Vlog: How Can Remote Caller Verification Protect Your Organization From Social Engineering?
Mike Engle:
Hi, everybody. My name is Mike Engle, co-founder and head of strategy here at 1Kosmos. I’m joined today by Jens Hinrichsen. Say hello, Jens.
Jens Hinrichsen:
Hello, everybody.
Mike Engle:
Jens is our head of sales here at 1Kosmos, spends a lot of time in the trenches. And today we’re here to talk about remote caller verification. We have an acronym for that, RCV. But Jens, would you mind giving your quick pitch on what RCV is for the folks out there?
Jens Hinrichsen:
Yeah, I would love to. And I think certainly also, Mike, with all the conversations that we’re both fortunate to have with a variety of organizations globally, please chime in with some of your own perspective as well. But I think remote caller verification, whether it is IT service desk for employees, contractors, other third parties that are interacting with an organization and have access to the inner sanctum, if you will, of an organization versus, say, contact center or call center. Where for years the industry has been working on solutions to mitigate fraud from a customer or outside facing standpoint, this is really about these emerging threat actor groups. Not even so much emerging, but Scattered Spider certainly has taken the cake recently in terms of being in the press most from MGM, Caesars, a host of other organizations where they have as a group socially engineered their way through the IT service desk of an organization.
So in the case of 1Kosmos, hi, I’m Mike Engle, I’m a co-founder. Service desk agent’s like, “Oh, my gosh, I got a co-founder on the call.” And if it’s not Mike and it’s a threat actor group, very charming, you name it, they can socially engineer their way in, get the credential reset, and then have Mike’s access to the company. So it is a big area of threat. It’s a big area of inefficiency also that organizations are trying to get better shored up. Mike, any other thoughts you have on that?
Mike Engle:
Yeah, so a lot of friends in the industry, I talk to them about this and they don’t have the right tools typically. So they’re using old, tired methods or no methods. They just turn it off because they can’t trust it. And an example would be secrets. What’s your employee ID? What was your date of hire? What was the amount of your last payroll deposits? Which I wouldn’t know that. So sometimes those are too hard and don’t work or they’re too easy to guess and anybody can use them. So social engineering has been around forever, but they’ve gotten really good at finding the information, the legacy ways that people have been using over time. What are some of the ways that they’re using now to get into help desks?
Jens Hinrichsen:
Well, it’s interesting, too. I think back to the point we made earlier from a fraud standpoint, I mean, there’s been social engineering going on for ages. Whatever that chain looks like, phishing, malware, getting information, and then pretending to be a customer of an organization, malicious actors are looking for economic gain and other impact for a variety of reasons. But where you can have big impact is when you’re able to infiltrate an organization. It’s one thing to steal $50,000 from a customer of an organization. It’s a big deal. You want to mitigate that, but as far as being able to get into the inner bowels of an organization’s IT stack moving laterally, whatever the case is, that is a huge area of focus these days.
So a lot of the, call it, the social engineering talent, the charms, I mean, Mike, you and I have even through different circles heard some of these calls and they’re … Wow, if I’m the service desk agent, yeah, I’m believing this person. You don’t have an ID for what reason or you don’t know this for whatever reason? Sure, of course. So I think it’s really been the same playbook focused on this avenue now. And again, it is really, really easy for these sophisticated threat actors to sound very believable, have core information that’s needed that would get a service desk agent to say, “Mr. Engle, co-founder of 1Kosmos, that’s fine that you don’t have this and this, but I’m going to issue a new credential to you right away. I want to make sure you’re happy.”
Mike Engle:
Right, and they may create a sense of urgency. I’m a doctor, I got a patient here at a table and I can’t unlock my stethoscope, whatever it is. So yeah, that’s a common tactic as well that we’ve seen them use. And then once they get that initial credential, they’re typically 50% of the way of getting into the core network and things go downhill from there. And so yeah, the traditional KBA, which you would think stands for knowledge based authentication.
Jens Hinrichsen:
Knowledge based authentication. Right.
Mike Engle:
We actually refer to it as known by anybody, KBA. So it really is close to useless. And whenever I opened a new financial services account and they pop up those five questions, what was the type of car you had when you were five years old or whatever, I run for the hills if I can. So what can we do about it? How does 1Kosmos, for example, mitigate this threat?
Jens Hinrichsen:
Yeah. And even, Mike, before we go there, and I think one of the examples, what’s one of the KBA examples you’ve used before? It’s like your grandmother’s shoe size when she was nine or something. Well, whatever the iteration is, before we even get into solution, I think some of the really interesting parts that we’ve gotten more intimate with is even the other ways that organizations are trying to address this. So KBA, sure, that’s one. Known by anybody, as you said. OTP. Hey, I’m going to push you an OTP. Well, we still don’t know it’s Mike. And then we’re also seeing a lot of organizations, not even necessarily just at the highest level of privilege, but even more broadly where it’s an escalation to the manager. And you do the math on that in terms of just sheer productivity loss and in some cases you might not still be actually verifying it’s that genuine user.
