- Send an e-mail to the ICT helpdesk, asking for the password for ALBERTE to be reset. Use any e-mail account whatsoever to send this message! The reason that ICT-help will not find this unusual at all is that they only accept password reset requests by e-mail. Since the lame network of Big U requires passwords to be changed on a monthly basis, they get a lot of requests for resets, and ALL of these requests originate from some e-mail address other than the one whose password they have to reset, of course. They apparently cannot require that these requests originate from the user's own e-mail address because either (i) they haven't thought of it; or (ii) most users don't have a separate e-mail password or have never used a computer other than their own.
- Wait a few minutes for the reset password - often "password" - to arrive.
- Log in to the victim's user account. If they have no separate e-mail password, this will probably give you access to their e-mail as well.
- Don't worry. The victim does not receive a copy of the password reset request or of the reset password. The next time they log on, they will probably assume that they have forgotten their brand new password from last week and request a new one. This behaviour will confirm ICT-help's conviction that the user ALBERTE is an idiot and that they should keep on doling out reset passwords.
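As an added illustration, not part of the original post, here is what the helpdesk's intake step would look like with the three controls the post says Big U lacks: the request has to come from the address of record for the account, the owner is told about every attempt (honoured or not), and an accepted request gets a random one-time password instead of "password". The directory, the `bigu.example` addresses and the function names are all constructed for this example.

```python
"""Password-reset intake with the checks the Big U helpdesk is missing."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed account directory: username -> e-mail address of record.
# At Big U the username *is* the public e-mail ID, so knowing it proves nothing.
DIRECTORY: Dict[str, str] = {
    "ALBERTE": "alberte@bigu.example",  # constructed sample address
}

TEMP_PASSWORD_LENGTH = 16
ALPHABET = string.ascii_letters + string.digits


@dataclass
class ResetOutcome:
    accepted: bool
    reason: str
    temp_password: Optional[str] = None                   # only set when accepted
    notifications: List[str] = field(default_factory=list)  # who gets told


def generate_temp_password(length: int = TEMP_PASSWORD_LENGTH) -> str:
    """Random one-time password; never a guessable constant like 'password'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def handle_reset_request(username: str, sender: str,
                         directory: Dict[str, str] = DIRECTORY) -> ResetOutcome:
    """Decide whether an e-mailed reset request for `username` is honoured.

    Three controls, each closing a hole the post describes:
      1. the request must come from the address of record for that account;
      2. the owner is notified of every attempt, honoured or not, so a
         takeover no longer goes unnoticed;
      3. an accepted request gets a random one-time password.
    """
    address_of_record = directory.get(username.upper())
    if address_of_record is None:
        # No such account: nothing to reset and nobody to warn.
        return ResetOutcome(False, "unknown account")

    if sender.strip().lower() != address_of_record.lower():
        # Request from somewhere else: refuse, but tell the real owner.
        return ResetOutcome(False, "sender is not the address of record",
                            notifications=[address_of_record])

    return ResetOutcome(True, "reset issued",
                        temp_password=generate_temp_password(),
                        notifications=[address_of_record])


if __name__ == "__main__":
    # Constructed requests: one from an outsider, one from the account owner.
    for who in ("outsider@elsewhere.example", "Alberte@BigU.example"):
        outcome = handle_reset_request("ALBERTE", who)
        print(f"{who:30} accepted={outcome.accepted} reason={outcome.reason} "
              f"notify={outcome.notifications}")
```

The sender check is only as strong as the mail system behind it: a `From:` header is trivially forged, so on its own it would merely raise the bar from "any address" to "an address that looks like the owner's". The control that actually limits the damage is the notification to the address of record on every attempt, which is exactly what the post says the victim never receives.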
[Apologies to Neal Stephenson for hijacking the title of his first published novel, The Big U.]
Useful links:
http://en.wikipedia.org/wiki/Social_engineering_%28security%29
http://en.wikipedia.org/wiki/The_Big_U
1 comment:
Needless to say, the reason why this "attack" is so obvious and easy is that the username (being the e-mail ID) is absolutely public knowledge. The problem with this can hardly be over-emphasised.