So what can people and organisations do to ensure that they are neither susceptible to nor contributing to this sort of attack?
Evaluate your password recovery procedures, both the automated ones and those handled over your customer support lines. It should be difficult to reset a user's password: issuing a password reset should be the exception, not the rule.
Evaluate your administration trust chains. Ensure that you're not protecting valuable assets with lower-security systems, because the weakest link in the chain sets the security of everything that depends on it.
Evaluate your use of information for authentication. Examine which pieces of client information you rely on to prove identity, and who else holds them.
Are you using a credit card number as a means of authentication? A credit card is for making a purchase, not for authenticating a user, and other organisations that hold that number might not protect it as carefully as you do. Do you ask for someone's birthdate as a means of authentication?
Do you know how many people have their birthdate on their Facebook profile? It's not really information that only that person would know.
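To make the point concrete, the following is an added example (not code from the article or from InternetNZ) contrasting the two reset designs discussed above. The "weak" check is the pattern being warned against: it accepts data that banks, merchants and social networks also hold. The hardened version is one common alternative, assumed here rather than taken from the page: a random, single-use, expiring token delivered over a channel the account holder already controls, with only a hash of the token stored server-side and a constant-time comparison on redemption. The user record and the clock are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user record for the example. None of these fields is actually
# secret: the card number is known to every merchant the user has paid, and
# the birthdate is often on a public profile.
USER = {
    "email": "alice@example.com",
    "card_last4": "1234",
    "birthdate": "1980-05-17",
}


def weak_reset_check(answers: dict) -> bool:
    """The pattern the article warns against: a password reset gated on
    knowledge-based answers that other organisations also hold."""
    return (answers.get("card_last4") == USER["card_last4"]
            and answers.get("birthdate") == USER["birthdate"])


class ResetTokenStore:
    """Assumed hardened design (not from the article): the reset is authorised
    by a random token, not by what the caller knows about the user. The token
    is sent out of band (e.g. to the registered e-mail address or phone), is
    valid once, expires, and is stored only as a hash so a database leak does
    not yield usable reset tokens."""

    TTL_SECONDS = 15 * 60

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for testing expiry
        self._pending = {}              # email -> (token_hash, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for the account. Issuing again replaces any
        earlier pending token. The plaintext is returned only so the caller
        can deliver it out of band; support staff never see it."""
        token = secrets.token_urlsafe(32)
        self._pending[email] = (self._hash(token), self._now() + self.TTL_SECONDS)
        return token

    def redeem(self, email: str, token: str) -> bool:
        """Return True exactly once for a valid, unexpired token."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[email]    # expired tokens are discarded
            return False
        # Constant-time comparison of the hashes, so a wrong guess does not
        # leak how many leading characters matched.
        ok = hmac.compare_digest(token_hash, self._hash(token))
        if ok:
            del self._pending[email]    # single use: burn it on success
        return ok


if __name__ == "__main__":
    # The weak check is satisfied by information an attacker can gather
    # elsewhere, which is exactly the failure mode described in the article.
    print("weak check with public data:", weak_reset_check(
        {"card_last4": "1234", "birthdate": "1980-05-17"}))

    store = ResetTokenStore()
    tok = store.issue(USER["email"])
    print("redeem wrong token:", store.redeem(USER["email"], "not-the-token"))
    print("redeem real token: ", store.redeem(USER["email"], tok))
    print("redeem it again:   ", store.redeem(USER["email"], tok))
```

Knowledge-based questions can still be useful as an extra hurdle for a support agent, but they should never be the thing that authorises the reset; the token, and the channel it was delivered through, are what prove control of the account.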
Above all, I hope that by learning from the experiences detailed here I'm not reading about you or your customers in the next attack report.
Pemberton is a technical policy analyst for InternetNZ