CAN I TRUST DUO?

It is our opinion that you should not trust DUO with critical components of your infrastructure (like multi-factor authentication). DUO is owned by a networking company trying to rebrand itself as a security company.

Here is our direct experience on why we do not trust them:

In October of 2020, one of Varpath’s company DUO accounts became inaccessible and was deleted. This was one of Varpath’s MSSP accounts, paid for, owned, and managed by Varpath for over 5 years.

After investigating, we discovered that DUO had, without notification, warning, or confirmation of their intent, transferred ownership of the cloud account to a helpdesk User Administrator. This user admin had been given access to the account to help users with their VPN. He worked for our client, not for us. It is very normal for an account owner to assign administrators within a helpdesk to help the users.

Since we were never notified, we did not see this coming. Because billing was not changed and DUO kept charging the Varpath company credit card, we did not notice a problem until two things happened:

    1. We didn’t get a monthly bill for the first time in many, many years. That started an investigation on our end.

    2. We needed to change an Administrator on the account, and we were not able to log in.

Then, to top things off, while all this was happening, the customer deleted the account out from underneath us. Luckily for Varpath, this was not malicious, but it certainly serves as a wake-up call on the reliability of a solution that can be so easily back-doored. I have no assurance of the quality or security of any of DUO’s engineers working on Duo’s back end. However, I do have email logs. My email logs tell me that on the third request from the helpdesk engineer, after having been denied twice and after warnings had been sent to me about this, DUO FAILED to resist the social engineering and switched over my account.

If DUO had looked at who was paying for the account, it would have seen 5 years of payments from “Variable Path, Inc.” Maybe they would have caught things? Who knows.

The takeaway is that if you build your whole company security infrastructure on a solution that can be reassigned by a support tech on the back end, as happened to us with DUO, you are not building a very trustworthy system.

How can you trust an MFA solution provider that can and does do this? Cisco DUO still has not refunded our money; they still owe us thousands of dollars. They asked us not to complain to our credit card company about this and promised they would refund us… 5 months ago. And their AP team ghosts us.

Consequently, we are releasing this information about our experience with DUO and have clawed back as many of the charges as we could through the credit card company. We were able to reclaim 6 months of charges from DUO this way. I suggest you look at other providers for your MFA.

Our suggestion? Look at AuthPoint from WatchGuard. We are checking with them right now on their policies and procedures for reassigning accounts and will publish what we learn here.

From: Joe P***** (s****) <s****@cisco.com>
Sent: Friday, November 13, 2020 8:05:20 AM
To: ************
Subject: Re: Duo Support follow up

Howdy ******,

I have spoken with our Finance team about this issue and a refund. In order to process a refund for this account we would like to confirm the dates and amounts to be refunded. Could you please provide a list of charges to reverse with the dates and amounts and the last four digits on the card that was charged? Once we have that I will share it with Finance to work on the refund.

Best,

Joe

From: <******@varpath.com>
Sent: Tuesday, November 10, 2020 5:14 PM
To: Joe P***** (s****) <s****@cisco.com>
Subject: Re: Duo Support follow up

Hi Joe,

So is this a correct takeaway:

An admin account can request ownership if the owner does not reply?

For my part, I saw the email and I did act on it as instructed. I very specifically told **** he could not have owner. Checking with ************ HR is completely irrelevant because I never worked for ************. Regardless, it was not their account. It was an account owned by Variable Path, Inc.

If I was removed from the account, I don’t think I should be paying for another company’s services. I’d like to be reimbursed from when I lost control of the account.

Also, XXXXXX@XXXXXX.XXX was definitely the owner account. You can email me at that address and I’ll receive it if you have details to share.

Thanks,

*****

From: Joe P***** (s****) <s****@cisco.com>
Sent: Tuesday, November 10, 2020 2:12:16 PM
To:
Subject: Duo Support follow up

Howdy *****,

My name is Joe P**** and I am the Security Operations Manager for Duo Security. Our customer support team reached out and shared your emails and concerns about a Duo owner account XXXXXX@XXXXXX.XXX with me. I investigated this issue and reviewed the emails that you shared with customer support.

