Shielding Helpdesk Operations from Scattered Spider Attacks

Video Transcript
Abby Stephens:
Hello, and thank you for joining us. On behalf of 1Kosmos and Carahsoft, I would like to welcome you to today's webinar, Shielding Help Desk Operations Against Scattered Spider Attacks. And at this time, I'd like to introduce our speakers for today, Robert MacDonald, VP of Product Solutions, 1Kosmos, and Mike Engle, CSO at 1Kosmos. And the floor is yours, Mike and Rob.

Mike Engle:
Thank you so much. It's great to be-

Robert MacDonald:
Hey, Mike, how are you? Mike had to do an emergency restart before we got started here, so everything's back online, Mike, you ready to roll?

Mike Engle:
I have no idea.

Robert MacDonald:
I know what we didn't talk about, we didn't talk about who was going to share the slides. Did you want me to do that?

Mike Engle:
Yeah, I think I got it. Let's push this button here, see what happens.

Robert MacDonald:
Okay.

Mike Engle:
It's not even Friday yet. So let's share, there we go. I think we've done it. Yep, okay.

Robert MacDonald:
Technology works.

Mike Engle:
It does. Yeah. So let's say hi to everybody. I'm Mike Engle, co-founder at 1Kosmos, and I've been doing this over here, for about seven or eight years now. And Robert, you are a Canadian and-

Robert MacDonald:
I'm the VP of product marketing here at 1Kosmos. Coming up on my anniversary here at 1Kosmos, so yeah, it's very exciting. And today, Mike, we're going to talk a little bit about help desk operations, or service desk operations, and the Scattered Spider attacks that have been happening over the last little while. So I think everybody, or maybe most people are aware of MGM, Caesars, I think Visa, Pians, there's a bunch of people that have been under attack by Scattered Spider. And what they're doing, is they're kind of chasing after, I don't know if it's a new attack vector, but it certainly seems to be new. They're coming after the help desk operations and the service desks, with somewhat great effect, which is interesting. And we're going to talk a little bit about how you can help prevent that today, right?

Mike Engle:
That's right. Do you know where this Scattered Spider name came from?

Robert MacDonald:
Yeah, we're going to talk about that in a second. But before we get started, Mike, we're going to actually start with a polling question. Abby, if you have that first one up there, let's take a look at the polling question. I thought this would be an interesting way to get us started, Mike, and look at has anybody actually experienced any sort of attack through either their service or help desk? So everybody that's online right now, if you can go ahead and vote on that, that'd be great, just to see where we are. So there's a, thankfully, not yet. Not yet is usually the operative word there, right? Unfortunately, yes, we have. And maybe people are just unsure because they haven't found it yet. So 73% of people said, "Thankfully, not yet," which is good. Nobody's unsure, and 27% of people said that "Yes, they have," so I think this is probably pretty timely, Mike. Let's get into it, and talk a little bit about Scattered Spider and what they do here.

Mike Engle:
Yeah. And you have this really scary picture here, so it's a good starting point.

Robert MacDonald:
Yeah, yeah. I found this online doing a little bit of Googling. But they're a threat actor. They're based out of the US and a bunch of other places, so that they have a global presence. They target BPO organizations, energy, manufacturing, retail, telecommunications. And it doesn't matter where you're based for the most part, they're after you. So US, Europe, India, Australia are kind of their key targets. They're all about trying to collect some money, to get people to pay to remove whatever they put into place, the malware or whatever they put in, just like they did with... Actually MGM and Caesars were both attacked at the same time. I believe Caesars paid the ransomware, and were able to keep operations up and running, but MGM did not, and wanted to forge their own path forward, and that was one of the reasons why they were out maybe as long as they were.

Just a note too, Mike, we're not here to pick on anybody. These things happen. It's unfortunate when they happen, but there's lessons learned from the things that do happen, and that's kind of why we're here, and what we're talking about today, right?

Mike Engle:
Yeah. As soon as you start picking on somebody, you're next, right? You'll end up-

Robert MacDonald:
Absolutely. Absolutely, yeah.

Mike Engle:
Throwing stones in a glass house.

