Contact centre workforces are typically susceptible to coercion from criminal elements that want access to sensitive customer data. According to CIFAS, the UK’s Fraud Prevention Service, the number of confirmed contact centre insider fraud incidents is rising fast. In 2012 it leapt a massive 126%, and in 2014 CIFAS announced members had reported 48 cases of employees unlawfully accessing or disclosing customer data – with over 129,500 cases of identity-related fraud also being reported. CIFAS went on to warn that the true scale of insider contact centre fraud may be much higher, as many cases go unreported or unnoticed.
So, why is the contact centre an increasingly attractive target for criminals? In part it’s due to the recent advances in security technology which have made other payment channels – like e-commerce – safer than ever for consumers.
However, the traditional contact centre, in which huge volumes of Card Not Present (CNP) transactions are processed on a daily basis, and where customers call and speak their card details to agents, is an increasingly attractive target for professional gangs of fraudsters.
A neglected issue
Insider fraud isn’t new. Back in 2006, Strathclyde Police told BBC Newsnight Scotland that one in 10 of Glasgow’s financial call centres had been infiltrated by criminal gangs by planting staff inside offices, or forcing current employees to provide sensitive customer information.
In recent years the ongoing push to secure contact centre data from external attack threats has driven criminals to refocus their efforts on penetrating the contact centre to perpetrate fraud from the inside.
Just a few years ago, CIPHER (an independent security auditor and Quality Security Assessor) was asked by a bank to investigate the unauthorised use of credit card details. It found a contact centre employee was entering the building outside their normal shift pattern and using a co-worker’s computer to access customer card details; it later transpired this employee was part of an organised crime gang that had compromised over 15,000 credit cards in this manner.
When it comes to CNP transactions, the contact centre continues to be a point of vulnerability for the theft of card data. According to a recent report from industry group Financial Fraud Action, the value of CNP fraud losses in the UK reached £331.5 million in 2014, an increase of 10% from the year before, with card ID theft up 14%.
What’s the problem?
While the introduction of 3-D Secure has helped bolster the security of online CNP transactions, the difficulty of implementing a second authentication layer, such as Chip and PIN, means telephone payments remain extremely vulnerable.
It’s a risk that’s amplified in the chaotic contact centre environment where operational processes and frameworks are designed to process transactions as quickly as possible, and intrusive security controls can be counterproductive to this goal. Complex internal processes designed to allocate data across multiple agents to reduce CNP data compromise can prove unworkable or unrealistic for environments such as multi-channel contact centres.
What’s more, during site audits CIPHER has witnessed examples of agents writing down phone payment details as part of a company’s continuity policy in the event of IT systems falling over mid-transaction. It also frequently finds contact centres have few advanced security controls in place: networks aren’t segmented and, while log data is collected, it’s never analysed or subjected to the deep packet inspection required to identify internal threats.
Countering the threat
If contact centres comply with the latest Payment Card Industry Data Security Standard (PCI DSS), they can go a long way to improving security within their estate. You can put controls around safeguarding your data, which is never completely safe and will be hard work, or you can remove the data and with it the risk and the effort. The most cost-effective way to achieve compliance is to ensure cardholder information never enters the contact centre environment in the first place. This is exactly what security technologies like Dual Tone Multi Frequency (DTMF) secure phone payment processing enable. Using their phone keypad to enter personal data means customers don’t have to verbalise sensitive personal information. The tones are captured before they enter the contact centre and are kept isolated from contact centre staff and call recording systems.
Using preventative measures such as DTMF has multiple benefits. Agents are shielded from data, minimising the risk of temptation and protecting them from the risk of potential criminal coercion, while customers gain greater confidence when it comes to payment security. And, without any data to steal, the contact centre’s obligations with regard to PCI-DSS are significantly reduced.
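To make the mechanism concrete, here is an added illustration of how DTMF capture and suppression can work at the audio level; it is example code written for this article, not Aeriandi's product or any vendor's implementation. It assumes 8 kHz telephony audio split into 25 ms frames, uses the Goertzel algorithm to detect the two DTMF tones of a key press in each frame, silences those frames (plus one guard frame either side) before the audio goes on to the agent or the recorder, and hands the decoded digits to a separate list standing in for the isolated channel to the payment processor. The "call" it processes is constructed inline: a 300 Hz hum standing in for caller speech, interleaved with the keys 4 and 2.

```python
import math

SAMPLE_RATE = 8000      # standard narrowband telephony rate (assumption for the demo)
FRAME_LEN = 200         # 25 ms frames at 8 kHz (assumption for the demo)

# DTMF row (low) and column (high) frequencies and the keypad they encode.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def goertzel_power(frame, freq, sample_rate=SAMPLE_RATE):
    """Normalised signal power at `freq` in `frame` (Goertzel algorithm).
    Returns (|X(freq)| / N)**2, so a full-scale sine at `freq` scores ~0.25."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / sample_rate)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2
    n = len(frame)
    return power / (n * n)


def detect_digit(frame, threshold=0.01, dominance=4.0):
    """Return the DTMF key present in `frame`, or None if there is no clean key press."""
    lows = [goertzel_power(frame, f) for f in LOW_FREQS]
    highs = [goertzel_power(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=lows.__getitem__)
    col = max(range(4), key=highs.__getitem__)
    # Both tones must be present and each must dominate its group; otherwise
    # speech energy near a DTMF frequency could be misread as a key press.
    for powers, best in ((lows, row), (highs, col)):
        others = max(p for i, p in enumerate(powers) if i != best)
        if powers[best] < threshold or powers[best] < dominance * others:
            return None
    return KEYPAD[row][col]


def mask_dtmf(samples, frame_len=FRAME_LEN, guard_frames=1):
    """Return (masked_audio, digits).

    Frames carrying a key press, plus `guard_frames` neighbours on each side,
    are replaced by silence so neither the agent nor the call recorder receives
    the tones. The decoded digits are returned separately: in a deployment that
    list would be the isolated path to the payment processor."""
    n_frames = -(-len(samples) // frame_len)          # ceil, so a short tail is checked too
    detected = [detect_digit(samples[i * frame_len:(i + 1) * frame_len])
                for i in range(n_frames)]
    to_mask = set()
    for i, d in enumerate(detected):
        if d is not None:
            to_mask.update(range(max(0, i - guard_frames),
                                 min(n_frames, i + guard_frames + 1)))
    masked = list(samples)
    for i in to_mask:
        start, end = i * frame_len, min(len(samples), (i + 1) * frame_len)
        masked[start:end] = [0.0] * (end - start)
    # One key press spans several frames; collapse each run into a single digit.
    digits, prev = [], None
    for d in detected:
        if d is not None and d != prev:
            digits.append(d)
        prev = d
    return masked, digits


def tone(freqs, duration_ms, amplitude=0.5):
    """Synthesise a sum of sines (constructed test audio, not a real recording)."""
    n = int(SAMPLE_RATE * duration_ms / 1000)
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dtmf_tone(digit, duration_ms):
    for r, row in enumerate(KEYPAD):
        if digit in row:
            return tone((LOW_FREQS[r], HIGH_FREQS[row.index(digit)]), duration_ms)
    raise ValueError(f"not a DTMF key: {digit!r}")


def build_demo_call():
    """Constructed call: 100 ms of 'speech' (a 300 Hz hum) between the keys 4 and 2."""
    speech = tone((300,), 100)
    return speech + dtmf_tone("4", 100) + speech + dtmf_tone("2", 100) + speech


def demo():
    return mask_dtmf(build_demo_call())


if __name__ == "__main__":
    masked, digits = demo()
    print("digits routed to the payment processor:", digits)
    silenced = sum(1 for s in masked if s == 0.0)
    print(f"samples silenced before recording: {silenced} of {len(masked)}")
```

The guard frames matter: a key press rarely lines up with frame boundaries, and a frame that is only partly tone may fall below the detection threshold yet still carry audible digits into the recording, so a masking system should err on the side of silencing slightly more audio than it detected. Real deployments also have to handle DTMF carried out-of-band (for example RFC 2833/4733 RTP events on SIP trunks), which has to be stripped at the signalling layer rather than in the audio.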
Counting the cost
Dealing with the repercussions of internal fraud is costly – alongside sanctions and penalties imposed by regulators, organisations face the time and expense of investigations and disciplinary procedures. Plus, any publicised data breach has significant implications for brand reputation, customer loyalty and trust.
But DTMF-suppression secure payment technology eliminates any need for payment data to enter the contact centre environment in the first place, making the contact centre a far less appealing target for insider fraudsters.
Matthew Bryars is CEO of Aeriandi