After reviewing the case it appears that this owner account was transferred to Business Wire in August 2019. This transfer occurred because Business Wire requested an owner transfer, their HR confirmed that you were no longer with the company, and they were able to prove they had admin control of the Duo account. While validating this transfer we sent emails to XXXXXXX@XXXXXX and the phone number associated with it in order to confirm this transfer should move forward but we didn’t hear back.

Since you are not currently an account owner I am not able to provide more details on this account or its billing. However if you can share with me the details you are disputing on your credit card statement, I can follow up with our finance team and get back to you.

Best,

Joe

Here is the original request, which I was able to capture since it was sent to us. This was the only warning that the account was about to be reassigned. Keep in mind that we did call the person who originated this request and told them to stop “messing around”.

There was NO FURTHER WARNING FROM DUO. The only notification was the casual mention in the ticket below (which could easily have gone to SPAM) asking us to connect with the ticket requestor.
Regarding your Duo Support ticket 00369551

Fri 7/12/2019, 11:01 AM

Hi XXAdmin,

Please reach out to XXXX XXXXX (Administrator, XXXXXXXXX@XXXXXXX.com) from XXXXXXXXXX.
As you are the Owner on this account, they require assistance but are unaware of who you are.

Thank you,
Chad

Duo Security Support Team – Support Page https://duo.com/support
 
 

——————————
From: XXXXXXXXXX@XXXXXXXXXX
Sent: 7/11/2019 6:09 PM
To: support@duosecurity.com;support-noreply@duosecurity.com
Cc:
Subject: RE: [EXT] Regarding your Duo Support ticket 00369551
Hello Chad,

Thanks for your help with this. I did verify in my department and no one seems to be the Admin/Owner on the account. Please advise? How else can we solve this problem?

Thanks,
XXXXXXXXXX

From: noreply@salesforce.com <noreply@salesforce.com> On Behalf Of support@duosecurity.com
Sent: Thursday, July 11, 2019 4:48 PM
To: support-noreply@duosecurity.com; XXXXXXXXXX <XXXXXXXXXX@XXXXXXXXXX>
Subject: [EXT] Regarding your Duo Support ticket 00369551


Hi XXXXXXXXXX,

XXXXXXXXXX was not the Owner on the account and only an Owner can make changes to administrator accounts. The owner on the account appears to be a generic account with a domain address from XXXXXXXXXX.XXXXXXXXXX. That Owner account is in regular use. I suggest talking to your other Administrators to identify the Owner. Then they can remove XXXXXXXXXX.
https://duo.com/docs/administration-admins#deleting-an-administrator

Thank you,
Chad

Want to know what we’re up to? Subscribe to our Release Notes in the Duo Community!<https://community.duo.com/t/about-the-release-notes-category-and-how-to-subscribe-to-updates/614>
Duo Security Support Team – Support Page https://duo.com/support

——————————
From: support-noreply@duosecurity.com
Sent: 7/11/2019 1:15 PM
To: XXXXXXXXXX@XXXXXXXXXX
Cc:
Subject: Re: Duo Account Owner change request

Thank you for contacting Duo Security Support!
Our support team is currently working hard to prioritize and reply to all customer requests. We look forward to working with you shortly!

Your case number is 00369551.

In the meantime, you may be able to find the answers you need at one of the links below:

Current system status and known issues: https://status.duo.com
Setup documentation: https://duo.com/docs
Help Center: https://help.duo.com
Duo Community: https://community.duo.com
Release Notes: https://community.duo.com/t/about-the-release-notes-category-and-how-to-subscribe-to-updates/614
Support Page: https://duo.com/support

Thanks,
Duo Security Support

=================


Thanks to Chad, I now know that any helpdesk person at DUO can reassign a role.