
The 1983 movie WarGames taught us that “Back doors are not secrets!” This remains true today, as many previously undocumented or secondary access methods are regularly uncovered and disclosed. These hidden access types can range from hard-coded credentials to authentication bypasses. While the issues often stem from exploits or poor coding practices, sometimes they are simply overlooked features or access points that haven’t undergone a full security review.
Recently, we’ve seen a significant increase in voice and phone-based attacks. Attackers target these system types because many organizations allow entry using methods that bypass traditional authentication controls. For example:
- A particularly vulnerable area is helpdesks that can issue multi-factor authentication (MFA) bypass codes. Attackers use text-to-voice engines to engage in full conversations with support staff, aiming to obtain temporary authentication methods to gain unauthorized access to a user’s data or company systems.
- Interactive Voice Response (IVR) systems, designed for automation and self-service, are also being targeted. Weak authentication or validation methods, such as easily researchable data (e.g., birthdays, security questions) or leaked information (e.g., social security numbers), make these systems susceptible to attacks. Without additional forms of verification such as MFA or text message verification, these systems can allow unauthorized access and actions. With a lower chance of detection, these attacks often go unnoticed for significant periods.
Organizations can take steps to reduce the success rates of these attacks:
- Reinforce Authentication Methods: Ensure that secondary authentication methods are in use for user verification. For example, use registered phone numbers or MFA for caller verification.
- Verify New Devices: For users with new phones or without enrollment in MFA, conduct video or in-person verification sessions. In larger organizations, requesting a valid ID may also be necessary. If there is a phone number on file, send verification codes via text message to confirm the user’s identity.
- Test Security Verification Practices: Each authentication point (e.g., web, IVR, chat) should be reviewed by security professionals to assess the security of the verification methods in place.
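The three steps above amount to a decision rule a helpdesk or IVR should apply before it hands out anything sensitive such as an MFA bypass code. The following is an added example, not code from the original post or its authors, that encodes that rule as a small policy check: knowledge-based answers (birthdays, security questions) are never sufficient on their own; a code sent to the registered phone or an approved MFA push authorizes the action; a user with no registered phone and no MFA enrollment must go through a video or in-person session, with an ID check where the organization's policy calls for one. The evidence names, record fields and the `large_org` flag are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Evidence(Enum):
    """Kinds of verification a helpdesk agent can record for a caller (hypothetical names)."""
    OTP_TO_REGISTERED_PHONE = "otp_to_registered_phone"  # text code sent to the number on file
    MFA_PUSH_APPROVED = "mfa_push_approved"              # caller approved a push on an enrolled device
    VIDEO_VERIFICATION = "video_verification"
    IN_PERSON_VERIFICATION = "in_person_verification"
    GOVERNMENT_ID_CHECKED = "government_id_checked"
    KNOWLEDGE_ANSWERS = "knowledge_answers"              # birthday, security questions: weak, researchable


# A factor that proves control of something already registered to the account.
STRONG_REMOTE = {Evidence.OTP_TO_REGISTERED_PHONE, Evidence.MFA_PUSH_APPROVED}
# A live identity session for callers who have nothing registered (new phone, no MFA).
IDENTITY_SESSION = {Evidence.VIDEO_VERIFICATION, Evidence.IN_PERSON_VERIFICATION}


@dataclass(frozen=True)
class UserRecord:
    username: str
    registered_phone: Optional[str]  # None when no number is on file
    mfa_enrolled: bool


@dataclass(frozen=True)
class HelpdeskRequest:
    user: UserRecord
    action: str            # e.g. "mfa_bypass_code", "password_reset"
    evidence: Set[Evidence]
    large_org: bool = False  # assumed policy flag: require a valid ID in identity sessions


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: HelpdeskRequest) -> Decision:
    """Decide whether the agent may carry out the requested action for this caller."""
    ev = req.evidence

    # Researchable or leaked data never authorizes anything by itself.
    if ev and ev <= {Evidence.KNOWLEDGE_ANSWERS}:
        return Decision(False, "knowledge-based answers alone do not verify the caller")

    # Evidence must be consistent with the account record; a code 'sent to the registered
    # phone' for an account with no phone on file means the agent used a caller-supplied number.
    if Evidence.OTP_TO_REGISTERED_PHONE in ev and req.user.registered_phone is None:
        return Decision(False, "no registered phone on file; a code sent elsewhere does not count")
    if Evidence.MFA_PUSH_APPROVED in ev and not req.user.mfa_enrolled:
        return Decision(False, "user is not enrolled in MFA; push approval cannot have come from the account")

    if ev & STRONG_REMOTE:
        return Decision(True, "verified through a factor registered to the account")

    has_remote_channel = req.user.registered_phone is not None or req.user.mfa_enrolled
    if not (ev & IDENTITY_SESSION):
        if has_remote_channel:
            return Decision(False, "send a code to the registered phone or use an MFA push first")
        return Decision(False, "nothing registered to verify against; video or in-person session required")

    if req.large_org and Evidence.GOVERNMENT_ID_CHECKED not in ev:
        return Decision(False, "policy requires a valid ID check during the identity session")

    return Decision(True, "verified in a video or in-person session")


def audit_line(req: HelpdeskRequest, decision: Decision) -> str:
    """One log line per decision so verification bypasses can be reviewed later."""
    kinds = ",".join(sorted(e.value for e in req.evidence)) or "none"
    verdict = "ALLOW" if decision.allowed else "DENY"
    return f"helpdesk action={req.action} user={req.user.username} evidence={kinds} {verdict}: {decision.reason}"


if __name__ == "__main__":
    # Constructed sample callers: one with a phone on file, one with nothing registered.
    alice = UserRecord("alice", registered_phone="+15550100", mfa_enrolled=True)
    bob = UserRecord("bob", registered_phone=None, mfa_enrolled=False)
    samples = [
        HelpdeskRequest(alice, "mfa_bypass_code", {Evidence.KNOWLEDGE_ANSWERS}),
        HelpdeskRequest(alice, "mfa_bypass_code", {Evidence.OTP_TO_REGISTERED_PHONE}),
        HelpdeskRequest(bob, "mfa_bypass_code", {Evidence.VIDEO_VERIFICATION}, large_org=True),
        HelpdeskRequest(bob, "mfa_bypass_code", {Evidence.VIDEO_VERIFICATION, Evidence.GOVERNMENT_ID_CHECKED}, large_org=True),
    ]
    for r in samples:
        print(audit_line(r, evaluate(r)))
```

The consistency checks matter as much as the allow rules: the common failure is an agent sending the code to a number the caller reads out rather than the one on file, and the record-versus-evidence comparison is what catches that.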
By focusing on securing secondary access points with the same rigor as primary access points, institutions can significantly reduce the risk of unauthorized access. Not sure about your current security verification processes? Contact us; we can help.
