Watching (and Preventing) the Hidden Crimes

TMCnet News  |  August 01, 2011

This article originally appeared in the August 2011 issue of Customer Interaction Solutions

The criminal and security threats that are the most worrisome are not the ones carried out with guns and explosives to get at bank vaults or cash drawers but hidden, over IT networks, to access databases containing customer information and to disrupt communications. There have been, as examples, high profile data breaches at well-known companies such as Citibank, direct marketer Epsilon (which has a large client list of household names) and Sony.

Contact centers are at risk from these crimes because they handle sensitive or protected data such as consumer information, financial and legal data, and patient and student information, reports Adam Boone, vice president of marketing and product management at Sipera. The cost of such “incidents” is high. He points to an Aberdeen Group study which found that a single breach of such protected information could easily exceed $1 million in liability.

Dennis Usle, senior network engineer for Evolve IP, points out that contact centers should be concerned about three key IT-based or IT-launched threats: availability, phishing and other “social engineering” attacks, and insider theft. On availability, contact centers can be knocked offline by distributed denial of service (DDoS) attacks, as well as by disasters and pandemics.

“Contact centers are the front line and interact with more external and internal customers than any other aspect of the business,” explains Usle. 

Contact Center Risks and Responses

There is some good news, reports Matthew Storm, NICE director of innovation and solutions. Enterprises are aware of the dangers and have been limiting the opportunities for fraud and ID theft. In most contact centers, the computers and equipment, while valuable, do not hold or store actual customer data. Also, HIPAA, PCI (Payment Card Industry), SAS70 and Sarbanes-Oxley-compliant call recording technologies, screen wipes and encrypted data, coupled with call monitoring and fraud pattern analysis, protect customers’ data at the contact center level. Storm recommends fusing voice recordings, video and captured screens with multimedia incident information from security and IT sub-systems to quickly detect any criminal activity.

With the aforementioned standards, their compliant tools and monitoring tools in place, contact centers are in a good position on security issues, says Storm. Even with mobile and remote contact center staff, tools on agent desktops ensure that information is limited and is provided on an as-needed basis. There are mechanisms such as remote monitoring and quick-disable to prevent fraud.

“The criminals are getting smarter, but organizations are also getting much more proactive in handling outside and inside threats,” explains Storm. “Organizations are getting more aggressive with the time-to-response and generally have zero tolerance for using customer information beyond the interaction at hand.”

Contact centers have been employing other measures to limit threats from inside. Among them are deploying network (“dumb”) or storageless PCs, or buying PCs without external drives, and installing lock-fitted workstations to prevent physical access to computers (see “Dressing (The Contact Center) For Success” this issue).

To limit risk, contact centers need to carefully screen applicants. Contact centers have high staff attrition and a replacement rate that Craig Wilson, director of Strategic Communications Consulting, says challenges HR’s capability to screen candidates for past suspect behavior.

Contact centers use security background checks and repeat them periodically throughout employees’ tenure, says Usle. These include alcohol, drug, criminal and credit checks, and personal and professional references.

There are legal limits on employment credit checks, though. For example, Oregon’s Job Applicant Fairness Act prohibits employers from obtaining and considering an applicant’s credit history when making hiring decisions. It has a few exceptions, such as for federally-insured banks and credit unions, for public safety, where these checks are required by law, and where employers can demonstrate that credit information is substantially job-related.

There are also security risks from visitors. Wilson recommends having all visitor interactions with agents supervised, and instructing agents on what it is legitimate for a visitor to ask to see and how to control visitor access to their desktops.

The threats from inside centers are different from those from outside, such as hacking, reports Wilson. Agents typically have access to customer information on a record-by-record basis rather than to whole files, so if there is theft it is typically the theft of individual customers’ data. For instance, there is a risk of an agent using a camera-fitted cellphone to record illicitly obtained information.

“The risk is increased because of the number of agents in a center,” explains Wilson. “There is a much greater potential to find individuals who are willing to consider smaller customer-by-customer infringements but infringements nonetheless.”

To combat this, he recommends that contact centers tightly engineer their interaction and transaction processes and take advantage of quality monitoring, recording and reporting tools. Doing so permits supervisors to flag agent behaviors that are inconsistent with the peer group, such as a higher ratio of transactions per contact than any of their peers.
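The peer comparison Wilson describes (flagging an agent whose transactions-per-contact ratio is out of line with everyone else’s) can be run directly over interaction records. The following is an added example, not code from the article or from any vendor named in it. It assumes a simple constructed log where each line records one customer contact, the agent who handled it and how many account transactions were performed during that contact; the agent names and the log format are illustrative. It goes slightly beyond the article’s "higher than any peer" wording by scoring each agent against the peer median with a robust (median absolute deviation) scale, so that one extreme agent cannot hide themselves by dragging the average up.

```python
"""Flag agents whose transactions-per-contact ratio is out of line with peers.

Added example (not from the article or any vendor it names). Assumes a
constructed interaction log: contact_id,agent_id,transactions_in_contact.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log for illustration (agent_d is the deliberate outlier).
SAMPLE_LOG = """\
c1001,agent_a,1
c1002,agent_a,2
c1003,agent_a,1
c1004,agent_b,1
c1005,agent_b,1
c1006,agent_b,2
c1007,agent_c,1
c1008,agent_c,1
c1009,agent_c,1
c1010,agent_d,4
c1011,agent_d,5
c1012,agent_d,4
"""


def parse_log(text):
    """Return {agent: [transactions per contact, ...]}, skipping malformed lines."""
    per_agent = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue  # malformed record: skip rather than abort the whole report
        _contact_id, agent, txns = parts
        try:
            per_agent[agent].append(int(txns))
        except ValueError:
            continue
    return dict(per_agent)


def ratio_per_agent(per_agent, min_contacts=3):
    """Transactions-per-contact ratio for each agent with enough contacts to judge."""
    return {
        agent: sum(txns) / len(txns)
        for agent, txns in per_agent.items()
        if len(txns) >= min_contacts
    }


def flag_outliers(ratios, threshold=3.0):
    """Return {agent: score} for agents whose ratio sits far above the peer median.

    The score is (ratio - median) / MAD, where MAD is the median absolute
    deviation of all ratios. Only an unusually HIGH ratio is flagged: a low
    ratio is not the behaviour the supervisor is looking for here.
    """
    if len(ratios) < 3:
        return {}  # too few peers to define "normal"
    values = list(ratios.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Near-identical peers: use a fraction of the median as the scale so a
        # lone deviant is still measurable instead of dividing by zero.
        mad = 0.1 * med if med else 1.0
    flagged = {}
    for agent, ratio in ratios.items():
        score = (ratio - med) / mad
        if score > threshold:
            flagged[agent] = round(score, 2)
    return flagged


def report(log_text):
    """Convenience wrapper: parse, compute ratios, flag outliers."""
    return flag_outliers(ratio_per_agent(parse_log(log_text)))


if __name__ == "__main__":
    for agent, score in report(SAMPLE_LOG).items():
        print(f"review {agent}: transactions/contact {score}x MAD above peer median")
```

The minimum-contacts guard matters in practice: an agent with a single contact that happened to involve several transactions would otherwise top the list every day. Tune the threshold and the review window to the center’s normal transaction mix before acting on the output, and treat a flag as a prompt to pull the recording and screen capture for those contacts, not as a finding in itself.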

A process-based approach can also provide for customer confirmation or feedback. If a customer calls their travel services provider to book a flight, a confirmation of that booking can be sent to the customer’s e-mail independent of the agent’s behavior. If system-generated, an agent cannot prevent that confirmation from occurring.

“Highly structured processes make it difficult to hide non-authorized activities and provide the ability to flag them in real time,” explains Wilson. “Reporting and monitoring tools augment the ability to identify anomalies by providing rich interfaces to data that permit drill-down to the single transaction level.”

Similar approaches and solutions have answered corporate concerns about security threats from home-based agents.

“The notion that home-based agents represent a greater threat to security than office-based agents is a red herring that has been around since the concept of a virtual employee was first developed,” Wilson points out. “There is, to my knowledge, no case of a home-based agent violating corporate where the presence in the home was a significant factor in the contravention of company policies or regulations.”

Authentication and Verification

Deceit has long been in the criminals’ bag of tricks, and they apply it to gain access to data by misrepresenting themselves as legitimate customers. Preventing that requires authenticating and verifying those who contact the organization.

The common standard is two-factor authentication. Wikipedia defines this as requiring “the presentation of two different kinds of evidence that someone is who they say they are.”

Typical automated authentication and verification procedures are almost exclusively focused on passwords or PINs, explains Chuck Buffum, vice president of authentication solutions at Nuance Communications. Agent authentication typically uses specific knowledge questions such as mother’s maiden name, a dog’s name or zip code, which provides multiple instances of knowledge verification but not two-factor authentication: every answer is the same kind of evidence, something the caller knows.

Both methods by themselves are vulnerable and inconvenient. Individuals can and do forget passwords, requiring cumbersome password reset procedures. Moreover, there are sophisticated online programs used by criminals to “guess” passwords and PINs.

“There is significant vulnerability with specific knowledge especially among friends and family,” Buffum points out. “One’s offspring knows the answers to those security questions and can easily access sensitive account information or execute valuable transactions.”

Nuance recommends deploying voice prints using voice biometrics. This method is based on the unique characteristics of individuals’ voices, which remain identifiable even when their speech changes on account of fatigue or excitability, or when they change accents.

Customers who first call in or register are asked detailed questions to prove their identity. The system then captures the voice prints by asking them to speak a passphrase three times. Once done, they are asked to confirm; the voice biometric software then matches the recorded voice with the one just spoken. When customers next contact an organization, the system then checks the voice against the print before granting access to information or directing them to an agent.

Nuance states that this system is much more secure, reliable and faster than passwords/PINs or specific knowledge alone. It provides higher security two-factor authentication – the voice ID and the knowledge answers.

“The voice print allows you to make a single statement, a customer’s account number or phone number,” says Buffum. “Speech recognition defines who you claim to be through the audio and the voice is filtered through biometrics to provide the first factor of authentication. Then a knowledge question can be asked and answered. In just two interactions you have a two-factor authentication.”

The one weakness with voice biometrics is that it is, by definition, not available for non-voice interactions, Avaya’s Wilson points out, and those interactions are becoming significant contributors to contact center traffic.

He recommends considering cross-channel/cross-modal verification, especially for critical and high-value interactions and where confirmation is required by law. In this process, the transaction confirmation request must be answered through a different device or channel than the one used to initiate the transaction. Wilson says that this method provides very cost-effective access control.

Let’s say a customer calls their investment firm to execute a stock trade worth over $10,000. They authenticate themselves via a password or PIN, but because the company’s policy requires notification for such high amounts, the system initiates an outbound e-mail to the customer at the address on file.

“The agent advises the customer on the phone call that in order to complete the transaction, they must reply to the e-mail,” says Wilson. “They do not have to input any data, just reply as received.”
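The cross-channel confirmation Wilson describes, and the system-generated booking confirmation mentioned earlier, can be modelled as a small state machine: a high-value request arriving over one channel is parked, a confirmation message carrying a secret token goes out automatically to the contact address on file, and the transaction executes only when that token comes back over a different channel, within a time limit, exactly once. The following is an added example, not code from the article, from Avaya or from any vendor it names. The $10,000 threshold and the phone/e-mail channels follow the article’s scenario; the token format, the 15-minute expiry and the in-memory “outbox” standing in for the mail system are this example’s own constructed choices.

```python
"""Out-of-band (cross-channel) confirmation of high-value transactions.

Added example; not code from the article or any vendor it names. Constructed
assumptions: requests over CONFIRMATION_THRESHOLD are parked until the customer
echoes back a token that was sent, system-generated, to the address on file,
and the echo must arrive over a channel other than the one that made the request.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CONFIRMATION_THRESHOLD = 10_000  # policy from the scenario: trades above this need confirmation
TOKEN_TTL_SECONDS = 15 * 60      # constructed expiry for the confirmation token


@dataclass
class PendingTransaction:
    tx_id: str
    customer: str
    amount: float
    initiated_via: str   # channel the customer used to request it (e.g. "phone")
    token: str           # secret included in the out-of-band message
    created: float
    state: str = "pending"   # pending -> executed / rejected


class TransactionDesk:
    def __init__(self, contact_email, now=time.time):
        self.contact_email = contact_email  # {customer: e-mail address on file}
        self.now = now                      # injectable clock so expiry is testable
        self.pending = {}
        self.outbox = []    # stands in for the mail system; records what was sent
        self.executed = []

    def initiate(self, customer, amount, channel):
        """Agent-side request. Below the threshold it executes; above, it is parked."""
        tx_id = f"tx-{secrets.token_hex(4)}"
        if amount <= CONFIRMATION_THRESHOLD:
            self.executed.append((tx_id, customer, amount))
            return tx_id, "executed"
        token = secrets.token_urlsafe(16)
        tx = PendingTransaction(tx_id, customer, amount, channel, token, self.now())
        self.pending[tx_id] = tx
        # System-generated and addressed from the record on file: the agent
        # neither chooses the destination nor can suppress the message.
        self.outbox.append({"to": self.contact_email[customer], "tx_id": tx_id, "token": token})
        return tx_id, "awaiting_confirmation"

    def confirm(self, tx_id, presented_token, channel):
        """Customer-side reply. Executes only if channel differs and token matches."""
        tx = self.pending.get(tx_id)
        if tx is None or tx.state != "pending":
            return "unknown_or_closed"        # replay of a used token lands here
        if self.now() - tx.created > TOKEN_TTL_SECONDS:
            tx.state = "rejected"
            return "expired"
        if channel == tx.initiated_via:
            # Whoever is on the originating channel must not be able to confirm
            # their own request; that is the whole point of the second channel.
            return "same_channel_refused"
        if not hmac.compare_digest(presented_token, tx.token):
            return "bad_token"
        tx.state = "executed"
        self.executed.append((tx.tx_id, tx.customer, tx.amount))
        return "executed"


if __name__ == "__main__":
    desk = TransactionDesk({"alice": "alice@example.invalid"})
    tx_id, status = desk.initiate("alice", 12_000, "phone")
    print(tx_id, status)                                   # awaiting_confirmation
    token = desk.outbox[-1]["token"]                       # what the e-mail carried
    print(desk.confirm(tx_id, token, "phone"))             # same_channel_refused
    print(desk.confirm(tx_id, token, "email"))             # executed
```

Two details carry the security weight. The channel check runs before the token check, so a caller who has already passed the phone-side PIN cannot turn the same call into the confirmation. And the token is compared with `hmac.compare_digest` and invalidated on first use, so the reply the customer sends “as received” works exactly once and a captured copy is worthless afterwards.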

Edited by Stefania Viscusi