How contact centers have become a prime target for hackers [Q&A]
With growing security threats and compliance being taken seriously, companies are more aware than ever of the need to protect their data.
This means hackers must work harder to try to steal information and contact centers are in the front line. We spoke to Ben Rafferty, chief innovation officer at security and compliance specialist Semafone to find out how contact centers are under threat and what can be done to protect them.
BN: What makes call centers particularly vulnerable?
BR: They've always been vulnerable, but they haven't historically been attacked. What's happened -- certainly in the US with the introduction of chip payment cards and in Europe with chip and PIN -- is that it has become far harder to hack the exposed endpoints of a merchant. That's pushed hackers to refocus their efforts to weaker channels and that means the contact center.
If you look at security as being the cyber perimeter, the physical perimeter and the personnel angle, a contact center has all three. There are humans on the end of the phone, they are using systems with vast amounts of personally identifiable information (PII), and they are in a location which needs to be secured. There are lots of angles to think about and chances are if you have an internet site you have a contact center. So you could have the world's best online security but if you've haphazardly put together your contact center then you could be leaving the back door wide open.
BN: What kind of attacks do these centers face?
BR: The main threat is from vishing (phishing via a voice call). There are single attackers, who will try and do everything on a single call to get as much information as they can. They are typically less successful but may come across information by chance, such as finding a letter in a bin with customer account details on it, making for opportunistic attacks.
A bigger challenge comes from vishing teams; these target large contact centers, making a series of calls and trying to escalate privileges each time. No single call ever tries to get the prize, but at the end of a series of calls they may have access to transfer funds or to order goods or services on a compromised account. This kind of attack is hard to prevent because when you are calling a large enterprise's contact center they will have lots of agents and no single person ever sees the big picture. This is why increasingly there are calls for multi-factor authentication in order to verify transactions.
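As an added illustration of the multi-call pattern described above (example code written for this article, not Semafone's product or the interviewee's own material): it correlates constructed call-handling log lines per account so that a chain of privilege changes spread across several agents, which no single agent would see on their own call, is flagged when a high-impact action caps it. The log format, the action taxonomy and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed taxonomy of privilege-changing actions; level 3 marks the "prize" step.
ESCALATION_ACTIONS = {
    "update_contact_email": 1, "update_phone_number": 1,
    "reset_online_password": 2, "add_payee": 2,
    "transfer_funds": 3, "order_goods": 3,
}
# Hypothetical log format: "<date> <time> account=<id> agent=<id> action=<name>"
LINE_RE = re.compile(r"^(\S+ \S+) account=(\S+) agent=(\S+) action=(\S+)$")

# Constructed sample: ACC-1001 is worked up over four calls by four agents; ACC-2002 by one agent.
SAMPLE_LOG = """
2024-03-01 09:12 account=ACC-1001 agent=agent07 action=update_contact_email
2024-03-01 14:40 account=ACC-1001 agent=agent19 action=update_phone_number
2024-03-02 10:05 account=ACC-1001 agent=agent03 action=reset_online_password
2024-03-02 16:30 account=ACC-1001 agent=agent11 action=transfer_funds
2024-03-01 11:00 account=ACC-2002 agent=agent07 action=update_contact_email
2024-03-01 11:20 account=ACC-2002 agent=agent07 action=transfer_funds
2024-03-03 09:00 account=ACC-3003 agent=agent03 action=balance_enquiry
"""

def parse_log(text):
    """Return (timestamp, account, agent, action) tuples in time order."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, agent, action = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), account, agent, action))
    return sorted(events)

def find_multi_call_escalations(events, window_hours=72, min_agents=3):
    """Flag accounts where a level-3 action caps privilege changes made via several agents."""
    by_account = defaultdict(list)
    for ev in events:
        if ev[3] in ESCALATION_ACTIONS:
            by_account[ev[1]].append(ev)
    alerts = {}
    for account, evs in by_account.items():
        for i, (ts, _, _, action) in enumerate(evs):
            if ESCALATION_ACTIONS[action] < 3:
                continue  # not yet the step the chain is building towards
            chain = [e for e in evs[: i + 1] if ts - e[0] <= timedelta(hours=window_hours)]
            agents = {e[2] for e in chain}
            if len(agents) >= min_agents:
                alerts[account] = {"agents": sorted(agents), "chain": [e[3] for e in chain]}
    return alerts
```

Running `find_multi_call_escalations(parse_log(SAMPLE_LOG))` flags only ACC-1001; ACC-2002 is skipped because one agent handled the whole chain and could have spotted it.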
BN: Is part of the answer better training for operators to spot attacks?
BR: It's part of the answer but it isn't a complete answer. Under GDPR rules in Europe it's almost a legal obligation to train people to handle PII properly. There are some operational processes you can use too, so if you're working in a bank, say, and are behind a mainframe screen then there are processes to authenticate the caller and the agent which mean only when the customer passes a verification process will the agent be able to access their details. So, training is important but processes need to be bulletproof too to prevent insider attacks and insider errors.
BN: Does that include using things like multi-factor authentication and biometrics?
BR: There generally needs to be a combination of something that you know and something that you have. But you also need to be able to deliver tokens via separate channels, so if you are on an internet connection you shouldn't be using the same connection to send tokens for 2FA. People use SMS but that's not secure as it can be intercepted via SS7 attacks or -- if the criminal has access to the phone -- via text messages being displayed on the lock screen.
Ideally you want a combination, so if you are using an authenticator app you need to have a biometric check to open the device in order to access the one-time password.
BN: Isn't it important to strike a balance between protection and ease of use?
BR: Absolutely, and there's another issue here where you risk ring fencing out part of the population. There are still a lot of people without smartphones, there are people who might not have a data signal or have run out of data on their mobile device. You are asking a lot of your customers by demanding that all controls are in force.
Because it's possible to spoof caller IDs and IP addresses the banks have had to up their game. People were refusing to take legitimate outbound calls from their banks because they were suspicious that they could be scams. Both parties need to be sure that the call is genuine. There's a risk for SMEs that don't have the same sort of resources or budget to put into security as large enterprises and therefore become more vulnerable to attacks.
BN: What else can contact centers do to protect PII?
BR: We have a sort of unofficial mantra of, "You can't hack what you don't hold." If you are not holding data the impact of any compromise is far, far less. For example, at Semafone our credit card solutions transact on behalf of the merchant, so if they are attacked they don't have any card data to steal.
It's also important to understand what data you are holding and look at whether you really need it. Because of GDPR there are hundreds of agencies who will offer advice on auditing your data and that is a good place to start. You also need breach response plans drawn up, forensic investigation procedures in place and more.