[unisog] Supplying Account Names to Students

Peter Van Epp vanepp at sfu.ca
Thu Sep 26 23:32:26 GMT 2002


	I expect that given (for instance) a student number we would tell them
their ID by phone. The account management system and the portal are set up
to also record a series of challenge response pairs which an authorized person
(one of the Computing Center directors) can decide to use by phone to verify
an ID and issue a new password.  Another one we have done is issue a
new password to an administrator or faculty member in the department where the
person is a student/works and make the person contact the administrator or
faculty member who can identify them by voice to get the new password (this
has an obvious security problem and is thus rare). This too needs the approval
of one of the directors.
	The general case to any of: too many attempts to create an account via
the portal, making me suspicious that the account is being shared or
compromised or a variety of other sins and omissions, is that the account will
be disabled (or in more serious cases locked) in the account management system.
For a disabled account they need to appear in person with picture ID at one of
our outlets (we have someone on all campuses) to get a new password set. In
the case of a locked account (which is usually cracking outwards from our
systems) the user needs to make an in person appointment and convince one of
the computing center directors to return the account (or it can go to formal
proceedings at either party's request and sometimes has).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> On Thu, 26 Sep 2002 14:49:56 EDT, Gary Flynn <flynngn at jmu.edu>  said:
> > How can they find out? If they're not on campus?
> 
> And equally important, what defenses do you use against social engineering
> attacks? (i.e. make them show up with a picture ID, refuse to do password
> changes over the phone, etc?) (And no, you don't need to share if you don't
> want to say - but you *should* think "what do we do to make sure that the
> person is who they say they are?" - and remember that things like their SSN
> are probably a *lot* easier to get than you think.  I'm willing to bet that
> walking through the gym locker room will find at least a few lockers that
> contain wallets without benefit of padlocks - you now have a name and a
> driver's license number (and in some states that's also the SSN by default).
> 
> A shocking number of organizations don't bother doing ANY verification...
> -- 
> 				Valdis Kletnieks
> 				Computer Systems Senior Engineer
> 				Virginia Tech