People are always going to be the weakest link in the security chain.
However, people in a service or support role are unique. Their job is to make things easy for the customer. They're not paid to judge and it's uncommon for them to be allowed to deny a customer request based on suspicion alone.
While awareness training can help, it isn't a perfect solution for those working in customer service, because regardless of their suspicions, most are bound to support the customer first and foremost.
Some organizations do empower employees to deny requests if they feel there is a security risk. At the same time, the process of denial requires considerable effort on the support employee's part. It's easier, and far less stressful, to simply make the customer happy and do as they ask within reason.
Resetting a username and password seems reasonable, provided the customer isn't being pushy and can justify a lack of information. That's what Mr. Troia did. He justified a lack of information by playing the frustrated executive.
"She asked me to verify the PIN, which I didn't have. She then asked me to verify the last four digits of the credit card used to purchase the domain, which I also didn't have. I explained to her that I'd asked my assistant to set up the domain for me," Mr. Troia said, continuing his explanation.
Mr. Troia told GoDaddy's support representative that his "assistant" had said he'd used a card ending in four random numbers. The numbers he gave the representative were made up on the spot. Naturally, those numbers were incorrect and that verification step failed. Adding to this, the support representative was told that the assistant didn't remember setting up a PIN.
"I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn't a problem. I was directed to a website where I could fill out a form and request access," Mr. Troia said.
If none of the account information is available during a reset request, GoDaddy will allow customers to use a change of account (or email) form.
This form requires that you provide a copy of a government-issued ID, such as a passport, military ID, or driver's license, in order to prove you're who you say you are. If the domain in question isn't a personal domain, then business information is required as well. The entire process is completed online, and full instructions are available here.
In order for the attack to work, Mr. Troia created a fake Gmail account, as well as a Google+ profile to match his version of Steve Ragan. The email account would be used for password resets. The social media account was simply there to give Troia's fake Steve Ragan a presence on the Web.