[unisog] Supplying Account Names to Students

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Sep 26 20:46:08 GMT 2002


On Thu, 26 Sep 2002 14:49:56 EDT, Gary Flynn <flynngn at jmu.edu>  said:
> How can they find out? If they're not on campus?

And equally important, what defenses do you use against social engineering
attacks? (i.e. make them show up with a picture ID, refuse to do password
changes over the phone, etc?) (And no, you don't need to share if you don't
want to say - but you *should* think "what do we do to make sure that the
person is who they say they are?" - and remember that things like their SSN
are probably a *lot* easier to get than you think.  I'm willing to bet that
walking through the gym locker room will find at least a few lockers that
contain wallets without benefit of padlocks - you now have a name and a
driver's license number (and in some states that's also the SSN by default).)

A shocking number of organizations don't bother doing ANY verification...
-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
