What’s the easiest way to get someone’s password? Hack their PC? Exfiltrate the user database?
Nope, much easier. Just ask them.
No matter how many times tech support staff are told never to ask for a user’s password, it still happens. It’s like no-one can help themselves and the ability to masquerade as an unsuspecting user is the divine right of service desk analysts everywhere. It’s not that it’s a cardinal sin (although certainly very bad practice and an indication of lazy processes), nope, it’s more that it opens the door to what becomes ‘acceptable’.
So when Mr Bad Guy phones one of your users it’s a cast iron certainty that he’ll say he’s from your IT department before proceeding to ask for their password – and probably for their mother’s maiden name, their bank card number, their PIN code, and the name of their favourite song to boot. You’d sort of hope that your users will be so well aware of your infosec policies that they’ll smell a rat and put the phone down. But remember it’s your credibility that’s being degraded, and your users that are being exploited. Just say no.