Good Job Microsoft (2FA)

Super short post today. I recently rebuilt a PC and had to go through the process of activating Windows for the 6,000th time. As many of you who have gone through the process of activating Windows know, Microsoft has a few different ways set up for you to activate your operating system. For this specific post, I was using a license key from Windows 7 Pro, which was not being recognized as a valid key; I tried to input it a few times to ensure it was not user error on my side.

First off, if you did not know, when you are performing a clean installation of Windows 10 (which I was), you are asked to verify that you have a product license key while you are running the initial installation wizard for Windows 10. When I was asked for the key during the initial installation, I typed in my key wrong about three times. After this, I eventually typed in the correct key, and Windows installed.

Once installation was complete, I shut down my PC to transport it back to my house, as I was working on it with a friend. (He was helping me troubleshoot some wires that I had put in the right spot, but apparently they needed to be vertical instead of horizontal, even though the old motherboard had everything horizontal, and the documentation that came with the new motherboard said nothing about it. That is a different issue.) After my friend and I got the PC up and running and I transported it back to my house, I turned it on and noticed a message in the lower right-hand corner of the screen telling me to activate my copy of Windows.

I was sure that I had typed in the license key correctly while initially downloading Windows, yet somehow the key had not been verified, and my copy of Windows was not recognized as genuine. So, I did what any other Windows user would have done in that situation: I selected “change product key” and entered the exact same key as before, multiple times, each time being met with a message saying that my key was not valid, or some other error message (I forget exactly what it said).

Eventually, I decided it would be easier to talk to a Microsoft representative, or even the automated activation system they had set up via telephone, which I had used for Windows 7 just a month ago while rebuilding a PC. Well, for whatever reason, I did not have the option to activate by telephone. The internet told me to hit the “Windows key” and the “R” key to bring up the “Run” dialog box, type in “SLUI 4”, and hit enter. I kept doing this for a good fifteen minutes with no response, and then I decided to look for a customer support phone number online.

I created a ticket on Microsoft’s website, and about five minutes later it was my turn to talk to someone. This is how it went:

  1. I was greeted and immediately asked for my email address.
  2. Once I gave the representative my email address, the first thing I was asked to do was go to my email inbox and read the verification code I had just been sent back to him.

Yes, I know, that is exactly what a scammer would do to steal a verification code, get past two-factor authentication (2FA), and get into my account. But I promise, this was a genuine Microsoft representative and a genuine email from Microsoft, and it was only used to verify that the Microsoft representative was speaking to the person I was claiming to be.

This may not seem like some big cutting-edge verification tactic, but I have never had to go through something like this with any company to receive assistance on any account I have ever had. This could surely be annoying for many, needing to open their email inbox and read back a verification code. The majority of customers probably hate it and don’t understand why they need to do it, but to me it shows initiative. It shows me that Microsoft is hardening all aspects of the services they provide, even making it harder for unauthorized parties to get anything done through a Microsoft representative.
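What makes the “read the code back to the agent” step worth more than a security question is how the code is handled on the service side: it should be generated from a CSPRNG, stored only as a keyed hash, accepted once, expire quickly, and lock out after a few wrong guesses, so that a caller who does not control the inbox cannot guess or replay it. The following is an added illustration of such a support-desk verifier, written for this post; it is not Microsoft's code and nothing is known about their implementation. The ten-minute lifetime, three-attempt limit, six-digit code length, and the in-memory outbox standing in for the mail sender are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; a real help desk would tune them.
CODE_TTL_SECONDS = 10 * 60   # a code is only good for ten minutes
MAX_ATTEMPTS = 3             # three wrong guesses burn the code


@dataclass
class PendingCode:
    digest: bytes      # HMAC of the code; the plaintext is never kept server-side
    issued_at: float
    attempts: int = 0
    used: bool = False


class SupportVerifier:
    """Issues a one-time code to the e-mail on file and checks what the caller reads back."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock                       # injectable so expiry can be exercised
        self._pending: dict[str, PendingCode] = {}
        self.outbox: list[tuple[str, str]] = []   # (email, code): stand-in for the mail sender

    def _digest(self, email: str, code: str) -> bytes:
        # Bind the code to the account so a code issued for one e-mail cannot be
        # replayed against another.
        return hmac.new(self._key, f"{email}:{code}".encode(), "sha256").digest()

    def issue(self, email: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits, zero-padded
        self._pending[email] = PendingCode(self._digest(email, code), self._clock())
        self.outbox.append((email, code))          # only the inbox owner ever sees this

    def verify(self, email: str, code_read_back: str) -> bool:
        entry = self._pending.get(email)
        if entry is None or entry.used:            # nothing issued, or already consumed
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[email]               # stale code is discarded, not checked
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:          # guessing a six-digit code is not allowed
            del self._pending[email]
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(email, code_read_back))
        if ok:
            entry.used = True                      # single use: a replayed code fails
        return ok


def demo() -> dict:
    """Walk a constructed support call through the four failure modes and the happy path."""
    now = [1_000_000.0]
    verifier = SupportVerifier(secrets.token_bytes(32), clock=lambda: now[0])
    email = "customer@example.com"                 # constructed sample account

    verifier.issue(email)
    _, code = verifier.outbox[-1]
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "wrong_guess": verifier.verify(email, wrong),   # False
        "right_code": verifier.verify(email, code),     # True
        "replay": verifier.verify(email, code),         # False: already used
    }

    verifier.issue(email)
    _, code2 = verifier.outbox[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = verifier.verify(email, code2)  # False: past the TTL

    verifier.issue(email)
    _, code3 = verifier.outbox[-1]
    wrong3 = "000000" if code3 != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        verifier.verify(email, wrong3)
    results["after_lockout"] = verifier.verify(email, code3)  # False: even the right code
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties that matter for the phone scenario are that the agent never sees or types the code themselves (they only compare what the caller reads back against a hash), and that a wrong or reused code gives the caller nothing to work with; a “mother's maiden name” question offers neither.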

We have all heard of social engineering, and we all know that it is the most commonly used tactic to get access to things that you otherwise would not, and should not, have access to. Many of us probably know how SIM swapping works. It often involves contacting a mobile phone carrier, claiming to be the person being targeted, and answering the ridiculously weak security questions that most companies use to protect their customers. Once a malicious actor gets through the verification process, which could contain absolutely no verification codes or 2FA methods, the malicious actor is inside the victim’s account and able to have their SIM “swapped” into a new phone that the malicious actor controls, thus having what is essentially the victim’s legitimate phone in their hand, to do with as they please.

Obviously, SIM swapping is a bit more involved than that, but that was a brief overview to point out the shortcomings of customer service conducted over the telephone, and to further stress my point that I believe Microsoft is doing something very smart with this “phone + email” 2FA method.

Thank you for checking out my post, I hope that you found something I discussed interesting, and maybe even learned something new!

Image Source: cdn.vox-cdn.com/


This article was originally published on Medium.com by Joe Farnelli and is available in its original format there: Good Job Microsoft (2FA).