So there’s these kind of clunky ways and tools that we as an industry have been trying to address this. And so to your question, Mike, it’s like, well, gosh, what is a way that an organization can do this where it’s effectively automated? So somebody is still calling into the service desk, but you’re removing the onus of verification from the service desk agent because the reality is service desk agents are being asked to do so many things already and they’re always told: do it in this amount of time, get it faster, faster. So you don’t want to forsake quality, but how do you have a very easy process for both agent and user, whether genuine or a malicious actor, to undertake that then gives the credence that, yes, this is actually Mr. Engle calling in? And so there are a few ways to do it. One that really gives, I’ll say, the minimum viable baseline would be a one-time identity verification or identity proofing event where I call into the service desk and I’m pretending to be you.
And the service desk agent says, “Okay, Mr. Engle, I’m going to send you a link either to your phone, to your email address.” There are a variety of things that you have to take into consideration obviously in terms of companies that might not have employees be able to have phones or are they company owned, et cetera. Those are all things that you see and we navigate accordingly, but the very simple process of opening up a link, scanning the front and back of a driver’s license, a passport, some other government issued document, and then doing a matching selfie against the image that’s on that document. And what we can do with very high assurance is give a thumbs up or thumbs down. And all we would do is simply say to the agent, “Yep, this is Mr. Engle,” or in my case, pretending to be you, “No, this is not.” And so that’s a really simple initial way to do it. The really exciting part, and this is what permeates the next generation, which is actually here now and gaining steam, is the user control.
That reusable identity of, hey, once I have verified myself, once I essentially have an identity wallet that I can then present wherever it’s needed that proves that I am Mike Engle and I don’t have to go back through the whole process of scanning something, selfie, et cetera. So the elegance is there. You get high assurance, quick and easy, reduces call center times. And then again, you’re removing that, again, onus on the service desk agent of having to be the one. And there are other companies, too, Mike, where it’s, “Hey, can you hold your ID up to the camera?” It’s hard enough to tell that they’re real when you’re holding them, much less over a camera.
Mike Engle:
Yeah. And when I hold my license up to a camera, now what’s the other person doing with that information? First of all, they can’t verify it. It’s too hard. You can’t see the little security features and then now I’ve just showed you my driver’s license number. That’s something you don’t want floating out there on a video call. So yeah, the privacy preserving aspects are really key. If you can assure the help desk and your remote callers, your remote employees, or customers that it’s safe, then they’ll trust it and feel good about using it as well. That’s a great point. Yeah, so I think we’ve about done it. I guess one last thing is how hard is it to implement a tool like identity-based biometric verification for a service desk?
Jens Hinrichsen:
Yeah. What’s the usual answer? Well, we could have had it in yesterday, so you got a couple of flavors. And I think the great thing for us as an industry is you can literally start as fast as you can start with, call it, a touchless integration where you’re simply calling out to an API. That link that we talked about earlier that gets sent to the user, that’s essentially a service. It’s a hosted service and you’re not having to replumb or do anything on day one within your organization. You can address the threat, make it a simpler process literally within a couple of weeks. And then the subsequent steps that I know we’ve observed with our customers is there are things that you can do to tighten some of the workflows, whether it’s ServiceNow or whatever the service desk system or backend might be.
But then that next step, and it can come pretty quickly, is the organization’s adoption and use of that reusable identity. And it’s a pretty powerful thing when we think about especially at the point of, say, onboarding. Whether it’s say HR onboarding, contract, or third-party onboarding, you’re doing that verification once. The user now owns it. You made a great point about privacy preservation. I mean, that’s what we’re all in the space for, right? It’s one thing to have a point in time, but you have to make sure it’s privacy preserving. But then also, let’s make it efficient for everybody. Do the verification once and then all you’re doing is you’re essentially authenticating into systems or doing high-risk transactions or whatever the case is after that.
Mike Engle:
Right, right. And you can’t implement something like this without uttering the words ROI, right?
Jens Hinrichsen:
Yeah.
Mike Engle:
You have the obvious security benefits, stop bad guys, but the user experience is actually better. And then an organization can have 100,000 calls into a help desk a year. An average of 30% to 50% are password reset or identity related, so why not remove that and save those calls from even coming in? You can automate this, you can do it in a self-service password reset manner as well, SSPR. So yeah, a lot of reasons to do it.
Jens Hinrichsen:
Yeah. Well, no, and you’re right. And it’s fun to build these business cases alongside organizations because it’s not just a security risk mitigation. There are very direct, like you said, Mike, very direct savings, overall operating efficiencies. Even to the point where as an organization lifts its security posture, they’re getting better policy. Their cyber insurance policies are coming down or at least not going up as quickly as they might go, depending on what most of us are feeling in the industry. So that’s a great point, that this is really a multi-pronged business case. And I think we’ve observed 10, 20, 30X return on an investment in even just the first year.
Mike Engle:
Yeah. Yeah, it’s a no brainer. So hopefully we’ll get the phone calls before the bad guys get in and not after, but either way …
Jens Hinrichsen:
Mike’s personal number is…
Mike Engle:
That’s right. Well, cool. Thanks so much for joining. It’s been fun chatting with you about this. Hopefully somebody out there will see it and it will spark some ideas to make a difference in the world of cybersecurity.
Jens Hinrichsen:
Brilliant. Great chat, Mike.
Mike Engle:
Thank you.