Credential Reset and Recovery

Robert:
Hello everybody. Happy New Year. Welcome back to our Fun IBA Friday. Hi Sheetal, how are you?

Sheetal:
I'm good. How are you Robert?

Robert:
Happy New Year.

Sheetal:
Happy New Year.

Robert:
Yeah. So to put you on the spot, Sheetal, I've heard just recently that you're learning to play an instrument. Is that true?

Sheetal:
Yes. That's my New Year resolution to do something.

Robert:
Tell us what that instrument is, Sheetal.

Sheetal:
I'm learning to play the ukulele. I'm not sure I'm going to be good at it, but I'm totally okay.

Robert:
So everybody listening to IBA Friday right now and myself will expect in about six months is a theme song, just as Maureen said earlier.

Sheetal:
Yes.

Robert:
Excellent.

Sheetal:
We're going to beat the ends this time.

Robert:
Yeah, just so everybody knows that's listening right now. I'm going to be in trouble for saying that, but it's all good. Sheetal, I'm just poking at you. So, all right, let's get started, shall we?

Today we've got something that we want to talk about and it has to do with identity proofing users, specifically ones that call help desks. And as a practical example of why we're talking about that, and we've talked about this breach before and we don't want to keep dragging MGM under the bus here, but they had a fairly significant breach as did Caesars. MGM kind of had more of the spotlight because theirs lasted longer. But that happened because somebody had called the help desk and there was a vishing, that's with a V, not phishing, but a vishing attempt that enabled them to get access to a user's credentials and then whatever they had access to on the backend. So I know that you did a little bit of research. Why don't you tell us a little bit about what happened there and then we can talk about, well, how can we solve that going forward? So specifically, what kind of happened at the end, just to reframe everybody and refresh everybody's memory, what kind of happened there?

Sheetal:
So with MGM, I think this happened back in October. We noticed that literally some ... Scattered Spider, which is one of these really popular groups called in to a help desk agent. They had grabbed a critical employee's LinkedIn credentials, used some of the information there, called in a help desk, and had a very persuasive tone of voice and convincing storyline. Spoke with a help desk agent and they were able to reset their credentials or gain access to their credentials. They then actually used these credentials to go ahead, gain access to critical systems, enough to steal and encrypt all of their data. So this sort of massively brought them down and of course they started demanding for crypto.

What it really meant for MGM was for days on end, they were stuck with people who are at resorts having no access to the slot machines, not being able to go up and down an elevator. I think that hits hard and we've all been those customers in a resort who were not happy with that kind of customer service. Not happy at slot machine. So it really hurt MGM and it took them literally 10 days to sort of come out and step out of their attack. What's surprising was it was just a simple ... It was not a complex attack vector. It was a simple social engineering tact. Pick up LinkedIn credentials, call a help desk and get them reset. So that's really how that entire 10 days of pain was inflicted upon a casino as large as MGM.

Robert:
Yeah. And as net result, I got a letter in the mail probably just before the holidays saying, "Hey, I know you've stayed at our hotels before and your data might've been compromised, so here's a free credit check for the year." So I mean, outside of all the lost revenue, there's this spend that they had to go through just to try to reassure customers that their data is safe or if it isn't, that they'll be able to keep track of it.

So you and I were on a call recently with a Gartner analyst. They had commented that they're receiving a lot of calls a week around how to prevent these types of attacks because they are on the rise. And just like we said back when this happened, that copycats when they see something, they're like, "Oh, okay, if that's an easy way to do it, then that's what we're going to do." So there's been a significant increase in these types of attacks. Gartner analysts are seeing it from what customers are asking for, and being that 1Kosmos is really good at doing identity proofing and passwordless and being able to combine all that stuff together, let's chat about what we could do to help a desk agent or an organization that has help desks, be able to prove who the user is that's calling. Let's chat a little bit about that. How would we or how could an organization do that?