Robert MacDonald:
And that's the other thing too, when these things do work, there's kind of this copycat effect that ends up happening too. So when the bad guys do get access to something, through a means, and it was successful, then others are going to try to do the same thing. So what we're going to talk about today, is really ways in which you can prevent these kinds of things from happening. So as I mentioned earlier, this group gained notoriety from the attacks that happened last, was it September, I think? And they targeted two of the largest casino and gambling companies in the US, and they brought one of them down for days. People were lined up around the corner, trying to check in. Mike, I know that you, you're a fan of Vegas, hopefully you weren't there around that time.

Mike Engle:
No, but was there for Identiverse a few weeks ago.

Robert MacDonald:
That's right.

Mike Engle:
And talking to one of the, maybe I was talking to one of the table operators, and he said the place was paralyzed. They were using paper, writing down bets, and doors wouldn't open. But yeah, there's a lot of brands that have been hit, that we haven't heard about. Caesar's and MGM of course, were big, but in doing some research, the Twilio, Okta stuff was involved with the same group. And I was surprised to learn that Walmart, Samsung, and Apple were also victims at some level. Obviously, they weren't completely taken offline, but yeah, very big deal. But the attack vector they've gone after is really not, I mean, it's innovative, and I'm sure they're really good at it, but it's a pretty straightforward attack vector for the most part. And let's talk about this for a minute.

Robert MacDonald:
Yeah. I mean, at the end of the day, what ends up happening, is that a bad actor calls in, claiming to be the customer, citizen, worker, or whoever it may be, to reset a credential. And there's typically a run book that happens when somebody calls in to do that, that an agent follows to try to verify the identity of the caller. And then once that happens, they reset the credential.

But in these instances, what happened is that the identity really wasn't proven. The bad actors socially engineered the responses. So I think we can all use our own personal experiences when we call into a help desk, they'll ask us a couple questions, like "What's your address? What's your postal code? What's your mother's maiden name?" There are lots of different questions that can be found easily online, right?

Mike Engle:
That's right.

Robert MacDonald:
And at the end of the day, when the bad actor answered those questions, the credential reset happened because it's assumed that the identity is, or was, legitimate at the time. And those knowledge-based questions, as we know, in other areas of cybersecurity, they're not really the best way to try to verify somebody's identity, right, Mike?

Mike Engle:
No, they're not. I had a personal experience of having a vacation stolen from me, because the company, they're called VRBO, very big company, they're actually owned by Microsoft, up the food chain, didn't validate people when they called into their help desk. So they created a fake email in our name, and convinced the VRBO people that this was them, which just took a name that looks similar, and they diverted an entire vacation over to their name. And could have had a really bad ending, we just happened to get lucky and get in front of it.

So the verification, there's all different kinds of levels. They did zero check. Somewhere in between, but the detects that we'll be showing here today, the detection capabilities is much higher level. But really, what does it mean when somebody can get into these systems? When they call the help desk and pretend to be Johnny or Sally admin, there's all these downstream target systems, that once you get your foot into the door, that's it. It's game over. So the old way of hacking was let's crack in through the firewall, or buffer overflow, some type of supply chain attack coming in from the perimeter. But why do that when you can just log in? So it really is a game changer, in terms of what we can do to protect it.

Robert MacDonald:
Yeah, it is. I mean, if you look at all the boxes that are on this screen, there are full industries built around these things, full markets built around trying to secure organizations. And organizations are buying these technologies to try to fortify their environment, to make sure that the bad guys stay out, information that's supposed to stay within, stays within.

And a simple call to a help desk, if you're able to get that credential reset, completely makes this stuff useless, right? Because now I'm just going to log in as a legitimate user, and your security operations team, as an example, your SOC team is not going to know that it's a bad actor versus somebody else, because I used a valid credential to log in with. So then everything I do, or everything I have access to from then on in, I can do whatever I need. So if I can get ahold of a credential that has a significant amount of privileges, well, I mean as one of these Scattered Spider, or the like, bad actors, I have exactly what I'm looking for, and I can do exactly what I need to do to get that financial gain that I'm looking for. But it's crazy that you can invest so much technology to try to keep things secure, but just a simple credential can make all of that stuff, bring it all down to its knees. And that's essentially what happened here, and it's-

Mike Engle:
You're depressing the hell out of everybody, Rob.

Robert MacDonald:
I know, it's crazy, right?

Mike Engle:
Describing the water while we're drowning. Yeah, the water really looks wet.

Robert MacDonald:
Yep. The water, yeah, it's fine. Come on in, guys.

Mike Engle:
So let's talk a little bit about some of the newer things that we can do, and the new attacks on those new things, because it is a cat and mouse game.

