We investigate how fraudsters try to steal information from the contact centre, before highlighting how to stay safe, in this article written by Charlie Mitchell.
1. Hardware Keyloggers
If a fraudster can get into a physical contact centre, perhaps posing as a cleaner or through social engineering, it’s open season.
For just £50, an attacker can buy a hardware keylogger from Amazon. This sits between the keyboard and the desktop system, recording and storing every keystroke.
If advisors are taking payments and typing up the customer’s card information, keyloggers present a real risk to contact centre security. Even if this is not the case, attackers can still retrieve lots of information.
“I was first introduced to this threat in 2002. Since then, the technology has advanced massively,” says Jim Seaman, Director of IS Centurion Consulting.
“The attacker would previously have to enter the premises and then return to retrieve the device. Now, they are internet-connected and act in a passive mode. This means that they go undetected by security systems and the fraudster doesn’t have to return to retrieve the information.”
Yet this is not just a matter of restricting access to the contact centre. There is a risk of advisors being intimidated into placing such a device on a colleague’s computer. It can only take financial problems or harassment to nudge an advisor in this direction.
Fortunately, wireless keyboards prevent this risk. DTMF technology, which enables customers to submit their payment details through their phone keypad, also helps to ensure card details aren’t taken.
Finally, encouraging advisors to give their workstations a quick sweep for clandestine devices can work well too.
2. Side-Channel Attacks
Using £150-worth of radio equipment to detect computer emanations, fraudsters can sit in the car park and steal card details as they appear on an advisor’s screen. This is called a side-channel attack (SCA).
Many thought this problem would go away once CRT monitors gave way to flat-screen technology, but it remains a serious security threat. Worse yet, it’s impossible to detect unless security challenges unauthorized personnel in the car park.
Using an antenna to pick up emanations, the technology reconstitutes the information from an advisor’s screen onto another device. Such equipment works not only through windows, but through other obstructions – including walls – as well.
For now, however, many contact centres see this as a tolerable risk. But it’s just a matter of time before criminals start to see this tactic as an area of opportunity, especially as it requires no access to the contact centre itself.
3. Social Engineering
Fraudulent calls are the most common source of contact centre fraud, as attackers try to manipulate advisors and contact centre systems into giving away customer details.
Criminals are becoming more sophisticated: rather than trying to access a customer’s card details immediately, they gather as much information about the customer as they can in order to pose as them later.
Examples of how a fraudster might do just that include:
- Asking an advisor to change the victim’s contact information
- Tricking an advisor into revealing customer data
- Testing stolen data in the IVR to identify accounts
The first two are examples of social engineering, as the criminal gathers enough pieces of the jigsaw to make the advisor doubt their own suspicions.
So, how can contact centres protect themselves from this threat? Security training is a go-to technique. This involves coaching advisors to identify signs of fraudulent behaviour on inbound calls, such as when the customer fails to:
- Answer security questions
- Answer questions related to their previous business with the company
- Stay calm when the advisor follows simple security protocols
In addition, Steve Sullivan, Founder of Channel Doctors, recommends that contact centres “Think about how to turn the instinctual into a process. This is important too because, while many advisors are good at picking up on fraud signals, it’s very difficult to say what they are and target them in training.”
Yet it’s not just a matter of guarding advisors against social engineering. If attackers can gain information from an organization’s systems, they can use this tactic on customers too…
An Example of Social Engineering in Action
In 2020, The Ritz Hotel in London was subject to a social engineering attack. The criminals hacked into the booking system. They then phoned customers, using booking references, dates and times to give them credibility.
On the phone with the customers, attackers told them that their card payment hadn’t gone through properly, before offering them the chance to cancel their booking or resubmit the payment. The payment would then go directly into the criminal’s back pocket.
4. Phishing
Phishing campaigns are no longer the stereotypical “Prince of Nigeria” scams. Now, they are very well-crafted emails.
Fraudsters may simply tweak the lettering of an email address, so that the message appears to come from a legitimate sender, yet one character within it has been ever so slightly altered.
“Phishing emails are now so sophisticated that you could spend all the time in the world doing phishing simulations and security awareness campaigns. It only takes one mistake,” says Jim.
“It only takes one person in the contact centre who has access to email and access to payment information on the same system, to click on that malicious attachment. This would open up a whole world of hurt inside the secure domain.”
Again, DTMF technology would prevent payment data from being lost. Another solution could be to implement a dual system, so when an advisor starts processing a payment, they can flick a switch to move from a vulnerable environment into a “secure bunker”.
However, in the case of both solutions, scammers can still access other customer data for future social engineering projects.
5. Network Jacks
If a criminal can socially engineer their way into the contact centre, they will have access to network jacks, which means they can connect a rogue device to the network. This is a backdoor to sensitive information.
In a physical contact centre, this is more of a challenge, but if a fraudster can enter the house of a remote worker and compromise the VPN, that presents a major security risk.
Remember, remote advisors don’t have a receptionist, access controls or proximity card readers.
However, the most likely way that fraudsters will use network jacks to breach a contact centre is through other parts of the organization. Barclays and Santander were the targets of such a scam in 2013…
An Example of Attempted Fraud Through Network Jacks
Organized criminal gangs targeted Barclays and Santander in 2013, trying to breach the corporate network through compromising the network jacks within branches of the banks.
Dressed as engineers, they tried to attach KVM (keyboard video mouse) switches to steal customers’ account details and put fraudulent debits on customer accounts.
How to Prevent These Security Risks
No doubt, there are lots more examples of contact centre fraud out there. To protect against these and the examples above, let’s explore some key security protocols.
Think People, Processes, Systems
Here is a list of just some of the ways in which contact centres protect their data.
- Administering the network
- Making sure the network is patched
- Keeping antivirus software up to date
- Configuring systems
- Installing access controls
- Implementing physical security controls
- Logging and monitoring
- Running through security testing
All of these duties need to be assessed for potential vulnerabilities, in terms of people, process and systems. In each case, pay close attention to the data flow.
The more people, processes and systems connected to the data, the greater the number of potential attack surfaces the contact centre is exposed to. Try to minimize these. To do so, remember the four T’s…
Remember the Four T’s
As alluded to above, be sure to follow the data flow, analyse every possible opportunity for risk and remember the four T’s. Can the contact centre…?
Every contact centre is going to have its own risks. So, assess all possible attack surfaces, run risk scenarios, and if potential problems emerge, apply a solution to achieve one of the four T’s.
Risk scenarios will help to highlight insider risks, malware threats, ransomware threats, network connectivity issues, social engineering possibilities, accidental risks and theft dangers.
Being Compliant Doesn’t Mean You’re Safe
Treat the contact centre based on risk. Put customers first and think about the customer’s data journey. Are you happy with the risk?
If not, consider how to minimize that data journey. The more data points connected to people, processes and systems, the greater the risk.
Of course, follow the PCI and GDPR guidelines too, but it’s important to look beyond them and think about the risks associated with the individual contact centre.
For instance, PCI stipulates that the contact centre should lock down its operation to only those who are authorized to have access to it. Yet certain cleaners may have out-of-hours access to the contact centre, and they could theoretically attach a keylogger to an advisor’s desktop.
If there’s such a risk, contact centres should go beyond guidelines and issue a standard operating procedure. This will ensure that advisors check the back of their desktops at the start of their shifts for keyloggers and other clandestine devices.
Such an example shows the value of not only following the necessary guidelines but thinking like a fraudster and monitoring the environment to reduce possible attack surfaces. Even the simplest computer checks in the morning can keep fraudsters at bay.