There is an article in the Summer 2016 issue of Security Smart about a security consultant who was hired to infiltrate a company’s buildings and networks to assess the effectiveness of its security procedures.
He walked in off the street and told the woman at the front desk that a ticket had been put in, and asked whether they had received an email notification that he would be there to do some migration work on the network. The undercover security consultant then asked her to log out and let him sit down at her desk. He plugged in a key logger, a device that covertly records the keys struck on a keyboard.
Then he asked her to log back in so that he could open a command prompt to test the connectivity. She did, and the key logger recorded her password. He told her that because he would have to ask her to do this a few times, he would like her to write down her password, and slid a Post-it stack and a pen over to her as if that were normal. She wrote down her password and slid it back to him while he clicked around, gaining access to network shares and several systems on the network.
The undercover security consultant asked her whether she ever worked from home, and she said that she could never get the VPN to connect. He told her that if she could explain how she was supposed to connect remotely to the network, he could try to reset some things for her while he was there. She did, and before long he had another gigabyte of data, domain credentials, an encryption key, and a tutorial on how to connect to the VPN.
The article says “Don’t be gullible. Always double-check an outsider’s story, especially when that person is claiming to need access to company equipment or sensitive information. It’s perfectly OK to take a minute to call and verify someone’s story and/or credentials, whether the person appears legitimate and sympathetic, or impatient and inconvenienced. And never, ever write down your passwords.”