Protecting customer data at contact centers

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec, the weekly podcast where industry thought leaders share their knowledge and experiences in order to help us all stay one step ahead of the bad guys. Today we're talking about contact centers. No matter how automated they become, industries like healthcare, insurance, and financial services require person to person contact with the outside world. Because contact centers process and store a host of personally identifiable information, PII, including payment card data and social security numbers, hackers are racing to exploit these information rich targets using both old and new attack techniques to breach and compromise consumers and organizations of all sizes.

Ben Rafferty, Chief Innovation Officer at Semafone is here to tell us how his company is currently providing expertise on the things organizations that require contact centers can do to better protect sensitive customer information from insider and external threats. Ben Rafferty is responsible for heading up product innovation at Semafone, advising on new product developments and new markets and technologies to facilitate customer compliance programs. Ben has been responsible for the deployment of Semafone's award winning solutions and for the overall management of the company's carrier cloud and cloud offering as well as gaining and maintaining Semafone's own PCI DSS compliant status and associated service provider listings.

Ben, thank you very much for being here today.

Ben Rafferty: Oh you're very welcome. That sounds far more impressive than I was expecting.

Chris: We like to roll out the red carpet here at CyberSpeak.

Ben: Thank you.

Chris: Let's start with the usual origin story. How did you first get started in cybersecurity? What interested you about the field?

Ben: Actually I didn't start in cybersecurity. I started in telephony, so I worked in speech recognition and I was doing speech recognition for hospitals in the UK, and [inaudible 00:01:53]. We had probably one of the biggest speech recognition platforms in Europe at the time, so big in fact, we were piping speech minutes under the ocean for the US and providing recognition. And what happened was we were doing everything fully automated and we get to the point of the transaction and we happen to use credit card data, to collect credit card data. And this legislation came in, or rather than legislation, this requirement from the card industry, the payment card industry for card data to be secure, called the DSS or the data security standards.

It meant I had to very quickly get to grips with ensuring the data secure and how it was handled and processed, and I came across Semafone as a startup. When I received a quote for my software, it was not insurmountable, it was quite a large number, but it was several times less than my actual overall program that needed to be run. And rather than run with the software, I applied for the job. Unfortunately for me, the chief exec team knew the chief exec where I was and knew he'd be upset if I left, and so he snapped me straight up.

So I had a cyber security background in learning what the basics of security standard was, and very quickly of course I found it to be fascinating, and I also kind of understood quite quickly from some of the background stuff that I'd done in InfoSec governance, I'd say this was in 2001 at the time, you really need to understand what data you're holding, why you're holding in the first place, what you're doing to protect it, how you're protecting it, where the keys out of the kingdom are, and so from there it really mushroomed out.

Chris: That's interesting. Basically you learned cybersecurity to solve one problem and then decided that was even more interesting than telephony.

Ben: That was it, absolutely. And everybody's got the same problem, everyone. I think the best thing that anyone can say at the moment is that they're not being breached at this time, probably. No one can really say that they're not under attack at any one time.

Chris: Yeah, there's no 100% certainty on that. So today's topic is specifically security issues with regards to contact centers. So as we drill deep into this, let's start with defining our terms. What do we mean when we say contact center? I mean you were talking about your background in Telephony stuff, is this just the phone number that connects the organization with the general public? Does include the customer database or is it more extensive than that?

Ben: Yeah, that's a good question. It is far more than the phone lines for a contact center. When you've got kind of 10 agents, 1,000 agents, 10,000 agents and you've got distributive load balanced software that is queuing calls and identifying the right kind of agent for the call, you've got the applications, the agency using the desktop environment, the network, they might have CCTV in there. A contact center is actually a very large undertaking because you've got real time contact with your customers there needs to be really high uptime availability, and unlike something like a website where you want people to self serve, you are typically in a context of dealing with the most complex transactions, issues, challenges in the customer journey.

So there's a lot of information coming to the fingertips of the agent, including PII. You've got highlighted dates of births and social security numbers in the US. I think the other points is that certainly whilst we've got payment security of any kind of industry, data security standards in place, there's also other legislation and other initiatives going on. So in the UK we've had chicken pin for more than 10 years in the US, you guys have out there, there's standards for the retail cause, there's point to point encryption standards out there now. This is all in the event that... Cyber criminals will always kind of focus on the path of least resistance. And as these historically weak channels become more and more secure, they're moving into the less secure areas or the more exploitable areas, like contact centers.

Chris: Hmm. So apart from the obvious ones like credit card numbers, what are some of the types of data that are being sought when attacking a contact center?