Robert MacDonald:
Yeah, it is.

Mike Engle:
So selfishly, we're going to talk a little bit about the things that we do in this space, just so you know who 1Kosmos are. 1Kosmos means one universe. And it's our belief that one day, we will have one identity to go do the things that we need to do in the digital world. Just like we have one identity in the physical world, I'd hand you my driver's license or my passport. So we have novel ways to enroll you into modern identity and authentication systems. And very important for today, is how to verify that you are who you say you are, so not just having a driver's license in your pocket, or a token. And to do that, we've built a platform that has all kinds of certifications and connectivity, and federated protocol standards, that were not the purpose of today's call, but really here to talk about the attack vectors and some of the compensating controls, right?

Robert MacDonald:
Yeah, yeah, absolutely.

Mike Engle:
So the vision, how do you mitigate a Scattered Spider attack, is to make it really easy to prove who somebody is. Use automation, put the power in the hands of the user. And so we'll show you some of this live here, and get into the weeds. And it really is simple. So imagine how simple it is when you get pulled over by a state trooper, or you go to the TSA, or security at the airport, it's very easy to prove who you are. "Here's a credential, match my face." And so now, we can do that digitally, obviously. And I'm sure many people on the call today, have done this, but probably haven't done it as they come into their help desk. And so we're going to talk about a combination of establishing identity.

So there's a couple of standards that are really important here. The US government put out a standard called NIST 800-63-3A, which says, "Here's how you prove who somebody is remotely." And we're going to pop into the polling question here, as we're doing this slide. We're going to go through what this process means, and then of course, using that proof over and over again, authenticating. Hey, Rob, I already know who you are, so I'm not going to ask you for that credential again, ties this all together. We call this identity-based authentication when you have a combination of a verified identity and an easy-to-use credential that you can use over and over again. So let's jump into the polling question here, our second one.

Robert MacDonald:
Yeah. So our second polling question here, asks, "Do you use knowledge-based authentication, knowledge-based factors to verify a user's identity?" 88% of people do, and 13% of people use something more than that. 0% said "We do not use those things." So the majority of the people that are on the call today, Mike, are using some sort of knowledge-based factor to verify an identity when a user calls into a help desk.

Mike Engle:
That's right. That's right. So let's talk about the levels of identity verification, and how we can do this remotely for our users. So the standard that we have here, NIST 800-63-3A, has three levels to it. And there's a new version coming out in the next six months, which has four levels. But this here, is kind of the gold standard. It's a combination of multiple sources of truth, verified against the issuing authority. So you have things like driver's licenses and passports, which are very powerful, and matching them to your actual face is really what makes them sing.

So we call this identity assurance level two. Three is the highest of levels that are out there today, and this standard exists globally in many countries. They call it something different in each country, but they're all based on the same principles, and many of them will reference this US government standard as well, so it really is the gold standard. But at the end of the day, what we're doing is capturing data from the user. So let's take a look at what this looks like as you deconstruct it. So you're going to see me go through a demo of this, where I am capturing both the front and back of a document. Now that sounds like an easy thing to do, right? You just point your camera at it, but there is a ton of devil in the details when you do this and try to do it right. So not only do you have to capture, and what happens when you hold your phone over, when you're trying... Did you ever try scanning a check for your bank, Rob, and you've got bad lighting and shadows and glare?

Robert MacDonald:
Yeah, yeah. Not easy.

Mike Engle:
Well, it's even worse with a glossy driver's license. So your provider needs to be really good at detecting glare, and guiding the user. So this image capture is really important. And then once the data, the image is captured, you need to extract it, detect what type of document it is, go verify it, et cetera, and that happens for the front and the back. And we're going to talk about this, because here is one of the new attack vectors. You want to talk a little bit about what liveness is, Rob?

Robert MacDonald:
Yeah. So there's a couple of different ways that we can describe liveness. The first way that we can talk about it is whether or not the person that's in front of the camera is live and it's not a picture. And you can do the same thing when you consider a document as well, is the document real? So that liveness check ensures that, one, the person that's there, is not a picture. There's my little thumbs up. Obviously, I'm using a Mac, I guess, is live. Or two, that the document itself, is also real. Yeah.

Mike Engle:
Yeah. And that all applies to the selfie as well.

Robert MacDonald:
That's right.

