their email to be given to the caller."
Something was a bit whiffy about the call, "as it looked like half the company was on the list."
The team dutifully double-checked by attempting to get in touch with their primary contact at the company. It appeared that person had left, so the MD was put on the line.
"It turned out the guy who called was a director who was leaving and was trying to steal a load of data."
Ever taken a call and refused to take action no matter how much like the Boss the caller sounded? We hope so. But if not, perhaps a swift email to On Call will ease your conscience? ®