Blog
24th May 2016 by GCI

Spike in Call Centre fraud

A recent article in SC Magazine and Dark Reading identified that over the past 3 years there has been a 45% spike in call centre fraud, using social engineering techniques – the art of manipulating people so that they give up confidential information. The so-called human factor.

 

With that in mind, any businesses involved in taking card payments over the telephone will almost certainly rely on the need for some network-based technologies and people interaction. So, while we can harden the systems (to reduce the exploitable vulnerabilities) the question remains how do we harden the human factor?

The insider threat

In Verizon’s 2016 Data Breach Investigations Report (DBIR), they identified that a staggering 77% of the breaches were caused by the insider threat – be that someone carrying out a deliberate, negligent or accidental act.

 

insider-threat

 

Given those alarming statistics (a 45% spike in call centre fraud with 77% being attributed to insiders) one might ask how any contact centre could ever hope to continue in business… and how might they reduce the associated risks?

So, with Rugby League’s Magic Weekend[iii] still fresh in my mind, it got me thinking: are there any lessons that can be learned from the disciplined (some might say robust) approach of the Rugby League?

What lessons can we learn from Rugby League

From receiving the ball, the home team has just 6 tackles to touch the ball down and score a try.

In order to do this successfully, they need to catch the ball cleanly… run like a bandit and employ different tactics to evade and dodge the attention of the opposition. More simply, scoring involves 13 players (all with differing skills and abilities) working as one cohesive team to successfully thwart the opposition!

The game is governed by a set of rules that must be adhered to and is monitored by the referee and line judges. And, should either team be judged to have breached these rules, they will be penalised. It’s as simple as that!

Hunting down the opportunity to exploit a mistake

But, and here’s the killer point, as either team attempts to get the ball across the line, the opposition is ever-vigilant, always looking, focusing and hunting down the opportunity to exploit a mistake: that dropped ball, that stray pass, that poorly placed kick.

Each mistake, each momentary lapse of discipline, could lead to the opposition being able to breach the defences and score. And that’s not good!

The slide into oblivion

Now fast forward. The more tries scored by the opposition, the greater the impact on the club and it spectators. Morale fades, confidence ebbs, league position falters… the fan base wobbles. So what? Well, ultimately a lower fan base leads to less money coming through the gates – and that’s not good at all!

Now fast forward a bit more. Things worsen, relegation looms, die-hard fans take to social media to blame the management, directors churn, a dark cloud forms!

Back to basics

But wait. It doesn’t need to be that way. So how does a club try to reduce the chance of relegation? It’s about simple things: find a good coach; secure the best players; invest in training, skills development and knowledge transfer. And it’s about practice, practice, practice.

Playing the PCI DSS Call Centre game

So, In the game of PCI DSS, the Rugby League elements are replaced as follows:

the-game

Now, let’s imagine that each set of tackles represents a payment journey… but in the same way that the ball will not always make it over the line, not every call (carrying payment details) will make it across the line either. And that’s the danger that PCI DSS team needs to guard against. More simply, they need to ensure that no balls are dropped to avoid the opportunity for the opposition players to benefit from a poorly executed pass, kick or wayward ball.

All very complex… but it doesn’t need to be!

Fortunately, help is at hand. Within the PCI DSS environment, businesses have a number of alternatives to spending time and resources developing (and hardening) their own league team.

  • We could make it difficult for opposition players to identify the rugby ball!
  • We could move the goal line! (make it closer to first receipt of the ball)
  • We could reduce the number of players needed to handle the rugby ball!
  • We could gain a home team advantage by recruiting the Dream Team!
Step forward the Dream Team

In the call centre environment, PCI DSS compliance can be expensive, resource intensive and difficult to maintain. However, there is an alternative approach, namely engage the Dream Team to do it for you! Now, in the case of card payments made over the telephone the Dream Team takes the form of fully managed platform (a solution) with Dual-Tone Multi-Frequency (DTMF) capability. Exciting stuff. DTMF is critical because it thwarts the opposition (the hackers, the bad guys).

With such a solution, the home team are represented but instead of being akin to an amateur pub team (training and playing around existing commitments) they take the form of a professional, highly skilled squad of 13 full time players. Still with me?

The bottom line is that the DTMF masks the payment card numbers. And the old adage that you can’t hack what you can’t see makes it a winning solution (sorry, I mean a winning team!).

Going for Gold

It goes something like this: the home team’s call centre agent receives the initial call (he walks onto the pitch) but at the point that the payment card data is required (kick off) the call is transferred to the DTMF platform (the Dream Team) where the payment card data (the rugby ball) is safely used to make the purchase (score a try)! Got that?

Fast forward. The team continues to score and win, their league ranking soars, their fan base swells, season ticket sales hit record levels, business prospers… and life is good!

 

[i] http://www.scmagazine.com/cybercriminal-use-stolen-data-for-call-center-fraud-study/article/496172/

[ii] http://www.darkreading.com/vulnerabilities—threats/call-centers-in-the-bullseye/d/d-id/1325508?

[iii] http://www.rugby-league.com/tickets/magic_weekend

[iv] http://www.rugby-league.com/the_rfl/rules