Mike Engle:
So is the document alive, and is the person alive? Because you have people holding a Photoshop, or something on their phone, you have to be able to detect that stuff as well. And the result is that you're doing all of these things in seconds. And most important, we're going to get into the attack vector, is that you are really... Let's do it. Is you are focusing on two different types of attack mitigation. You have to verify the document integrity and the liveness going together. So the integrity, what does that mean? Well, the font size, the holograms on the document, there's 100 overt security checks that you can do in a document. And then the liveness, is my head moving a little bit, or am I, what are they, a presentation attack, where I'm putting a mask on, et cetera. So let's give a demo of how this works. What do you think?

Robert MacDonald:
Yeah, I think it's a great idea. Talking about it and seeing it are two totally different things. So yeah, let's do that.

Mike Engle:
Let's do that. And then we'll get into the third polling question, and then get into a bit of the attacks on this concept.

This is a remote caller verification, and you are going to see a help desk operator here, on the left, and the remote caller on the right. And this is really a very low-friction operation. We've dropped this into help desks in a week, because it's as simple as asking the user for their phone number, or getting it out of the HR system, and sending it to them. So here's the help desk operator, just logged in, and they're engaged with the caller. And all they have to do is press a button, put their feet up on the desk, and wait for the magic to happen. And what you'll see on the right, is they're just going through a guided capture and verification process. So we're capturing the front, guiding the user, "Hey, too much glare, tilt it," capturing the back, and we're doing all those overt security checks in seconds.

Robert MacDonald:
Yeah, real-time.

Mike Engle:
Real-time. And it might fail here, if it's a bad actor.

Robert MacDonald:
That's right.

Mike Engle:
Now, we're going to ask the user for a selfie, and compare it to the photo on the driver's license, or the passport, whatever document we're using. That's it.

Robert MacDonald:
And that's important, right? Because that's how we can tell whether or not the user that's presenting the document, is the person that owns it, right?

Mike Engle:
That's right. Yeah. So there's multiple checks, we call it triangulation, that can be done. So here, let's look at all the things that went on here. We verified the document and the human were live, the document was valid. And if the application calls for it, and your operation wants it, we can even look up that they live at that address. We can contact them at the address of record that's in authoritative system, so we can go really deep into that. But you saw how amazing of an experience that is, and it's, say, just a wee bit more secure than "What is your mother's maiden name," right, Rob?

Robert MacDonald:
Yeah, absolutely. So the whole point with what you've just seen there, is that when Mike calls me, the service desk agent, I would send him that text. He would then scan that document. I would then get the check back saying that the verification has passed. I think under the summary, you can see that on the screen there. So now I can then go do the credential reset because I know that I'm dealing with the actual person, the identity, you've verified that identity. So I know that it's Mike, I can now go change his credential. And while that looks... That just happened in, I think there's even a time, it took 44 seconds for that to happen.

Mike Engle:
That's right.

Robert MacDonald:
You're going to spend 44 seconds getting people to answer the knowledge-based checks. So with little assurance at the end of it, based on what we're seeing in the industry. So this way of doing it is a significant step forward from a help desk, or service center perspective, in terms of ensuring that when they reset a credential, it is actually that user.

Mike Engle:
Yeah. So Abby, if you're ready for the next poll, we could pop that up. If not, I'll hit one more slide if you don't have it spinning on the record quite yet. Well, there it is.

Robert MacDonald:
There you go.

Mike Engle:
She's good.

Robert MacDonald:
Do you utilize any self-service options for employees? The question there is are you trying to just even prevent people from calling the help desk or service center, try to eliminate the threat before it even gets there. Now there's still some issues, as we can talk about later, Mike, even with that. You still want to make sure that when you're updating a credential, that the user is actually the one requesting it. But replies here are, we do not. Users need to call the service or help desk. We do, or we have a hybrid model. So nobody has said that they do not have a self-service option. They do, so 38% of people on the call right now, say it is the only way to request access and reset a password. And 63% say they have a hybrid model, so users call in for certain use cases.

Mike Engle:
Yeah, it's table stakes today. I mean, you have to have some type of it, otherwise your help desk gets crushed. But what we do find, is a lot of people need to either be VPN'd in, or in the office, which kind of defeats the purpose if you're trying to get in from your home and don't have the password. So that's probably some of the hybrids, where they're afraid to open it up externally. But as you saw, the one that we just did is 100% external, and you can trust it.

