Documentation

Unblu 6 (latest)

security-7-abusing-agent-role.png

This type of attack assumes that an 'agent' aims to use their position to gain information or money from a visitor. The agent tries to insert information into the visitor’s web content, such as their own account number, or to learn information that they do not otherwise have access to, such as passwords and security questions.

Practically, the agent may ask the visitor to fetch a letter with hopes to execute a financial transaction while the customer is away for a short amount of time.

How we Prevent the Agent Role from Abuse

Unblu has a number of ways to limit the agent’s access to the visitor’s web content:

  • The collaboration server never transmits passwords.

  • Agents cannot modify the content of the visitor’s web page.

  • You can configure the collaboration server to block access to certain data presented through the instrumented web application. For example, the collaboration server may not show the personal settings page of an agent, it may hide account numbers, it may block access to account numbers and payment amounts, and it may prevent agents from executing payments.

Unblu does not restrict traditional methods of social engineering over the telephone. An agent may still be able to talk a customer into giving away the password or executing specific actions. However, this is possible in all consulting situations, and it is not made easier by using unblu.

Can the Agent Role be Abused in a Cloud Setup?

This type of attack is blocked in a cloud setup in the same way as for an on-premises installation.