Field notes · Case F-20 · Cyber

The phish that opens doors

Credential phishing is a physical security problem now: the access control system is an application, its admins have inboxes, and your door controllers trust a domain your helpdesk resets by phone.

The physical access control system used to be a metal box in a riser room. Today it is enterprise software: a server on the corporate domain, a browser console, administrators with email addresses and calendar invites. Which means the oldest attack on the internet now opens doors. Phish the PACS administrator, and the badge database, the door schedules and the alarm masking rules are yours without touching a fence.

Your door controllers trust a directory your helpdesk will reset over the phone.

Why codes and prompts stopped working

One-time codes and push prompts were designed against password reuse, not against patient adversaries. Real-time phishing kits proxy the code as fast as the victim types it; prompt bombing turns fatigue into consent; helpdesk impersonation skips the technology entirely. The industry’s answer is phishing-resistant authentication: FIDO2 security keys and passkeys, where the credential is bound to the origin and cannot be relayed to a look-alike site, no matter how convincing the email was.

Where to spend it first

This is the cheapest defense in this series: a few hundred keys, a rollout plan, and a policy sentence. The convergence attack it removes is the one we would run against you first.

We have rolled phishing-resistant keys out to PACS teams. It is a smaller project than it sounds.