Robert MacDonald:
Yeah. And again, the reason why you know that VPN, or you need to be in the office is there, is because they're trying to ensure that it's the person that's requesting it at the end of the day.

Mike Engle:
That's right. So we had a couple of good questions from Samuel, and the first question he asked, it's like he teed it up and read our mind, is that data stored? So you saw a driver's license and some faces, and the answer is it can be, or it may not be, depending on the organization's privacy policies. So if you're proofing for a high-security operation, you may need to keep that evidence around for a month, or years, depending on what kind of forensics you may need after the fact, what type of proof that you gave access to the right person.

But in a help desk environment, you don't want the help desk operator seeing any of that data. They don't need to see your home address and how young you are, right, Robert?

Robert MacDonald:
Yeah.

Mike Engle:
So we have very customizable PII retention and display permission. So here, you can see all of the data on the left. It's like we can, you can define your own system in your instance of this, to get very granular, and say, "I do want the images. I don't, I just want the data," et cetera. And on the right, we're showing that we can just discard it instantly after it's been processed.

And similarly, for the help desk or the systems administrators, the help desk will see this kind of basic, it was good or it wasn't good screen, which is all they need, and then they go on and follow their procedures in the run book. But an administrator, again, if you want to keep it around, could go in after the fact, and see something went wrong with that call, let's go see what happened. So a very granular set of controls on this, which of course, is what you would need depending on your risk tolerance and privacy policies.

Robert MacDonald:
Or even depending upon what compliance mandates you may be adhering to as well, right?

Mike Engle:
That's right. And I'll answer Samuel's next question live, is a REAL ID-compliant ID required? And no, it's not required, but you could make it required. And you could go so far as to say, "I want to only do passports and read the chip in the passport." It's obviously a heavier exercise, but a much more trustworthy credential because you have an NFC chip, that has a digitally-signed credential in it. So again, it comes down to risk tolerance, and what you're trying to do, and how many hoops you want the users to go through. So good question, Samuel.

Robert MacDonald:
Absolutely. Yeah, those are great questions. The cool thing with reading the chip as well, is that we can verify the data that's on the passport is the same thing as what's on the chip, right?

Mike Engle:
Yeah.

Robert MacDonald:
Or if the chip's even been compromised, so there's a bunch of different checks you can do along those lines. And Mike, you said earlier that some of the triangulation that we can do, driver's licenses, we can go out and check to make sure the driver's license is legit as well, right? We can go out-

Mike Engle:
Exactly. So this is really key. If you're just verifying possession of a phone or an email, that's pretty weak. Can they fetch a code, or we call this SIM binding, they're proving possession of a phone, but maybe it was SIM swapped, right? So then you can take it a step further, and do the biometrics, which we demonstrated. Once you get the driver's license, you can say, "Is that driver's license valid with the Department of Motor Vehicles," that's what AAMVA represents here. So putting this together, multiple sources of truth, gives you a much higher level of assurance, that even if let's say they did bypass your liveness, right? I know your liveness is pretty good, Robert, but we can't say nothing in security is 100%.

Robert MacDonald:
That's right.

Mike Engle:
But could they spoof all of the features of the driver's license, or the fact that they live at a certain address being checked with the bureaus, for example?

Robert MacDonald:
Yeah, I mean even something as simple as reading the PDF-417 barcode in the back, just to again, trying to make sure that that document is legitimate, and things on the front match the things on the back, and vice versa, are all things that you need to be able to do to ensure that the document is legitimate, and the stuff that's printed on the front of it is accurate.

Mike Engle:
Right.

Robert MacDonald:
It's all about improving the validity of that identity and document, to ensure that they are who they claim to be. Now Mike, there are a bunch of things that we have listed here, in terms of building a verified identity. The one thing that we haven't touched, and maybe we might want to leave that to the end, is this concept of a wallet, and being able to reuse that identity. Do you want to talk a little bit about what that means here?

Mike Engle:
Yeah, this is a real game changer. It really is. So all these things, we do them all the time. I'm scanning driver's licenses for more and more apps. My Ring doorbell popped up and asked me to scan a driver's license when I was trying to log into Ring from Amazon recently. So it's getting common, and it's frankly, it can be a pain. Because if I have to do this once a week, it becomes more of a hassle than fetching MFA.