Sheetal:
Typically in the past what we were doing was every time a password reset need to happen, we always used to do it through a device, a biometrics enabled device where you are able to verify somebody's face ID before you do it. But what happens in a scenario like a casino or a large retail center? These are all field employees who are on a casino floor or at a store. So they're not corporate employees who are in front of a desk or having access to their phone. So what do you do to support these kind of scenarios? Which is when we started thinking about why identity, identity is probably the answer to doing this, why don't we verify users' identity before actually allowing them to do a password reset?

So I think in the last few months with a lot of requests and conversations with customers in this category of having a lot of field staff, we found that having your help desk agents put the end user or the employee through a identity verification on the fly. So we are able to verify before we do a credential reset is probably the best way to go about it. And with one of our customers, we're about to do the exact same thing.

Robert:
Yeah, I mean at the end of the day, organizations want to try to mitigate any sort of fraud into the call center, which is exactly what this is. But they also want to make sure that they can shorten the average handle time to verify a caller. And typically what I believe, or I mean listen, I've called into a help desk, you've called into a help desk to reset passwords. They're going to ask you some questions. What's your mother's maiden name? How long have you worked here? There's a bunch of knowledge based questions and that's where the vishing came from. So trying to prove identity through that is not an efficient way or it's not a good way to prove the legitimacy of the caller. So I think you're going to show us how we could try to prove that legitimacy of the caller and do it with a very high level of assurance.

Sheetal:
Yes, absolutely. So we're going to jump into the demo just to make this exciting, pretty quickly. I'm going to go ahead and share.

Robert:
I think it's already exciting, Sheetal. I don't think it's possible to make it more exciting.

Sheetal:
Okay, so what we're about to see is a video of how one of our customers uses credential reset through our ID proofing solution. So we're actually going to start off with what happens with a help desk administrator and then we're going to proceed into what's happening with the actual employee or the person who's trying to reset their credential. So I'm going to go ahead and show you this video. And here what you see is this is the help desk agent who's trying to log into a portal where he can actually trigger the request for a password reset. So the help desk guy receives a phone call, he's logging into his own portal, and once he logs in, he's presented with a screen where he's able to send a verification link to the end user, to the employee saying that, "Hey, we'll verify your identity and then I will help you reset your password."

Robert:
Okay, so I'm the person looking to reset the password. You're the help desk agent. I call you and you're like, "Give me your phone number." You're going to put in my phone number there and then hit send.

Sheetal:
Yep. And that's it. So I'm going to hit send and then as you can see, we've created a new session for this person. So what we're going to do, and this is a live session where it is going to be active for a couple of hours. So the user is going to start receive the SMS, and this is Robert on the right who's received the SMS. He's going to click the link on it and he's going to begin his ID verification process. It's fairly quick to initiate the process and go through it end to end. They go through a consent screen where we sort of display the privacy notice of the company.

Then we proceed to opening up the camera. And here what's happening is Robert's being asked to scan the front side of his driver's license, and it could be any document. It can be a driver's license, a passport, any government issued ID where we have the front and back. And followed by, once the scan is complete, we're just showing you a quick preview of the front and back of the document that was captured. And then we're also asking the employee to provide a selfie. And at the end of it you will see that the ID verification has been completed. So there Robert sort of finished his identity verification.

Robert:
I got better looking in that video too, which is good. That doesn't happen often.

Sheetal:
Yeah, you did. So once that's done, so now what did the user provider? The user provided the front of their image, the back of their image, and then a selfie. So this is what we had. So now the help desk admin is going to go ahead and check that session right over here and he's going to check whether they used a completed verification. And as you can see here, he's able to use the same session ID and look up whether actually finished his ID verification and he did. And the document that was presented was a driver's license and verification passed.

Now the big thing is all of these little scores that we have here is really what helps us make sure that it was a real document. If Robert had presented a photocopy document, we would've caught that. We wouldn't pass a photocopy document. We wouldn't pass a document where it's a document that's been grabbed off of the internet or even if the face doesn't match on both the IDs. So these are all checks and balances that are in place to make sure that the ID that's being presented is a strong identity to begin with.

Robert:
Yeah, that's interesting. So I mean the other interesting there as well is that it didn't take very long. Time to finish was 44 seconds.

