Customer support tools as a breach vector
Okta, Twitter, T-Mobile and AT&T all had major breaches via the elevated access their support teams have. What lessons can we take from them?
With engineering and IT often getting most of our attention, customer support teams are easy to overlook, even though they interface directly with both users and sensitive internal systems.
Regular syncs between security and CS teams are foundational to building the trust that’s a prerequisite for sharing problems. The people on the front line are often painfully aware of potential issues that have been long overlooked - places where tools could be exploited or where processes fall apart. Build relationships here and you’ll find a wealth of issues you can help them address to improve security.
Support tools themselves are often built to solve an immediate problem, growing organically from there without the product, engineering and security oversight common to the other parts of your platform. Because of this, the level of access and associated audit logging can contain gaps you aren’t aware of and wouldn’t allow elsewhere. Have the team walk you through the flows and do some threat modeling, taking into account the possibility of compromised accounts.
Some others:
Strong authentication - Sorry for being a broken record here - you need unphishable MFA like passkeys. We’ve seen over and over that it’s far too easy for a mildly determined adversary to trick a user into giving up their MFA credentials.
Session tracking - When someone working from their treehouse in Costa Rica suddenly shows up in an upscale suburb east of Moscow, forced re-authentication is a very strong protection against session hijacking / cookie theft.
Tying account access to active tickets - This takes a bit more work, but privileged access management that only grants access to a customer account while the agent has an active ticket for it can greatly reduce the blast radius of a compromised account.
Audit logging and anomaly alerting - Having a forensic record of what was done also lets you alert on unusual activity, such as broad, rapid access to many accounts or access to accounts for which there are no active support tickets.
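To make the session-tracking, ticket-bound access and audit/alerting items above concrete, here is an added example (not code from the original post or from any of the companies mentioned): a toy access gate for a support tool, driven by constructed in-memory data. Every name in it (agents alice and bob, tickets T-1 to T-9, customers cust-N, country codes, the thresholds) is an assumption made for the demo; a real deployment would resolve countries from the request IP upstream and tune the thresholds to the team's actual workload.

```python
"""Added example: a support-tool access gate that applies three controls.
  1. Session tracking: a session seen from a different country than it was
     created in is forced to re-authenticate before any further access.
  2. Ticket-bound access: an agent may open a customer record only while an
     open ticket assigned to them concerns that customer.
  3. Audit logging and anomaly alerting: every decision is logged, and an
     alert fires when one agent opens many distinct accounts in a short window.
All agents, tickets, customers and thresholds below are constructed sample values."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

RAPID_ACCESS_LIMIT = 5     # this many distinct customer accounts ...
RAPID_ACCESS_WINDOW = 300  # ... within this many seconds raises an alert (assumed values)


@dataclass
class Session:
    agent: str
    country: str                  # country the session was created from (resolved upstream)
    reauth_required: bool = False


@dataclass
class SupportGate:
    open_tickets: dict            # ticket_id -> (assigned agent, customer the ticket is about)
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    _recent: dict = field(default_factory=lambda: defaultdict(deque))  # agent -> (ts, customer)

    def _audit(self, ts, agent, customer, decision, reason):
        entry = {"ts": ts, "agent": agent, "customer": customer,
                 "decision": decision, "reason": reason}
        self.audit_log.append(entry)
        return entry

    def ticket_for(self, agent, customer):
        """Return the open ticket that entitles `agent` to touch `customer`, or None."""
        for ticket_id, (assignee, subject) in self.open_tickets.items():
            if assignee == agent and subject == customer:
                return ticket_id
        return None

    def reauthenticate(self, session, country):
        """Called only after the agent completes a fresh (phishing-resistant) MFA login."""
        session.country = country
        session.reauth_required = False

    def access_customer(self, ts, session, country, customer):
        """Decide whether `session`, now requesting from `country`, may open `customer`."""
        agent = session.agent
        # Control 1: a session that moves between countries is treated as possibly
        # hijacked; it stays locked until reauthenticate() is called.
        if country != session.country:
            session.reauth_required = True
        if session.reauth_required:
            self._audit(ts, agent, customer, "deny",
                        f"re-auth required (session from {session.country}, request from {country})")
            return False
        # Control 2: no open ticket for this customer means no access, and the
        # attempt itself is worth an alert, not just a log line.
        ticket = self.ticket_for(agent, customer)
        if ticket is None:
            self._audit(ts, agent, customer, "deny", "no open ticket for this customer")
            self.alerts.append(f"{agent} attempted access to {customer} with no open ticket")
            return False
        self._audit(ts, agent, customer, "allow", f"ticket {ticket}")
        # Control 3: even ticket-backed access is anomalous when it sweeps many
        # accounts quickly, so keep a sliding window per agent over the audit trail.
        window = self._recent[agent]
        window.append((ts, customer))
        while window and ts - window[0][0] > RAPID_ACCESS_WINDOW:
            window.popleft()
        distinct = {c for _, c in window}
        if len(distinct) >= RAPID_ACCESS_LIMIT:
            self.alerts.append(
                f"{agent} opened {len(distinct)} distinct accounts within {RAPID_ACCESS_WINDOW}s")
        return True


def demo():
    """Run the gate over a constructed event sequence; return (decisions, alerts, audit log)."""
    tickets = {f"T-{i}": ("alice", f"cust-{i}") for i in range(1, 7)}  # alice: six open tickets
    tickets["T-9"] = ("bob", "cust-42")
    gate = SupportGate(open_tickets=tickets)
    alice = Session(agent="alice", country="CR")
    bob = Session(agent="bob", country="US")
    decisions = [
        gate.access_customer(0, alice, "CR", "cust-1"),    # allowed: ticket T-1
        gate.access_customer(5, alice, "CR", "cust-42"),   # denied: cust-42 is bob's ticket
        gate.access_customer(10, alice, "RU", "cust-2"),   # denied: session moved CR -> RU
        gate.access_customer(15, alice, "RU", "cust-2"),   # still denied until re-auth
    ]
    gate.reauthenticate(alice, "CR")                       # real alice completes MFA again
    for i, n in enumerate(range(2, 6)):                    # four more accounts in seconds
        decisions.append(gate.access_customer(20 + i, alice, "CR", f"cust-{n}"))
    decisions.append(gate.access_customer(100, bob, "US", "cust-42"))  # allowed: T-9
    return decisions, gate.alerts, gate.audit_log


if __name__ == "__main__":
    decisions, alerts, log = demo()
    print("decisions:", decisions)
    for a in alerts:
        print("ALERT:", a)
    for e in log:
        print(e)
```

The ordering matters: the re-authentication check runs before the ticket check so that a hijacked session learns nothing about which customers the agent is entitled to, and the sweep detector runs on allowed accesses because an agent with many legitimate tickets can still be a compromised account working through them.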
Support organizations often toil unseen, doing critical work requiring elevated access. Spending time getting to know the team, their processes and their tools is a worthwhile investment that will pay off many times over in actionable knowledge.
They’ll probably even work on your teams’ tickets a bit faster 😀