I wonder why. What made his account worth singling out for all that effort?
An easy solition is to track how many failed answers to security questions an accout recieves and if it becomes too high, MFA cannot be remove without a photocopy of a drivers licence faxed or scanned in and/or $1 payment on a valid credit card to unlock or something.
The big failing I took away from the article is it seems like no one tech was ever aware of how many prvious calls were made regarding this one account. That stuff should be tracked by and for the CS agents.
Yeah, that kinda astounds me. It was a ludicrously emphasized absolute requirement that we log every single customer interaction on their account, no matter how minute, and check previous notes when responding to new calls, when i worked a web support helpdesk back in TN. A pattern line that–tons of calls probing for info and failing to provide proper security info–would absolutely warrant escalating up, not to help them, but to get Fraud Prevention involved.
Mind, we were attached to a bank, so security standards were high, but it’s kinda crazy to me that a company the size of Sony wouldn’t implement something similar.