So what we can do now, and we as in the industry, of course, 1Kosmos does this very well, is take these exercises and store them in a place where the user can have them in their possession, and the proof of possession now, is in their control. So this is the wallet. Imagine you scan your driver's license once, but could transmit that proof over and over again. I've done my live ID, my selfie, and I can transmit proof that I am still me, over and over again. We're seeing wallets evolve globally. Some countries are issuing them, some trade industry organizations, your bank really acts like a wallet today. They give you a trusted app. Apple has a wallet, Google has a wallet, so employers are making their own wallets as well, and we've powered quite a few of them. This is a real game changer as we start to ask for identity more and more, which we frankly have not been in the habit of doing in the security world, until these scary Scattered Spider guys came out and started making us think about these things.

Robert MacDonald:
Yeah, I mean, identity in the security world, up until now, has been an entry in Active Directory, or Okta. And it's a username and a password, that's been your identity up until this point. And I think with some of these most recent attacks, that that's going to change. And the concept of a wallet from a workforce perspective, is going to be something that is going to be much more common. What do we call it? I don't know if it's going to be called a wallet in the workforce perspective, but that concept is certainly something that's going to be more commonplace going forward, I think.

Mike Engle:
Yeah. So if we have time at the end, we'll show an example of a wallet being used to onboard a new hire. It's pretty cool. But first, let's talk about, we're showing this new stuff and scanning, and we talked about liveness. And that liveness is the compensating control for these different types of attack vectors. So social engineering, that's what Scattered Spider's using, and they can call the help desk now and pretend to be you. And this has really been around for a long time, they're just getting really good at it.

Robert MacDonald:
Really good at it.

Mike Engle:
And now you can fake somebody's voice, or their video, as we heard about with the $25 million Zoom CFO wire money scam that happened a couple months back. So that's going to happen more and more. You're seeing political campaigns with fake politicians, globally, it's becoming a real issue. How many fake Elon Musk videos are there, and Tom Cruise videos? So what we can do now, is to mitigate print and injection attacks, what's the difference, Rob, between a print and an injection attack?

Robert MacDonald:
So print is just as it sounds, you get a high-res image off the internet somewhere. You print it on a very good printer, and you use it as the presentation for as being the user. The injection is obviously a little bit, or not a little bit, it's a lot more sophisticated. You're going to find that same, you're going to use that same high-res image though, but you're going to use that image to create a video, and then you're going to inject that into the stream, and present it as a liveness check. So the user looks like they're actually there, and I think that you're going to show us what that looks like in a second, right?

Mike Engle:
Yeah, I was hoping you'd ask. So yeah, the print, or it's often called a presentation attack, and PAD, P-A-D, Presentation Attack Detection, is one of the key technologies that we employ to try to stop those fake, holding up a document, or a fake picture. And then the injection attacks, you can just shimmy the video right into many different types of systems.

People go as far as to take their phones apart, like an Android, and put a different type of camera in, and be able to inject stuff in there. And this is what that looks like. So here's a deep fake demo video, where I'm employing a pretty off-the-shelf piece of software to become three people. So this is me becoming Jude Law, back to normal. Press the button on Tom Cruise. Not too bad, I just don't have that smile. I'm jealous of his smile and the hair, of course, my God. And then John Krasinski from Jack Ryan on the Amazon show, the books. So press a button and my face features have changed, that could bypass automated checks. Or I'm doing a video call with somebody, so that's the poor man's demo. I'm sure the bad actors have really sophisticated equipment to be able to simulate these things.

Robert MacDonald:
Yeah, it's kind of scary when you look at it that way, right? But there are certainly things that can be done to help prevent that. And one of the reasons why we're showing that, I know we started with Scattered Spider and with the help desk, but this just shows what's coming next, and how you can be prepared for it going forward. And it goes back to a lot of this identity verification stuff that you talked about two or three slides ago, right?

Mike Engle:
That's right. So two things to wrap up. Let's see, we've got another question here, let's see if it's a good one. Can we use advanced AI/ML to catch fraudsters versus legit? Absolutely. It is. The bad guys, or girls, or non-gender, are using all these sophisticated machine learning, or AI-generating video to attack. You could probably go to some GPT engines now, and say, "Make me a California driver's license. Here's my picture," just put it all together for you. So we need to have compensating controls that are on par with that, and we do. So some of the things we'll look for on that demo of Jude, Tom, and John here, are the artifacts of the images coming together. So that's one piece of the puzzle. We can detect that the camera is a virtual camera, not a real USB device, or you can only allow certain types of USB devices as well. So yeah, there's a bunch of AI and ML behind the scenes, and a whole bunch of patents that go into this arms race that we're in today. We talked a bit... Go ahead, Rob.