Sheetal:
44 seconds.

Robert:
So that's pretty quick for that level of assurance that that user is not fraudulent. So okay, we captured all that there. There's no PII data on display here from what I can tell.

Sheetal:
Yup.

Robert:
So from a help desk agent standpoint, they're not looking at anything that they shouldn't have access to, which is cool. Where does the PII data go that was just captured by myself, also known as Persona?

Sheetal:
Robert, we always say this, we believe in being a privacy preserving company. So for any customer who's in production, we ensure that their data stays transient, meaning the data is available only until the time that the verification is completed. After that it just disappears. We purge that data just to make sure that we are a data processor, so we make sure that the data is handled appropriately, it's discarded as soon as the verification is handled. Now, on the other hand, if there are customers who need to keep the data, we also support that. But being in the business of ensuring that the right people have the right access to data, I think a help desk guide just needs to see just about this much information to know who scanned their document, then just go through it. So we're able to give them roles and permissions that get them to this point. So that's the beauty of it.

Robert:
Well that's amazing. So obviously in doing this for people that have been along for all of our IBA Fridays, we scan the document, we do the OCR scan on that, we then verify if the document looks real, we take the picture, we compare the picture to the selfie, all those things look legitimate. They pass all those good things, then that's why we got all the green check marks.

Sheetal:
That's right.

Robert:
And then if any one of those were red, then obviously that's a flag to the help desk agent, especially if it failed, that you would then have to shut that call down and maybe go talk to somebody about somebody trying to do some vishing attacks. Very cool. Easy enough. So when we look at this and we see what's going on in the market, even here at 1Kosmos, we've had a number of calls from customers asking, "Can you solve this problem?" What do you see? You have crystal ball, future looking. When you look at where this has the potential of going, tell us a little bit about your thoughts on how this could be integrated. Quick, simple, how does this work? If somebody wants to stand this up and deploy it, is it a six-month lift to make this work or can you have this up and running in a couple of days?

Sheetal:
So it's actually quick and simple.

Robert:
Of course it is.

Sheetal:
Of course it is. But for some of our customers, we are able to support this completely through APIs. So if they needed to do this within their own environment, we are able to totally support that. And it's just a quick integration of the API where it generates a session to do ID verification, and then it returns a verification result. So you as the customer can decide to use it in any kind of use case that you see it fit. But also for other customers who don't have the infrastructure to stamp this up, we are able to offer a portal that can help you generate this entire interaction. Use that on our portal, you set up help desk admins who can generate the session, who can view the session. It can go either ways, but quick and easy, it is.

Robert:
Interesting. One last question before we wrap up. You showed what that app looked like. It looked like it was very 1Kosmosy. I'm MGM, I've got a brand I've got to maintain, I'm Caesars, I have a brand I want to maintain. Can I change the look and feel of that to make sure that when I send it to maybe a customer or even an employee that they still feel like they're dealing with the same company?

Sheetal:
Absolutely. So I think every time a customer is going through an IT verification journey, these are all templates that are behind the scenes. So we offer the ability to sort of customize it so that it looks exactly and represents the brand. So a casino or retail center, we are able to show the exact branding of that organization. So it's a very seamless experience for anyone who is coming on board. So we can be behind the scenes and just let the identity verification template show the brand.

Robert:
That's awesome. Actually, that video was very exciting, Sheetal. I take it back. It did make it better. I do appreciate you doing that. So okay everybody, that's it for today's IBA Friday. Hopefully you got something out of that. If you do have a help desk and you are potentially struggling with being able to ensure the validity of the person on the other end of that call and you want to make sure before you reset any passwords that you prove that the caller calling is legitimate, this is a quick and easy way that you can do that with very little friction added in. And you can be assured that when you do reset that password, it's for somebody that is actually requesting it. So until next time, Sheetal, thanks again. Enjoy the rest of your Friday and we'll see you on our next IBA Friday. Thanks for coming everybody. Talk to you again soon.

Sheetal:
Thank you.