Protecting Your Account from Social Engineering
LuxSci adds new technologies to protect your account from social engineering during support phone calls and chats.
One of the biggest threats to your company’s security is human error. Phishing attacks, where people send email messages purporting to be from trusted sites and users click on them and give away information, are the biggest threat. But what about social engineering?
Time and again at LuxSci we find people chatting in or calling in, trying to get access to information or to execute commands on accounts without proper authorization. This is a big problem. We have passwords and we have two-factor identification, all these steps in place. But what happens when someone calls in a hurry, complaining that they’re losing millions of dollars a day because they have a problem? You have to take extreme measures to verify these people for their own good. They don’t like it, but you have to.
We see that many companies take a short road here. They don’t do a lot to verify people. At most they ask a security question and then move on. This is really dangerous. If you have mobile-based two-factor identification with Google Authenticator and strong passwords, but someone can get in just by guessing your company name, that doesn’t really provide you a lot of protection. This is one reason, for example, that we don’t allow accounts to be closed unless we get really strong authorization from an account administrator. How would you like someone to call in and have your account closed on you just because they knew your mother’s maiden name?
LuxSci has made some recent changes to further bolster our security protections for your account. From now on, when people call in or chat in, they have to not only answer a security question but also prove, using a second factor, that they really are who they say they are. We can send a token to your phone. We can use Google Authenticator. We can call you on a registered phone number. We can do all of these things to prove that you are who you are, beyond merely a security answer, which can be fairly weak if you haven’t taken pains to make sure you have a good question. The best way that we have is for you to log in, go to a specific page, and read us the six-digit code shown there. This proves not only that you are who you are but also that you’ve logged in and have full authorization on the account based upon all of your normal login procedures.
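A login-bound six-digit code of the kind described above could work along these lines. This is an added illustration, not LuxSci’s code; the class name, the five-minute lifetime and the three-attempt limit are assumptions the page does not state.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the page does not state one
MAX_ATTEMPTS = 3        # assumed limit on wrong guesses per issued code


class CallerVerifier:
    """Issues a six-digit code to a logged-in session and checks it when read to an agent."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account_id):
        """Call only from a page that sits behind the full login flow."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
        salt = secrets.token_bytes(16)
        self._pending[account_id] = [salt, self._digest(salt, code),
                                     self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # displayed to the user; only the salted digest is stored

    def verify(self, account_id, spoken_code):
        """Agent-side check of the code the caller reads out."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False  # nobody has logged in and requested a code
        salt, digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[account_id]
            return False
        # Callers often read codes as "123 456"; keep digits only.
        cleaned = "".join(ch for ch in spoken_code if ch.isdigit())
        if hmac.compare_digest(digest, self._digest(salt, cleaned)):
            del self._pending[account_id]  # single use: cannot be replayed
            return True
        entry[3] -= 1
        if entry[3] <= 0:
            del self._pending[account_id]  # too many misses: log in again
        return False
```

Because a code exists only after `issue` runs inside an authenticated session, a caller who knows nothing but a security answer has nothing to read out, and the attempt limit keeps guessing the six digits impractical within one call.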
LuxSci has also gone further. Many times customers like to authorize other people, who aren’t really users in their account, for certain actions, like “Mary in billing should be able to call and ask questions about my invoices whenever she needs to.” But Mary’s not a user on the account. They don’t want Mary to know the password. They don’t want Mary to have any access to stuff except billing. What should you do in this case?
LuxSci has a system. We register Mary as a name. We give Mary her own passcode, and we even allow you to set up Mary with a second factor via her phone or Google Authenticator to really lock down that she is who she says she is. The second factor is optional, but if that’s important for your security, we’ll take it into account and make sure that nobody except Mary gets the right information.
Here at LuxSci the integrity of your account and the security of your data are highly important to us. We make “verify first, ask questions later” our priority.