Robert MacDonald:
I was going to say, yeah, there's another one there, we can answer right quick as well. Samuel, again. Thank you, Samuel. How long does it take to do the process for a help desk caller? And I'd mention that just really quickly, when we showed that. It takes in and around 44 seconds, Samuel, give or take. Again, we coach the user as we're going through it, in case there's glare and things along those lines, but it's certainly less than 60 seconds start to finish.

Mike Engle:
Yeah. And of course, there's a little bit of, it depends. Some people, like I can get through it in 20 seconds because I'm a pro now, right?

Robert MacDonald:
Yeah.

Mike Engle:
But grandma, it might take her two, three minutes. If you're hiring grandma at your company, and she is not that adept with the phone. And we have some other tools that can help, so we have a staffed call center that can augment the automated process. So we call that supervised remote. And so if you do have a proofing process that fails for new hires, or et cetera, we can put those types of controls in place, and have that backup option as well, so you don't have to have too painful of an exception process.

So the last thing, so we talked about a couple of options for account recovery. What did we do? Well, we scanned a driver's license, but we also support a bunch of other options, where if you can reach out to the user and ask them for their FIDO passkey. FIDO is all the rage these days. So we can reach out to the user, and ask them to present a known authentication mechanism that they might have on a secondary device. And this biometric hash is a real game changer. So if you've gone through a modern airport recently, you've probably just looked into a camera and gotten on a plane, that is what we can do for remote callers as well. So lots of different options for verifying users, or onboarding, et cetera. And it's for recovering, or using a wallet, so the biometrics are a real enabler when it comes down to a wallet.

Robert MacDonald:
One of the questions earlier, Mike, as well, was about data storage, and that the bad guys are getting in and getting some of these documents. The very right-sided box there, is the blockchain file system, which is something that we leverage. Do you want to talk a little bit about how we ensure that data that is captured and stored in a wallet, is secured, and not really accessible by anybody else but the user?

Mike Engle:
Yeah, so there's multiple types of wallets. There's one that lives just on your phone, so we support that. Lose your phone, you might lose your wallet, that's one of the challenges of it. Is it possible to have a wallet without a phone? Well, there is, it's called a hosted wallet. And so what we can do, is this is basically a distributed ledger, or blockchain-based file system. And imagine that your data is kept super secret, safe, and this is a private system. It's not like on some public Ethereum, or whatever, Tezos blockchain, but it's private. And then inside of it, imagine if we use one of these encryption options then, to take your identity data, encrypt it, and then put it here. And then tomorrow you come back, and as long as you can reproduce one of these decryption factors, you could get your wallet, and go transmit it to the requesting party with your permission. So this is happening today.

Your bank hosts all of your data for you. It's hosted already, and the government is hosting lots of your data. We just, instead of it being protected with a username, password, in some monster database where all your data is today, we're putting you in control of it by giving you the encryption key that keeps it all super secure here. And this is a really powerful option. So now, let's say I need to verify my identity a second time. I don't have my phone. I can just look into the camera, decrypt my data, and send it. And so it could be as simple as something like this where, "Hey, this is the verification portal. Click this button, engage with the system, do a biometric, here's your decryption key," and boom, your data with permission. I said, "Yes," on the consent screen, my data is decrypted and sent over to the requesting party.

And of course, it doesn't have to be all of this data, but it could just be a yes or no. Is this Mike, yes or no? It's been verified. So this is the concept of a wallet that's reusable, and can be plugged into any part of an IT operation for customers, for employees, citizens, it doesn't matter.

Robert MacDonald:
Yeah. I mean, I guess Mike, even from a help desk perspective... So we talked about wallets coming to an organization near you, not too far down the line in a lot of cases. So if we have a wallet, and I call the help desk, or the service desk, I'm assuming I wouldn't have to go through then, all of those processes of scanning driver's licenses, and all that kind of stuff.

Mike Engle:
That's right.

Robert MacDonald:
They could probably just send me a link that would then access the wallet, would say, "Yeah, that's Rob," and we're off and running.

