Understanding how customer data and privacy is at risk can help call centers beef up security, so we will also touch on some of the potential vulnerabilities inherent in security technologies. Ideally, no call center should be without a multi-layered security strategy.

How are call centers vulnerable to data breaches?

Personally identifiable information (PII) theft

According to Pindrop, data breaches that occur at other companies – usually high-profile attacks on financial institutions and healthcare providers – affect a wide range of enterprises, even in unrelated industries; that includes consumer service companies. These breaches may have a significant security ripple effect on call centers that usually rely on PII to verify a caller’s credentials. If this information – e.g. SSNs or bank card numbers, or customers’ DoB or email addresses. – has been previously breached, a call center’s customers immediately become extremely vulnerable. The Identity Theft Resource Center (ITRC), together with CyberScout, conducts annual studies of identity thefts. In its 2017 Data Breach Year-End Review, the ITRC found that: “Throughout 2017, there were 830 data breach incidents involving Social Security Numbers, representing more than half of the total reported number of breaches. As a result of these breaches, nearly 158 million SSN’s were exposed or 88 percent of the total number of records exposed.” IDology’s Fifth Annual Fraud Report said “40% of businesses reported their contact centers were increasingly being targeted by fraudsters, with social engineering being the most widespread fraud tactic.” In addition, the penalties for not complying with regulations specifying how personal data is managed are high.

Internal threats: Rogue insiders

Semaphone CEO Tim Critchley, writing for ICMI, identifies the top insider call center threat personas as:

The Tempted Temp: May not be 100 percent loyal to their temporary employer and is tempted to wrangle a bonus from fraudsters once they leave their current position. The Credulous Clicker: May accidentally, and quite innocently, expose sensitive customer data when clicking on a malicious link. The Vengeful Victim: Any employee with a grudge and access to sensitive data is a Trojan horse. The Hidden Hacker: The IT department may view sensitive data as a source of additional funds towards their year-end vacation. The Contract Cleaner: All these guys need is “tiny USB sticks, which contain key logging software and a Wi-Fi transmitter” to steal private data.

A 2015 McAfee report (“Data exfiltration study: Actors, tactics, and detection”) found that 43 percent of data loss in data breaches was caused by internal actors, half of these cases being accidental. The study also suggested that data loss prevention (DLP) played a major role in detecting and preventing data thefts.

External threats: Technology vulnerabilities

According to Pindrop: “As network and endpoint security technology has evolved over the years, criminals have had to find other ways to get to the information they want. The same effect has come from the shift to chip-and-PIN technology on credit and debit cards, which has forced more fraud into the phone channel.” Technology is vulnerable to the wily ways of the criminal who quickly learn to change attack strategies and soon master the art of finding software loopholes.

How secure is VoIP?

VoIP vendors claim professionally-installed VoIP systems are secure. However, being Internet-based, they may still be susceptible to malicious attacks. Colocation America’s James Mulvey has some tips to secure VoIP:

Set up a secure firewall between the VoIP server and outside network. Specialist firewalls can detect and preempt DDoS attacks that attempt to bombard a call center with requests the service simply cannot handle. Use data encryption for all data within, entering and leaving the network. Where a predictive dialer is used to place outgoing calls, “some sort of border patrol to prevent network intrusion” must be enforced.

How secure is IVR?

According to Contact Solutions, call centers need to address potential problems in the way data is stored in IVR systems:

Data is stored in the system and subsequently copied to multiple locations, which become targets for fraudsters. Each call should have its own allocated space and resources. Data, particularly unnecessary data, is not regularly “cleaned” between transactions. Data from one call should be erased before resources are made available for another call. Communications are not secured in data transfers. Where possible, transactions should take place in real-time to avoid saving sensitive data in hard-to-find places.

How secure is encryption?

The 2015 McAfee report mentioned above (“Data exfiltration study: Actors, tactics, and detection”) found that 32 percent of data exfiltrations were encrypted. Yes, there is more is more than one weak link in the encryption chain. According to InfoWorld’s Peter Wayner, a single failure in an encryption algorithm or a glitch in the software can create a vulnerability. “One of the most famous algorithms, RSA, is said to be secure — as long as it’s hard to factor large numbers. That sounds impressive, but it simply shifts the responsibility. Is it truly that hard to factor large numbers? Well, there’s no proof that it’s hard, but no one knows how to do it right all of the time. If someone figures out a fast algorithm, RSA could be cracked open like an egg …” Computing power, backdoors, hidden layers, faked certificates and typos are all potentially-exploitable weak links in the encryption chain. The takeaway: choose your encryption method wisely and understand how and why it may not be totally secure. The trick is to use a multi-layer approach to security, with encryption just one layer of protection.