Ben: Sometimes it's data and sometimes it's access. We could probably roll off date of birth, social security numbers, driving license, policy IDs, premiums, bank accounts, the list would go on and on. But actually what we see, I don't know if you guys have come across phishing, so you have phishing over an email, voice phishing, and it's this social engineering attack whereby you might have a team of attacker finding your contact info, and this is really when you've got the contact center of 5,000, 10,000 agents.

What do you want to do is you want to make a series of incremental calls where you're just gaining a little bit of access each time or you're gleaning a piece of information or you've managed to get hold of the dates of birth and so you can reset a phone number and then you use the next one. Say, "Oh, would you send me a pin request to my new phone number?" But obviously each agent only sees one part of the problem. Then you have these incremental attacks very effectively undertake many thousands of agents to get access to control the account, let alone get ahold of the data on it.

Chris: So it's not necessarily like an out and out breach, they're playing a long game here. You're getting a little bit from here, a little bit from there, and so any sort of call center employees don't necessarily know that they've given another piece to the puzzle or something.

Ben: Yeah. I mean if we were talking about classical cybersecurity, we would talk about snowballing privileges. It's exactly that technique, but used over a series of phone calls.

Chris: So with so many types of potentially compromised types of PII and sensitive data in contact centers, what are some of the average types of security measures that organizations put in place to protect them? Obviously we're going to be talking about how it's not enough or the other things that could happen, but do most contact centers have any kind of security?

Ben: I see lots and lots of different... You usually attitude towards security in the contact center from the most kind of sincere approach to security where it's almost like an airport security. As you get in and there's locker rooms and CCTV, the contact center has no paper and pens, it's whiteboards and dry wipes. You can't use the printer without a pin code. You've got no access to social media, email, no mobile phones or personal communications.

So that's right at the kind of Fort Knox of, we can call it a white room type environment, all the way down to where they put security in thinking that they're doing the right thing, but for example, the one I talk about is we all know what dual factor authentication is when you log onto a machine. So you want to put dual factor authentication in for your agents, but in doing so, all you're doing is your security access to those systems to agents and if you've got 10,000 agents or you've got gig economy workers or people who are doing seasonal variation support, things like Black Friday, and have you done your background research or are you just giving dual factor authentication to someone who's going to compromise you?

Chris: Yeah. So are there other methods apart from social engineering and phishing, are there physical and technical methods that thieves and fraudsters are using to try and gain access to PII in contact centers?

Ben: Yeah, they will test typically the processes that are in place, they will try and escalate privileges, I think we covered that already. They will also try to... The technical attacks are far harder now where you can call the phone lines and tap out or tie in, or take a mirror of the call. So all of the standard attacks that you'd expect are in play, but also you've got this much larger social engineering attack where you're not just got individuals, but you've got the individual following a process and attacking that process at its weak points is also very, very fruitful as well.

Chris: Yeah. So with classical phishing, social engineering and stuff being such a sort of obvious point of entry and as you said, because contact centers tend to have high turnover or temporary employees, what are your recommendations in terms of like a security awareness strategy for contact centers to sort of keep them watching out for this kind of thing?

Ben: There's lots of things you should do. Everyone always leaps straight into training and I think that's very acting, and actually that's good if you're training what you deem to be a trustworthy agent or agent force. If you're providing training to someone who's going to compromise you anyway, then it's without value and probably you're teaching them how to circumvent your own escalation paths and processes. So I kind of say training, yes, it's a good thing to have and probably will reduce the accidental slippages and the accidental folk, and maybe test people's trustworthiness. I think that's a good thing to do when you've got people who you can trust and making sure that you can remove as much opportunity for mistakes as possible.

But if you've got fraudulent insider attacks or you've got, when you are for example, hiring for ethical hackers who are really quite a scarce resource out there, and certainly we are aware of kind of the too good to be true factor. If someone pitches up out of the blue with a perfect record, either they're right at the right price with the right skillset, we kind of have to make sure we're not allowing someone in with keys to the kingdom and make sure you got your background checks. Make sure not only have you done your background checks and your security checks, have you done a fraud check? Have you made sure that they haven't got too much money and you have to wonder where it came from, or have they got too little money and so many... We call it CCJ in the UK, who've got so many judgements against them that actually they could be working nefariously or could be a future threat for bribery.