Mike Engle:
Exactly, exactly. Yeah. As long as you have one of those, call it decryption factors, it's as simple as presenting it, and you're on your way. So I think we've gotten all the questions. We kind of answered them in real-time.

Robert MacDonald:
Yeah.

Mike Engle:
And with that, I think we're going to say we've done it. We got about 15 minutes to the top of the hour here, and enough time for everybody to grab a break between meetings. We don't seem to get those anymore these days, do we?

Robert MacDonald:
No, we do not. We do not. I got a question for you, Mike, and I'm sure everybody's probably wondering it. From an integration standpoint, is this difficult to put in place?

Mike Engle:
It is not a heavy lift. And because these are loosely-coupled features, so let's say you want to do one, two, three, or all of these steps, it's really as simple as accessing a URL. So for one of our clients, they got attacked by Scattered Spider. We were in the early stages of working with them, and of course things got escalated quite quickly. They're like, "We really need your help now." So we dropped this remote caller verification process in, in less than a week in testing, and up and running. And so the hardest part then, is just teaching the help desk how to use it. It's the human side that typically takes longer than the technology side, when we deploy these types of features.

And similarly, for user onboarding, imagine if you're in procurement or accounts payable, there's one of the biggest attacks for business email compromise is, "Hey, this is my new routing number, send the $100,000 check over here." Well, imagine if you presented a verified identity before you did that, and if you made that part of your process. Imagine if before a Zoom starts, you have a green check mark that says, "This person's been digitally verified." You don't even have to have their video on. They have possession of that credential, and that's the type of thing we like to do with the least amount of friction.

Robert MacDonald:
Yeah. And so much power in knowing who that user is on the other side of that connection, and being able to prove that that user's legitimate. And that's really what we bring to the table, and that's where the world is going, which is exciting.

Mike Engle:
Yeah, I predict that by the beginning of next year, organizations will expect a green check mark in the Zoom window, or in the Teams window, that says verified. So I will be powering that, we already have the hooks for it, so hopefully, that'll start getting adopted.

Robert MacDonald:
Well, that'll be cool. It'll be better than just paying for a green check mark, because that doesn't prove anything, just that you have money. So yeah, very exciting stuff. Mike, thanks a lot. Appreciated it as always. And thank you to everybody that came along for the ride today. Hopefully, you learn something today, and if you have any questions, as always, you can either reach out to our friends at Carahsoft, or ourselves, and we'll be more than happy to answer any questions for you.

Mike Engle:
Thank you so much.

Robert MacDonald:
Thanks.

Abby Stephens:
Awesome. Well, thank you again everyone, for your participation. I want to thank all of our participants for joining us today. We hope that you found this webcast informative and helpful to you in your organization. And I'm just going to take the screen back over real quick. Please take a moment to answer the questions that will appear on your browser after the webinar. We appreciate your feedback. For those who met the CP requirements today, you'll receive your certificate of completion within a few weeks. If you have any further questions, or would like to request more information, please feel free to contact us. Our contact information is currently being displayed on the screen, so please don't hesitate to call us or email us.

And finally, in the next day or two, we'll be emailing you all a link to an archived version of this webcast, along with a few additional resources, so you can either review it or pass it on to a colleague. Thank you all again for joining.

Mike Engle
CSO
1Kosmos

The Scattered Spider attack on MGM, Caesars Entertainment, Visa, PNC, Transamerica and many others represented a significant breach in cybersecurity measures, disrupting the company’s services and jeopardizing customer data, all from a call into the helpdesk. The breach illustrated an identity gap in identity and access management, highlighting the significance of Caller ID Verification in fortifying helpdesk security protocols.

This attack has shown the impact of an inability to accurately verify the identity of a caller when resetting or updating a credential. The resulting breach illustrated the intricacies of caller authentication and its pivotal role in mitigating risks. Join 1Kosmos as they highlight the vulnerabilities of the exploit within helpdesk and call center operations, underscoring the urgent need for proactive caller identity verification.

During this webinar, 1Kosmos CSO Mike Engle examined identity based Caller ID Verification protocols, coupled with real-world case studies, strategic insights, and invaluable perspectives on fortifying organizational defenses against this evolving cyber threat.

By watching, you will learn:

  • The challenges posed by identity fraud
  • Real-world scenarios and industry best practices
  • How to fortify helpdesk security protocols
  • How to verify remote callers to safeguard helpdesks and call centers