Top 10 call center security rips for protecting consumers – What do the experts say?

Bearing the vulnerabilities mentioned above in mind, let’s take a look at some layers of protection a call center’s security strategy should include:

1. Dump the auditory Q&A process

Asking customers to read SSN and credit card numbers out loud is an outdated and insecure procedure. Instead, “… adopting dual-tone multi-frequency (DTMF) masking technologies […] will allow customers to enter private information via telephone keypads and cannot be captured on recording or deciphered.” (Mandi Nowitz, writing for TMCNET)

2. Thwart the rogue insider with technology

Not always deliberately malicious, the rogue insider may be blackmailed or trapped by manipulative social engineering techniques. DTMF is a good option but does not take into consideration callers who cannot use the keypad. Another option for a call center is to implement rigorous (and expensive) in-house safeguards, e.g. a “white room.” Even better, cloud-based telephony systems allow cardholder data to be routed “to the Payment Service Provider (PSP) via a secure private cloud, without the information entering the contact centre.” In addition, the call is muted to the operator for the period while the caller is giving their personal details using Automatic Speech Recognition Software (ASR). (Nick Ismail, writing for Information Age)

3. Make vulnerable data less accessible

One way to do this is ensure all data in rest and in motion is encrypted, so that even if a rogue employee steals it, it is useless to them. Implement role-based access to sensitive data. (TeleApps)

4. Regular penetration testing

Pentests can identify weaknesses in a call center’s security and are usually undertaken by IT professionals, either in-house or by a consultancy. (InfoSec Institute)

5. Anticipate attack – Use proactive, specialist security software

Telephony Denial-of-Service (TDoS) attacks can overwhelm a call center simply in terms of call volume. A workaround to this is the use of “firewalls devised exclusively for VoIP connections that can filter and redirect the incoming calls in case they are detected as a possible threat.” (Nishant Kadian, writing for Call Center Hosting)

6. Enforce strong access controls

The Internet abounds with stories about criminals who stole the identities and access credentials of staff who had long since left the company. According to Winn Schwartau, founder of security awareness certification company SCIPP International, “It may well be the human resource function’s policy to revoke access—but human resources doesn’t control the network.” In addition, he comments that while offering productivity gains, “single sign-on increases the risk of data loss (or damage) in the case of password theft or misuse.” Beware. (Malcolm Wheatley, writing for CSO Online)

7. Practice fundamental security basics

Keep software updated; enforce anti-virus protection, use a password manager, educate staff on social engineering tactics, anticipate divert detection and forwarding, and always use two-factor authentication.

8. Control access at document level

Use a digital document management solution that controls access to documents by role and encrypts documents that leave the center in case they are sent to the wrong customer. (Mia Papanicolaou, Chief Operations Officer for document security specialist, Striata Inc., writing for TMCNET)

9. Thwart the outside infiltrator with high-tech solutions

Humans cannot always identify subtle patterns of behavior or keep track of vast amounts of calls, even with audit trails. “The contact centre advisor’s best line of security lies in multi-layered fraud detection technology. Where other voice biometric technologies fall short is in their inability to differentiate between devices or to identify patterns in user behavior. Phoneprinting can identify specific components about each call, such as the call location, device, and repeat call behavior.” (Call Center Helper, with thanks to Matt Peachey at Pindrop)

10. Multi-factor authentication (MFA)

The use of one-time passwords, biometrics (e.g. voice prints), near field communications (NFC), risk-based authentication and roles-based access to systems for customers and in-house operatives can improve both security and the customer experience. (Jeff Carpenter, writing for Crossmatch)

Why improve your call center security?

If you don’t, you could:

Lose your reputation in the industry Attract penalties or fines for not enforcing regulatory standards Lose business due to bad customer experiences Face additional costs having to patch your systems after the fact Struggle to hold on to staff for much longer than the time taken to train them Become the laughing stock of social media

Where to next?

InfoSec Institute can help you secure your call center. To get started, understand the basics of what you are up against:

Read about how to secure VoIP or take a course on VoIP security Watch a video on how malware can bypass anti-virus software Under basic encryption concepts Learn how to identify people that attempt to socially engineer conversations to steal information by implementing security awareness training programs for employees

Sources