So really do your background checks thoroughly, and I think the final thing that's really easy to do, and doesn't need software to do that, but if you have an agent and your agent is talking to your customer, your agent shouldn't have access to all customer data. They should have access to one customer's data at the point where it's relevant to do so and after a successful ID and V check, so not just ID getting them but verifying the ideas who that they say they are. And then only when the agent has been satisfied or the process satisfies access then the agent can then say that one customer record or data or the data point, whatever that's been interrupted. I think that's very simple, very straightforward, and isn't enforced enough in my opinion.

Chris: Yeah. I mean changing over to a system like that where you only have access to one a client account at a time, is that sort of an in a box kind of thing that you can implement or does that require several different people to-

Ben: I think this is a business systems thing. So this is probably something that banks have done for a long time where you have to make sure that you pass your customer ID and V check, but actually all you're doing is making sure that you block out your free for all access and just make sure that your business systems are set up to responding, that's all. I don't think you need to buy anything out of the box to do that, I think this is a simple business process thing that you make sure that you've verified that you have in place.

Chris: Okay. Yeah, just flipping the right switches. So what are some skills or techniques that lawful contact center employees could utilize to detect and stop insider threats? Like obviously you know the old phrase, if you see something say something, but what red flags should employees be looking for if you're like, "Boy, that guy sure seems to like his job or he sure likes to ask a lot of leading questions" or whatever. But is there... Because there's so much with insider threats, is there also sort of insider defense?

Ben: That's that's a great point. At Semafone we have a solution that is collecting credit card data using DTMF digits. When you get to the point of payment, the caller presses the key pad on their phone and the corresponding digits get passed through our system, but they're not on cyber [inaudible 00:15:50] just get the data from the contact center. The reason I talk about that is actually because what we're trying to do is prevent data being accessed by the agent. Even if you've got an insider threat, if you're not holding data or unnecessary data, and this has been true in certainly in the UK with GDPR, I'm certain it's going to become more prevalent in the US with the California Privacy Act which was enacted in 2020, you need to understand the data you've got.

You need to assess it from a threat level, what kind of risk are you exposing yourself by holding it, is it necessary to hold it, why haven't you tokenized if you don't need it, why don't you just change it into metadata if you don't care about the individual, you just care about the interaction? So the point I'd make is, and I probably make over and over again, you cannot hack what you can't hold. And this is where tokenization is a really key thing where you've got tokens for your PII, your data points, but actually it's useless if it's exposed or ripped off, and essentially you get into the cupboard and it's bare.

Chris: Yeah, I'm glad you brought that up. What are your thoughts on GDPR and or California's privacy law in terms of how contact centers are going to be run in the future? I assume it's going to be mostly sort of positive changes, but what are some of the issues that could come up as well?

Ben: Well firstly I think they're both fantastic and long overdue, and actually I reviewed the act and last year and I was really impressed by the standards of the act in California in particular had set, and I really liked some of the things that's coming there around juvenile data as well with the kind of data you can hold on minors. I think that's superb. What it's meant though, and certainly for GDPR in the UK, is that people have had to actually put a business plan in place to look at the data that they hold, give a good reason to hold it, remove it.

I think it's been fantastic for those people who've realized that they might have whole tranches of data that they don't need or don't use or could just simply wash with a de-anonymization tool, or an anonymization tool with a reverse capability. So they all talk about training the agents on what happens if there's a breach, where they clear escalation points are, so I think it should bring lots of robustness to contact centers and certainly people who not necessarily operate just in telephony, but the people who support business systems for the agents and all have to get themselves aligned and realize that the world has changed. People, consumers care deeply about how their data is handled and how it's mishandled.

Chris: Yeah. So I'm going back to sort of insider defense and stuff, we talked a little bit about sort of at the interpersonal level, but if you are like a newly hired CSO tech tasked with defending your contact center, what are some top-down policies you could implement to make it more secure?

Ben: So if I came in and it was a real mess, I mean the first thing that would be my data review. I would always start with a risk analysis from the data, and I think from a technology perspective, as a CSO, I would use something like the DREAD scoring system. For my technical estates I do... so I don't know if you know about DREAD scoring but you take your data points on what do you think is a vulnerability and you do discoverability, reproducibility, export ability, the access to get to it, and then the damage that it could cause, and you get a really good weighted score at the back end. So you can start to prioritize your technical estate.

Then I would look at the training plan and the agents themselves, when were the background checks covered, have any of them expired, are they worth doing, what's the churn, how do we handle seasonal data and seasonal trends, and how do we staff for them? I would empower the people within the contact center to workflow their own processes such that we've got the known escalation points and that we can very easily see the process from a 50,000 foot view and however it could be simplified so we're handling less data. So there's lots of things that you would do and I think that would probably take three to six months just to get that into place, depending on the aggression of the business and whether or not there've been a breach. The funding would allow me to do that faster or slower.

