Combating insider threats in the contact center
Advances in security technology are making many payment channels safer than ever for consumers; however, they are also forcing professional fraudsters to concentrate on an ever-diminishing number of more vulnerable targets. One of these is the traditional contact center, where the huge volume of daily Card Not Present (CNP) transactions, combined with often lax physical security measures, makes it an increasingly attractive target for criminal gangs.
CNP transactions (online, telephone and mail order purchases) remain the Achilles heel of the card payments industry, largely because a second authentication factor such as Chip and PIN is so difficult to implement when the card is not physically present. The introduction of 3-D Secure has had a positive impact on the security of online CNP transactions, but telephone and mail order payments remain extremely vulnerable.
This risk is magnified in the chaotic contact center environment. Customers often don’t realize that when they make a phone payment via a contact center agent, they are handing over all of the details needed for someone else to use that same card fraudulently. They are placing the security of their card information in the hands of someone who is, for all intents and purposes, a complete stranger.
Long-term solutions to this security loophole are in development, but until they are ready for global roll-out, the contact center will remain a weak link in the chain. As a result, criminals will undoubtedly continue to try to make hay while the sun shines. One of the difficulties in securing contact centers is the sheer number of attack vectors open to criminals. Threats can come from outside or inside, online or in person, brazen or covert. In short, contact centers and the organizations responsible for them face a major uphill battle to fend off all of these attackers.
The threat from within an organization is a particular concern. Not only do insiders already have access to much of the sensitive information needed to commit fraud, but they are also vulnerable to coercion from criminal gangs looking to get their hands on that information. Insiders may be willing or unwilling participants, but the threat they pose is equally serious either way.
For example, a few years ago CIPHER (an independent security auditor and PCI Qualified Security Assessor, or QSA) was asked to investigate suspicious activity for a bank that had noticed unauthorized use of its credit cards. CIPHER traced the problem back to a contact center employee who was entering the building outside their normal shift pattern and using a co-worker's computer to access customer card details. It was later revealed that the employee in question was part of an organized crime gang, which had compromised over 15,000 credit cards in this manner.
And while we're talking anecdotes, not all insider threats have malicious intent. During a recent contact center audit, a site auditor witnessed agents manually writing down phone payment details as part of the company's continuity policy, in case the IT systems went down mid-transaction. This information was then entered into a PIN pad to complete the transaction. If the transaction failed for any reason, the PIN pad slip and the handwritten card details were simply discarded into bins under the agents' desks, information intact. After seeing this, the auditor asked where the records of successful transactions were kept. He was taken to an unlocked office full of PIN pad slips, where his proud host explained that the bulldog clips held the slips in place and secure, against any draft or wind that might mix them up.
These are, of course, two extreme examples. There have been some remarkable advances in technology in recent years, and there is generally much better awareness of the threat to our personal information, especially cardholder data. However, there are still very few advanced security controls in place to guard against the insider threat. Time and again, networks are not segmented, and cardholder data is still manually keyed into payment systems by agents. As long as these practices continue, and until a long-term phone payment security solution is in place, contact centers will remain a top target for fraudsters.
What can be done?
Many organizations have taken the route of outsourcing their contact centers, wrongly thinking that they are transferring the risk. Arguably, even if the legal (litigation and compensation) risk is transferred, the far more costly residual risk to the brand and to customer loyalty is still present, no matter who operates the contact center. The risk therefore remains with the organization as well as with the outsourced contact center.
If contact centers comply with the current PCI DSS standard they will go a long way towards improving security within their estate. However, it is a big mistake to assume that PCI compliance automatically means all cardholder information is safe. Ultimately, the best way to keep cardholder information safe is to make sure it never enters the contact center environment in the first place. After all, criminals can't steal what isn't there.
Solutions such as Dual-Tone Multi-Frequency (DTMF) secure phone payment processing can do just this. With DTMF payment technology in place, the customer is asked to enter their card number on the telephone keypad instead of reading it out loud to the agent. The tones are captured and decoded before the call audio enters the contact center, so the agent (and the call recording system behind the agent) is never exposed to them. Instead, the agent sees asterisks appearing as the customer enters their details on the keypad, and receives a confirmation once the payment has been successfully completed.
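To make the mechanism concrete, the following is an added example (not code from the original article, nor from any vendor's product) of the telephony-side component such a solution relies on: it decodes DTMF keypad tones from call audio with the Goertzel algorithm, validates the resulting card number with a Luhn check, and hands the agent desktop nothing but a masked view. The audio is synthesized in the example itself from the standard DTMF frequency pairs; the use of `#` as the end-of-entry key, the 8 kHz sample rate, the 20 ms analysis frame and the energy threshold are assumptions of this example rather than anything the article specifies.

```python
"""DTMF capture for phone payments (added example, constructed audio).

Decode the customer's keypad tones on the telephony side, validate the
card number, and forward only a masked view to the agent desktop.
"""
import math

SAMPLE_RATE = 8000          # narrowband telephony rate (assumption)
FRAME = 160                 # 20 ms analysis frames (assumption)

# Standard DTMF frequency pairs: rows use the low group, columns the high group.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))
KEY_TO_FREQS = {KEYPAD[r][c]: (LOW_FREQS[r], HIGH_FREQS[c])
                for r in range(4) for c in range(4)}


def synth_dtmf(keys, tone_ms=80, gap_ms=40, amplitude=0.5):
    """Constructed test input: the tones a handset sends for `keys`."""
    samples = []
    tone_n = SAMPLE_RATE * tone_ms // 1000
    gap_n = SAMPLE_RATE * gap_ms // 1000
    for key in keys:
        lo, hi = KEY_TO_FREQS[key]          # KeyError for a non-DTMF key
        for n in range(tone_n):
            t = n / SAMPLE_RATE
            samples.append(amplitude * (math.sin(2 * math.pi * lo * t)
                                        + math.sin(2 * math.pi * hi * t)))
        samples.extend([0.0] * gap_n)       # inter-digit silence separates repeats
    return samples


def goertzel_power(frame, freq):
    """Signal power at one target frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_dtmf(samples, energy_threshold=1.0):
    """Return the key sequence in the audio, one character per key press."""
    keys = []
    last = None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        if sum(x * x for x in frame) < energy_threshold:
            last = None                     # silence: the next tone is a new press
            continue
        lows = [goertzel_power(frame, f) for f in LOW_FREQS]
        highs = [goertzel_power(frame, f) for f in HIGH_FREQS]
        key = KEYPAD[lows.index(max(lows))][highs.index(max(highs))]
        if key != last:                     # a held key spans several frames
            keys.append(key)
            last = key
    return "".join(keys)


def luhn_valid(pan):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def capture_card_number(samples):
    """Telephony-side capture. `pan` goes to the payment gateway only;
    `agent_view` is all that is forwarded to the agent desktop.
    Entry is terminated with '#' (assumption of this example)."""
    pan, _, _ = decode_dtmf(samples).partition("#")
    ok = pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)
    return {
        "pan": pan if ok else None,
        "agent_view": "*" * len(pan),       # one asterisk per key press, no digits
        "status": "captured" if ok else "re-enter",
    }


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a widely published Visa test number, not a live card.
    result = capture_card_number(synth_dtmf("4111111111111111#"))
    print(result["agent_view"], result["status"])   # ****************  captured
```

The point of the split in `capture_card_number` is architectural rather than cryptographic: the only process that ever holds the decoded PAN sits upstream of the contact center, so the agent's screen, keyboard buffer and call recording contain nothing a coerced or dishonest insider could sell. A production deployment would also need the tones removed from the audio passed on to the agent, tokenization of the PAN before it is stored, and handling of the pause and re-entry cases a real IVR prompts for.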
Not only does this improve customer peace of mind and remove the temptation from the opportunistic thief, but it also protects agents from criminal coercion: an agent who never sees the card number has nothing to be coerced into handing over. For further protection, any manual records and legacy call recordings that contain card data should be destroyed wherever possible, or securely stored off-site with an accredited service provider if they must be kept for compliance reasons.
As the threat landscape changes and fraudsters are increasingly funneled down the few remaining paths of least resistance, organizations have a duty to ensure they protect themselves, their employees and their customers from fraudulent activity. Until credit card companies can roll out a viable global solution to the remaining CNP security vulnerabilities, contact centers will continue to be a prime target. However, by taking steps now and stopping payment data from ever entering the contact center environment, organizations can greatly reduce their chances of becoming the next victim.