I used to watch videos from social engineers like Jayson Street [0] and think "Is it really that easy to break into serious firms with social engineering?" and then the below happened:
- COVID lockdown and I can't access my internal PC from home.
- Call the help desk line and say "Hi, it's <ME> and I can't log in. Btw, there is another person at the firm named <ME> (which was true) but that's not me HA HA."
- Help Desk removes 2FA
- Still doesn't work, so I call back and reference the first call.
- Help Desk removes IP restriction
- This keeps happening (can't log in, Help Desk removes something) until basically I can log in with no password or 2FA (which it did, temporarily).
AT NO POINT did someone ask me for a document/challenge/manager name to verify who I was.
Just being myself and knowing a couple of pieces of info that were easily searchable on LinkedIn, and I was in.
Scary stuff and a reminder that ALL of these systems are a lot easier to break into than many of us realize.