Fight Social Engineering of Call Center Agents

Make Your Priceless Data Completely Worthless to Combat Fraudsters

By Ben Rafferty

When a new wall goes up, criminals will always search for a door in or a way around. It’s in their nature, and it’s ultimately what fuels them. We are witnessing this transition in the cybersecurity space today.

Companies are investing more in defending their security perimeters and are using daily penetration testing to identify and remedy holes a hacker could potentially exploit. According to the SANS Institute, about 9 percent of IT budgets have been allocated to security in 2016, up from 4 percent in 2014. So-called next-generation endpoint products will surge to a predicted level of nearly $4 billion by 2020. Cyber criminals are watching a substantial wall being built between them and their targets. The skill set required to obtain the same valuable information is increasing and ever-changing. Or is it? Some direct methods criminals used in the past will no longer be available to them, but unfortunately there’s always another way.

Security involves people and processes in addition to technology. The most logical weakness is the human component – you and me. Hackers caught on to this years ago, and we’ve become incredibly familiar with weak spots that result in “social engineering” attacks, which often involve tricking people into breaking normal security procedures. Phishing emails hit our inboxes daily, trying to convince us to approve wire transfers from our “boss,” or click a link to “save” our sick Aunt Nancy, potentially installing malware, or more recently, ransomware.

What to Watch Out For: Digital disruption in the financial industry has led to a rise in third-party payment systems. The Amazon Store Card, Apple Pay, and Google Wallet are just a few examples. And with them, we’re far less likely to actually use our credit and debit cards at the point-of-sale. In fact, our physical use of cards is arguably becoming obsolete.

This trend isn’t going anywhere, and because of it we will continue to deliver more of our personal and account information over the phone, email, and Internet to banks and retailers without thinking twice. But when this information reaches the contact centers that facilitate these interactions, it can be a goldmine for fraudsters and criminals – especially with the rise of massive data breaches exposing huge amounts of personally identifiable information (PII).

Most organizations don’t have the time to carefully vet every phone and digital interaction in order to ensure they are not being socially engineered. If a caller provides accurate information, it’s often all he or she needs to pass through the gates. And we’re not just talking about one crafty individual pretending to be someone else; criminal groups have systematized these intelligent attacks.

One year ago this seemingly simple tactic wounded one of the tech industry’s biggest players, Apple. A flurry of fraudsters took advantage of the Apple Pay authentication process by convincing contact center employees to activate Apple Pay accounts with stolen credit card information. The actual Apple Pay activation was then initiated between Apple and the bank, and Apple gave the bank stolen credit card information to open the account, including the details relating to their iCloud.

Vishing or “voice phishing” calls involve a series of phone calls to a contact center, each one taking minor actions to slowly gain incremental access to an account or turn off alerts by warning of an impending “trip out of town.” Essentially, in two or three phone calls, criminals are able to escalate privileges into user accounts and commit fraud. In this particular instance, fraudsters loaded iPhones with stolen, card-not-present card information and turned that data into physical cards via Apple Pay. This type of attack is very difficult to identify and defend against because one contact center might have thousands of agents, and it’s highly unlikely an attacker would reach the same agent twice.

How to Stop It: Social engineering in the contact center environment is something US organizations have to address, and fast. But unfortunately things are likely to get harder before they get easier.

A US-wide move to chip-card technology has the potential to grow the threat of these attacks. While the transition is intended to help reduce overall fraud rates – its introduction in the UK reduced card-present fraud by 32.5 percent in seven years – in reality it is more likely to simply shift the ways fraud occurs. Fraud that leverages a contact center environment is likely to be exactly where most new fraud attempts will occur, a trend already seen in the UK, according to the UK Payments Administration.

Humans have always been, and always will be, the weakest link in the security chain. As more and more cyber criminals target contact centers, contact centers must do everything they can to make sure criminals are not able to socially engineer their employees.

The most effective means of stopping this – and many other types of fraud – is to ensure that even if the human element is misled, other measures are in place to prevent the looting of payment cards and personal information. Many would agree that an effective means of protecting against social engineering is to simply leave the data in some format unusable by the criminals.

For example, tokenization can be used to replace sensitive data with a unique and meaningless equivalent (known as a token) that has no exploitable value. This token is then stored by a tokenization system and acts as an empty stand-in and director for the sensitive information. Many organizations use this to increase the security of critical data and keep it out of the reach of cyber criminals.
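The tokenization flow described above, sketched as an added example that is not from the article or from any vendor's product: the contact center record holds only a token, so an agent who is talked into reading it out discloses nothing a fraudster can spend. The class, function and role names are hypothetical, the card number is a standard test value, and the in-memory store stands in for a hardened vault.

```python
import secrets


class TokenVault:
    """Constructed, in-memory stand-in for a tokenization system."""

    def __init__(self):
        self._pan_by_token = {}   # a real vault would encrypt this store
        self._token_by_pan = {}

    @staticmethod
    def _luhn_ok(pan):
        # Luhn checksum: rejects mistyped numbers before they are vaulted.
        digits = [int(d) for d in reversed(pan)]
        doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
        return (sum(digits[0::2]) + doubled) % 10 == 0

    def tokenize(self, pan):
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self._luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:          # same card, same token
            return self._token_by_pan[pan]
        # Random token: no mathematical link to the card number. The last
        # four digits are kept only so agents can confirm the card by voice.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token, caller_role):
        # Hypothetical role name: only the payment back end may reverse a token.
        if caller_role != "payment_processor":
            raise PermissionError(f"{caller_role} may not detokenize")
        return self._pan_by_token[token]


def agent_record(vault, customer, pan):
    """What the contact center stores and an agent can read out."""
    return {"customer": customer, "card": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = agent_record(vault, "A. Customer", "4111 1111 1111 1111")  # test PAN
    print(record)
    try:
        vault.detokenize(record["card"], "agent")
    except PermissionError as exc:
        print("blocked:", exc)
```
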

Technologies will improve, but humans will always be duped. Acknowledging and preparing for that eventuality is the only true way we can combat social engineering.

Ben Rafferty is the global solutions director at Semafone.
