The insider threat is becoming ever more prevalent. Matthew Bryars, CEO of Aeriandi discusses what businesses can do to protect themselves from this growing security issue.
As security technology becomes increasingly advanced, many payment channels are more secure than ever. While this is great news for shoppers, unfortunately it means that criminals and fraudsters are increasingly turning to the small number of less secure avenues that remain.
The customer contact centre is one such avenue, where high volumes of daily Card Not Present (CNP) transactions, coupled with often-lax physical security and high staff turnover makes robust data security an ongoing issue.
CNP transactions themselves (consisting of online, telephone and mail order purchases) also remain a challenge in the payments industry, due to the difficulty of implementing a second authentication layer (such as Chip and PIN) into the process. Fortunately, online CNP transactions are becoming more secure through the deployment of 3-D Secure technology, but telephone and mail order transactions remain exposed. Customers are often unaware that when they make a manual payment over the telephone via a contact centre representative, they are providing that agent with all of the details necessary to use their card fraudulently, should the agent be so inclined.
Long-term CNP security solutions are in development, but until they are ready for global deployment, the contact centre will remain vulnerable, particularly when combined with the risk posed by insider threats.
Insider threats appear in all shapes and sizes…
One of the main problems with mitigating the risks posed by insider threats is identifying perpetrators before it’s too late. Contact centre employees have access to most of the sensitive payment information needed to carry out fraud by default, but it can be difficult to tell whether those accessing it are doing so legitimately or with malicious intent. Furthermore, contact centre employees can be vulnerable either to criminal coercion or simply to accidental disclosure: two scenarios at opposite ends of the spectrum, but both equally dangerous in their own way.
For example, a few years ago, CIPHER (an independent security auditor and Qualified Security Assessor) was asked by a bank to inspect suspicious activity in the form of unauthorised use of credit cards. The problem was traced back to a contact centre worker who was found to be on the premises outside of their normal shift pattern, using a colleague’s computer to illegally gain access to customer card details. It was later discovered that the perpetrator was part of an organised crime ring, which had gained illegal access to over 15,000 credit cards through this method.
But as mentioned above, not all insider threats have malicious intent. During a recent contact centre assessment, a site auditor observed agents manually writing down phone payment details as part of a policy to ensure continuity in the event that IT systems went down mid-transaction. This payment data was then keyed into a PIN pad to complete the transaction. If the transaction failed or was abandoned, the PIN pad slip and handwritten card information were simply thrown into bins in the corner of the office, with the data still intact. The auditor then asked where the records of completed transactions were stored. He was shown an unlocked office full of PIN pad slips containing payment information, where his guide proudly explained the bulldog clip system they used to prevent the slips being blown away by a gust of wind!
These particular stories are, of course, extreme cases. Technology has made some incredible advances in recent years and, largely, people are becoming much more tuned in to the threat against personal data, particularly cardholder data. However, the security measures that would eliminate the insider threat are still neither widely deployed nor sufficiently developed. Generally, networks are not segmented, while cardholder information is still widely entered into payment systems manually. As long as practices such as these continue, contact centres will remain a key target for fraudsters.
How can this be solved?
If contact centres meet the latest PCI DSS compliance standards they will take big steps towards improving security within their domain. There are various ways to achieve compliance, but one of the most cost-effective is to use secure phone payment technology to ensure sensitive card information never enters the contact centre environment in the first place. Instead, payments are routed via a secure payment platform, meaning agents can see that the transaction is taking place but, crucially, have no visibility of the customer’s card numbers or data. With no sensitive data taken, processed or stored on site, the risk of insider fraud is almost completely removed and the agents themselves are protected from potential criminal coercion. Secure payment systems can also boost customer confidence, as they no longer need to verbally hand their details over to an agent.
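To make the descoping idea concrete, here is a small added Python model of the flow just described (illustrative code written for this article, not Aeriandi's product or any vendor's implementation). It assumes the customer keys the card number as DTMF digits straight into a payment platform, which then hands the agent desktop only a masked view and a status, so a full PAN never reaches agent screens or logs.

```python
import re

# Constructed example: a descoped phone payment. The platform captures the
# customer's DTMF digits; the agent desktop only ever receives 'agent_view'.

PAN_RE = re.compile(r"\b\d{13,19}\b")  # anything that looks like a full PAN

def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit validation of a PAN string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Agent-facing representation: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]

def secure_payment_platform(dtmf_digits: str, amount_pence: int) -> dict:
    """Return two separate records: 'platform' (full PAN, sent only to the
    payment processor) and 'agent_view' (safe to display and log on site)."""
    pan = re.sub(r"\D", "", dtmf_digits)  # drop '#', '*' and pauses
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        return {"agent_view": {"status": "declined", "reason": "invalid card number"}}
    agent_view = {"status": "authorised",
                  "masked_pan": mask_pan(pan),
                  "amount_pence": amount_pence}
    return {"platform": {"pan": pan, "amount_pence": amount_pence},
            "agent_view": agent_view}

def agent_log_is_clean(agent_view: dict) -> bool:
    """Control check: nothing in the agent-facing record resembles a full PAN."""
    joined = " ".join(str(v) for v in agent_view.values())
    return PAN_RE.search(joined) is None

if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test number keyed with a '#' terminator.
    result = secure_payment_platform("4111111111111111#", 2599)
    print(result["agent_view"])              # masked_pan shows '************1111'
    print(agent_log_is_clean(result["agent_view"]))  # True
```

The same `agent_log_is_clean` check can be run over exported desktop logs or screen-recording transcripts as a simple verification that the descoping actually holds in production.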
There’s no reason to take the risk
If a breach should occur, the costs of internal fraud can be extremely high. Aside from the sanctions and financial penalties imposed by regulators, often it is the associated reputational damage that organisations struggle to recover from.
The irony is that organisations need not take any risk at all with payment card data. Secure phone payment solutions can completely eliminate the need for this information to enter the contact centre environment, making them a far less appealing target for criminals and removing the associated risks to the organisation.