Chris: Okay. Have you seen any test cases of organizations who have revamped their security strategy to such an extent that the chances of having a data breach in this have now been minimized or brought to near zero?

Ben: Yeah, I mean you're more than welcome to go have a look at the Semafone website and we've got Amica on there, we've got a great case study of how they used our technology. We have seen some people, because risk is always about risk transferal, risk reduction, risk removal and you want to get some risk removal. And what we've found is because you're not holding data, we've actually seen some of our customers actually have a reduction in their cybersecurity policy because the risk has been entirely removed. Even if you're using a tokenization approach, you've got a reduction approach there because that tokenization still relates to the customer and you can do some things pretending to be a merchant with that data.

Chris: Right.

Ben: So-

Chris: Okay, go ahead.

Ben: No, go on.

Chris: No, I'm sorry, go ahead.

Ben: Yeah, so I think the other thing is whilst security is one aspect of this, the other is these are businesses and as they're businesses, they want to ensure that they've got a really good customer experience, a really good human customer journey, that it's frictionless. I'm sure everyone who's ever stood up in an eCom website still scratches their heads as to why they might have bailouts at checkout. Now is that down to it not being frictionless, is it down to additional billing for transport of goods or services, is it the wrong card types, is it because they didn't support one of the e-wallets that's being used?

Chris: Right.

Ben: So you need to finely balance the security posture without making your customer jump through too many hoops or changing the experience too much.

Chris: Well, that leads me to my next question here on the other end of the phone line, what are some things that savvy customers can do to ensure that their data is being used properly and not falling into use by imposters or-

Ben: Well, I can tell you, I mean I buy things occasionally over the phone and I now don't read my credit card data out and they say, "Oh that's okay, you can email it to me." Of course I'm not going to email it to you if I'm not going to read it out over the phone. I'm not going to email it to you.

Chris: This isn't 2001 anymore.

Ben: No, that's right. So consumers are generally more aware than they have been, like I don't read my card data out anymore. I don't read my card data out in public places, I wouldn't dream of doing that. I wouldn't dream of doing it with an enterprise now. So customers should be aware. I think the other thing is, I mean the big red flag for me is outbound dialing. So when you receive a call, there's absolutely no way I would provide my card data, ID and V or otherwise that I provide my card data to an outbound call. So there are some very simple things that can be done.

Chris: Okay. So what are some things that if you're looking at the website, you're sort of shopping around for a healthcare or insurance provider, can you go into sort of like their terms and conditions or their privacy policy or whatever, what should you be looking for in terms of payment processing or things like that? "We use this" or "we use that."

Ben: Yeah. So we have a patented solution and there are lots of people out there copying the intent without copying the process, which is very flattering for us. This mechanism of transferring to an IVR or a robo call to collect card data, even things like that, which are terrible journeys start to show the consumers that people are starting to take it seriously. A real time DCMS solution like Semafone really kind of puts the icing on the cake for me where you can see that the enterprise or business that you're working with, finance, healthcare, really has thought about they don't want this data in their contact center. They really don't want to be handling cart data unnecessarily. They're going to pass it to somebody who's vetted securely by third parties and they want the results of the transactions and they want the money, but they don't want the data.

I think that's really, really important. I think the big problem where you're reading cardholder data out isn't necessarily where's the agent, it's the call recorders of the backend. Most people would expect you to read out a credit card number and then the short code on the back, the CVV or the four digit on the front of an Amex, and the data centers really clear, it says you shouldn't be collecting that. There's absolutely no reason why you should collect that. However, if you've got call recording, then you tend to record them accidentally or inadvertently and now you've got full card data and you can do all sorts of wonderful things once you've got the full cart data.

Lots of people put in place kind of stop gap solutions to prevent that, things called pause and resume, or stop start call recording. The agent will trigger a field to notify the call recorder to stop, collect the cardholder data, and start it again. But if you think about the amount of data that you might collect in call, you could end up with multiple holes in your call recording and then you've got no evidence to prove that you have or haven't miss-sold something to the customer at a later point. You turn up to court with a call recording like that, it's going to end badly for you. So yeah, it's a real, real challenge and there's some stopgap solutions that people are putting in place thinking they're doing the thing and just creating other problems for themselves.

Chris: Okay. So let's sort of tie everything up and put a big bow on top. So what in your mind is the ideal combination of sort of privacy regulation, software, hardware modification, social behavioral changes that would reduce contact center fraud to near zero?

