Security:Social engineering


This page forms part of the Moodle security guidelines.

What is the danger?

Moodle is so secure that Evil Hacker gives up on trying to crack the software. Instead, he decides that the users are the weakest link.

For example, he may get the phone list for your organisation, and start making bogus calls:

"Hello, I'm from the helpdesk. It's not very clear, but I think I have a message here saying you are having trouble logging in? Is that right?"

Eventually, he hopes someone will get tricked:

Gullible user, "Err, yes. I am having trouble logging in, but I don't recall asking for help."

Hacker, "Well, I am here now. Let me go through it with you, now what is your username?"

User, "It's ..."

Hacker, "And the password?"

You get the idea. It can work the other way. Someone phones the helpdesk pretending to be a helpless teacher who wants to increase a particular student's grade, and the person on the helpdesk kindly does that for them.


One very well known form of social engineering is phishing.


How Moodle avoids this problem

This is not a problem that can be solved with technology.


What you need to do in your code

  • There's not a lot you can do.


What you need to do as an administrator

  • All you can do is to try to educate your users. However, don't be too hard on them if they are tricked. They were probably only trying to be helpful.


See also