Information Age: News, analysis & insight for IT & business leaders

Exploiting the human weak point

14 November 2011  

Author and consultant Ian Mann explains how he got the better of a SaaS provider's security precautions by outsmarting its customer support agents

When IT professionals talk about the security of cloud computing, they usually refer to the vulnerability of a given system to hacking or malware infection. But cloud services are run by human beings, and as such they are as susceptible to the powers of persuasion as any business.

Ian Mann, a security consultant for ECSC and author of Hacking the Human, was recently hired by a software-as-a-service provider to see if he could penetrate its system. He chose to do this by exploiting the customer support helpline to gain administrator access to the SaaS system.

Pretending to be a senior employee at one of the SaaS provider’s customers, Mann timed numerous calls to the helpline to ensure that he would get a different customer support agent every time. His strategy was to persuade each successive agent to give him more and more information about how to access the system, on the basis that each one would assume he must be legitimate given that he had got that far.

The technique worked, Mann says. “At no point did I authenticate at all. Once I got to a certain point, the customer service people just assumed that I must have authenticated to get that far.”

What this proves, he says, is that strict security procedures are in fact less secure than flexible controls. “From a social engineering perspective, strict security protocols are not as good as flexible ones – once you’ve broken them they are defenceless.”

So if human agents are a weak point, does that mean that cloud services that offer less human IT support are more secure? Not necessarily, says Mann, because if the volume of customer support calls is low, then the security procedures that call centre operatives must follow are likely to be simplistic and therefore easily exploited. 

