RE: How to authentificate an user via telephon?

["Champion, Steve" <SChampion () tmh tmc edu>]

Your speaking about social engineering.

Makeing sure that the person on the phone is who they say they are.

An idea we had was to put up inexpensive computers in key locations and to
put inexpensive cameras on these systems.   

So when a person called to get their password reset, that person would go
the the password station, the helpdesk person would see the person is who
they say they are, then reset the password..

It could be a cheap system too, an old PC running windows, and a cheap $40
web-camera from CompUSA and walla!

Thank You
Steve Champion
Sr. Security Analyst
Methodist Health Care Systems
schampion () tmh tmc edu


-----Original Message-----
From: Robert Sieber [mailto:rsieber () web de]
Sent: Tuesday, December 03, 2002 12:50 PM
To: security-basics () lists securityfocus com
Subject: How to authentificate an user via telephon?


Hello colleauges,

imaging the following situation:

User calls the helpdesk to reset/alter some kind
of account-password (NT, RAS, PKI-PIN ...) and you 
has to determin wheter the user is the correct 
(owner of the account) user. What would you do
to authentificate the users identity?

What are good methodes to do this? It should be
easy for the user but secure for the administration.


Robert

-- 
http://board.protecus.de - Firewalls, Security and more ...