TL;DR: MGM Resorts’ 2023 outage showed how vishing and help desk impersonation can bypass weak identity verification, disrupting room keys, slot machines, and other services while risking customer data. The incident demonstrates that authentication controls fail when they still rely on human judgment at the point of escalation, not just stronger factors.
NHIMG editorial — based on content published by 1Kosmos covering the MGM Resorts cyberattack: identity verification gaps exposed by vishing and compromised authentication
Questions worth separating out
Q: How should security teams secure help desk password reset and account recovery flows?
A: Treat recovery as a privileged access function.
Q: Why do social engineering attacks still defeat mature IAM programmes?
A: Because many programmes secure the login event but leave recovery, escalation, and exception handling under-governed.
Q: What breaks when account recovery relies on verbal verification?
A: Verbal verification breaks when the attacker can sound credible, use public information, or pressure staff into acting quickly.
Practitioner guidance
- Reclassify the service desk as a high-risk access channel Apply privileged access controls, call-back verification, and dual approval to any request that can reset credentials, unlock accounts, or change authentication factors.
- Harden recovery flows before attackers reach them Remove weak knowledge-based checks and replace them with stronger proofing tied to authoritative identity records, device binding, or step-up authentication.
- Map the blast radius of every reset path Document which systems, sessions, and entitlements become reachable after a support action, then reduce the number of accounts that can unlock multiple downstream services.
What's in the full article
1Kosmos' full article covers the operational detail this post intentionally leaves for the source:
- The vendor’s explanation of how identity-based authentication is positioned against vishing and recovery abuse
- Product-specific detail on biometric verification, liveness checks, and non-phishable MFA claims
- The vendor’s compliance and chain-of-custody narrative for organisations evaluating identity proofing options
- Implementation-oriented framing for teams considering passwordless and biometric-driven authentication paths
👉 Read 1Kosmos' analysis of the MGM Resorts cyberattack and identity verification gaps →
MGM Resorts vishing breach: what IAM teams should learn?
Explore further
Identity verification is only as strong as the least disciplined recovery path. The MGM incident shows that attackers do not need to defeat every control when the help desk can be persuaded to override the one that matters. This is a governance problem, not just a training problem, because the service path itself was trusted too much. Practitioners should treat every recovery and reset flow as a primary identity control, not a back office process.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity and access blind spots persist across recovery and privilege workflows.
A question worth separating out:
Q: Who is accountable when a support workflow leads to identity compromise?
A: Accountability usually spans IAM, service desk leadership, security operations, and the business owner of the affected system. If the support channel can restore access without strong proofing, the issue is governance, not just a single user error. Frameworks that emphasise access control and operational resilience should be mapped to the reset and recovery process.
👉 Read our full editorial: MGM Resorts vishing breach exposes identity verification gaps