Ben: Obviously I'm going to talk about DTMF, I believe in and I think that's a great solution to have in place. If you're preventing contact centers from collecting data in the first place, then actually you're solving everything upstream. The example I give quite regularly is work at home agents, there's a really big drive for enterprises with large contact centers and even small contact centers with unsociable hours to host agents at home, and the airport security that I talked about at the beginning, you've absolutely got no hope of trying to implement that at a thousand people's houses. Even trying to put CCTV in, even if you've put a kind of thin line on the desktop and secured the hard line, there's still someone that you've given full access to those systems to that place.

So with these work at home agents, do you really want to be piping secure data to them? The challenge is as real as it is in an unsecured context center that that enterprise will house. So using something like a DTMF solution will be really, really pretty valuable. I think the second point is we also talked about the screens and the phones and the contact center agent and the network. The other point is if you aren't popping all of this really expensive to lose for your brand equity, your business reputation into your applications, which are then attacked from a cyber criminal or even with these Trojan viruses that are encrypting them with crypto log and expecting bitcoins to decrypt them, you're not handling that data at a business systems level as well.

So I think with the kind of three things, the social, the physical, and the technological parameters at play, a solution that focuses on all three is this what you really should be looking for.

Chris: Okay. So to close things up it sounds like you have a very good solution for sort of present day issues, but do you see any other sort of security issues on the horizon, 2020 and beyond that will require different solutions? We're always sort of a couple of steps behind hackers and hopefully eventually hope to be at pace with them, but where do you see these issues going in the future?

Ben: I mean what you're asking is what's my job really here. I could spend an hour talking about this, I'll do my best to summarize. Absolutely, yes, the challenge is changing and people are pushing security perimeter back to people and back to people's own devices. I think internet of things is going to cause some big challenges and until we have a general standard for hardware security modules on IOT devices, I think that the payments are going to be late coming to those devices until you're ready for your fridge to buy you your milk. So I think there's huge amounts of change in the marketplace. I think Bitcoin's got a huge... it's coming off the hype cycle and it's started to have real world applications and they're starting to come to fruition now.

The challenge that we have is that every time we add a payment type or payment process to the mix, we're not taking one away. So cash is going, we obviously still have cash crimes. Check hasn't been rescinded or deprecated and you still have check fraud. Credit card data is still going to be flying around as is. And people want to pay however they want to pay them, and honestly, businesses will take their money however they can take them and they want to take them security. So that's kind of in a nutshell a start to answer that question.

Chris: So as we wrap up here, tell us about Semafone's products and solutions. You've talked a little bit about it for reducing contact center data breaches and if listeners want to learn more about Semafone, where can they go?

Ben: By all means, hop onto Semafone.com-

Chris: That's S-E-M-A-F-O-N-E.com.

Ben: That's correct. And we've got some YouTube videos as well and some videos on there. I think the easiest way to explain it is you want to buy a policy if you're in insurance or healthcare and your customer says, "I spent 40 minutes with you," detailing four or five of their family members that they want coverage for, and at the end of the call historically the agent would say, "Can you read out your credit card number?" And so they do. So at that point the agent could be writing it down, there could be someone wiretapping, someone could be scraping the call recording, and the business system could be attacked, the business network could be attacked, there could be a microphone attached to the headset.

The attacks just go on and on and on. So our solution, we sit either in the network, or on premises or with your carrier, we've lots and lots of different solutions. At the point of transaction, the agent triggers a secure mode and we stopped passing cardholder digits down the lines. So when we ask them to type them in, we actually collect those up and we interact with your bank on your behalf or we transact on behalf of you to a tokenization hub for repeat payments, this kind of really, really neat Uber experience. We pass those either back to the bank or we pass them back to the business if they need to do clever things with repeat payments, and the contact center agent doesn't see it, they don't hear it, the business systems don't touch it, it's not in their databases.

We do all that across the contact center and then of course the contact center will have other ways to transact as well, so there'll be web chat solutions and face to face billing, paper billing. So we cover all of those with a variety of techniques.

Chris: All right, well Ben Rafferty, thank you very much for joining us today.

Ben: Very nice to speak to you. Thanks Chris.

Chris: Thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in CyberSpeak with InfoSec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search CyberSpeak with InfoSec at your favorite podcast catcher. To see the current promotional offers available for podcast listeners and to learn more about our InfoSec Pro live bootcamps, InfoSec skills on demand training library, and InfoSec IQ security awareness and training programs, go to www.InfoSecinstitute.com/podcast or click the link in the description below.

Thanks once again to Ben Rafferty and thank you all for watching and listening. We'll speak to you next week.