Many organisations live and die by their ability to keep customer data safe, which is why billions of pounds a year are spent on doing just that. However, a chain is only as strong as its weakest link, and for many organisations the humble contact centre is an often-overlooked vulnerability that can end up being their downfall.
Its chaotic environment, high staff turnover and often lax security practices mean that data loss, whether through criminal activity or simple carelessness, can become a significant issue if ignored.
We spoke to Matthew Bryars, CEO of Aeriandi, to analyse the threat of insider fraud and find out what contact centres can do to minimise risk.
Why are contact centres particularly at risk?
One of the main reasons is the close proximity between sensitive payment data and contact centre agents operating in a chaotic environment that often suffers from lax security measures. It can be a recipe for disaster. Furthermore, it’s made worse by the growing threat coming from organised criminal gangs looking to capitalise on this vulnerability in a variety of different ways.
As the threat landscape changes, contact centres are increasingly becoming prime targets for credit card fraudsters because of the high volume of Card Not Present transactions that take place daily. CNP transactions refer to payments made online, by telephone or by mail order. Thanks to regulation and security advances such as 3-D Secure, online payment security has vastly improved, leaving telephone and mail order payments an increasingly attractive target.
What makes Card Not Present (CNP) payments more difficult to secure?
The trouble with these payments is that it is very hard to implement second layer authentication, such as Chip and PIN, and so prove the cardholder really has authorised the payment. When firms review their CNP transaction safety in the context of the contact centre, it’s important to take into account threats coming from outside and within, digital or physical, covert or brazen. Usually, it’s a mixture.
The threats from within the organisation in particular are a major concern. Not only do insiders already have access to much of the sensitive information needed to commit fraud, but they are vulnerable to coercion from criminal gangs looking to get their hands on this information. Insider threats can be both willing and unwilling participants, but the threat they pose is equally concerning.
Can you share some examples of security threats created by the contact centre ‘insiders’?
In my line of work, I have witnessed some classic security blunders. For example, correctly disposing of payment details should be obvious. And yet one security auditor at QSA CIPHER (an independent security auditor and Quality Security Assessor) was proudly told that the contact centre’s business continuity procedure was to jot down payment card details lest the IT systems crash mid-transaction.
If for whatever reason these payments failed, the details would be thrown into the bin, totally intact. The auditor was then shown an unlocked office in which the successful payment details were kept, in bundles secured by bulldog clips to keep them ‘safe’.
Another example is where CIPHER was asked to investigate suspicious activity for a bank that had noticed unauthorised use of credit cards taking place. It was able to track the problem back to a contact centre employee who was entering the building outside of their normal shift pattern and using a colleague’s computer to access customer card details. It was later revealed that the employee in question was part of an organised crime gang, which had compromised over 15,000 credit cards in this manner.
What can be done?
Just as important as physical security is IT security, which also requires careful planning. Here, too, basic procedures are often lacking. Still we find networks are not consistently segmented. Still we find payment details being entered manually into payment systems. Still we find inadequate access controls governing what information agents can see.
The latest update to the PCI DSS standards came out in April this year and by following this, firms will go a long way to achieving good practice. However, compliance with PCI DSS or other information security standards does not necessarily guarantee cardholder information will be safe.
Call centre workers can be vulnerable to coercion from fraudsters looking to get hold of this information, or they can willingly participate in the crime – the threat posed is equally concerning. The best way to protect cardholder information is to make sure it never enters the contact centre environment in the first place. After all, criminals can’t steal what isn’t there.
Is it possible to keep cardholder information outside the contact centre environment?
Separating out the transaction is possible with solutions such as Dual Tone Multi Frequency (DTMF), a secure phone payment processing system. With DTMF payment technology, the customer enters the card details into the telephone keypad instead of reading them out loud to the agent. These tones are then captured before they enter the contact centre, so the contact centre agent never comes into contact with the information. On the agent’s screen, asterisks appear instead of numbers as the customer enters the details, and he/she receives confirmation once the payment is successfully processed.
This system achieves a number of goals. Improved security means peace of mind for the customer, it removes temptation from a petty or opportunistic criminal and it protects call centre agents from coercion by serious criminals.
Contact centres can go further still: any manual records and/or legacy call recordings should be destroyed wherever possible, or kept securely stored off-site with an accredited service provider if it is necessary to keep them for compliance reasons.
Ultimately, contact centres have a duty of care towards customers and staff. Protecting customer data and employees from fraudulent activity requires immediate action to review the processes and technologies currently in place. The most effective way to minimise the threat of insider fraud is to stop payment data from ever entering the contact centre.
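To make the separation described above concrete, here is an added example (editor's illustration, not code from Aeriandi or from the interviewee) of the capture layer that sits between the telephony leg and the agent desktop. It consumes keypad tones, forwards only a masked view to the agent screen and a suppressed stream to the call recorder, validates the card number with the Luhn check, and hands the real PAN to nothing but the payment-gateway leg, represented here by a hypothetical `processor_pan` field and an HMAC-derived reference token. The key handling (`*` clears a mistyped entry, `#` submits), the token format and the `contains_pan` leak check are assumptions for this example, not features of any particular product.

```python
"""Simulated DTMF capture layer keeping the PAN out of the contact centre.

Added example: models the architecture described in the interview. Every
name here (capture_card_number, CaptureResult, contains_pan) is hypothetical.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

DIGITS = set("0123456789")
# Runs of 13-19 digits not embedded in a longer digit run: PAN candidates.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """Leak check: does this text carry a Luhn-valid card number?"""
    return any(luhn_valid(m.group()) for m in PAN_RE.finditer(text))


@dataclass
class CaptureResult:
    agent_display: str          # what the agent screen shows
    recording_stream: str       # what the call recorder receives
    processor_pan: Optional[str]  # only the payment gateway leg gets this
    token: Optional[str]        # opaque reference stored against the order
    error: Optional[str] = None


def capture_card_number(tones: str, secret: bytes) -> CaptureResult:
    """Consume DTMF key presses: digits accumulate, '*' clears, '#' submits.

    The agent view and the recording stream are built tone by tone so that
    neither ever holds a digit; the real digits live only in `buf`.
    """
    buf, agent, recording = [], [], []
    submitted = False
    for t in tones:
        if t in DIGITS:
            buf.append(t)
            agent.append("*")           # mask on the agent desktop
            recording.append("_")       # tone suppressed before the recorder
        elif t == "*":                  # customer clears a mistyped entry
            buf.clear()
            agent.clear()
            recording.append("_")
        elif t == "#":
            submitted = True
            break
        else:
            return CaptureResult("".join(agent), "".join(recording), None, None,
                                 "unexpected tone %r" % t)
    if not submitted:
        return CaptureResult("".join(agent), "".join(recording), None, None,
                             "entry not submitted")
    pan = "".join(buf)
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        return CaptureResult("".join(agent), "".join(recording), None, None,
                             "invalid card number")
    # After submission the agent sees the usual masked form with the last four
    # digits, enough to confirm the card with the customer, never the full PAN.
    masked = "*" * (len(pan) - 4) + pan[-4:]
    # Keyed reference for the order record; a real deployment would use the
    # gateway's tokenisation service rather than a local HMAC.
    token = hmac.new(secret, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return CaptureResult(masked, "".join(recording), pan, token)


if __name__ == "__main__":
    # Constructed input: a well-known Luhn-valid test number, typed after a
    # mistyped prefix that the customer clears with '*'.
    result = capture_card_number("41*4111111111111111#", b"example-key")
    print("agent sees   :", result.agent_display)
    print("recorder gets:", result.recording_stream)
    print("agent leak?  :", contains_pan(result.agent_display))
```

The point a practitioner should take from the simulation is the direction of data flow: the digit buffer exists only inside the capture layer, and the two streams that reach the contact centre (agent screen, recording) are generated from events rather than from the digits, so `contains_pan` has nothing to find even if those streams are logged or exported. The same check is worth running over real agent-desktop logs and recording transcripts when auditing a deployment.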
What last words of advice would you give?
Don’t be left counting the cost. The costs of internal fraud can be extremely high – aside from the sanctions and financial penalties imposed by regulators, often it is the associated reputational damage that organisations never recover from.
The irony is that organisations need not take any risk at all with payment card data. Secure phone payment solutions can completely eliminate the need for this information to enter the contact centre environment at all, making them a far less appealing target for criminals and removing the associated risks to the organisation.
Image Credit: Gustavo Frazao / Shutterstock