Contact Center Authentication

1. Contact Center Authentication Kelley Robinson | OWASP AppSec California 2019 @kelleyrobinson

2. This talk has everything • My social security number • My mother's maiden name • The email I briefly used 11 years ago • Accidental phishing

3. Kelley Robinson Contact Center Authentication @kelleyrobinson

4. Millennial spends 14 hours on the phone with customer support agents Kelley Robinson @kelleyrobinson

5. @kelleyrobinson ☎ 🔐👋 $

6. @kelleyrobinson 🔍 Research Parameters

7. 1. I have an existing account 2. There is personal info tied to my account (i.e. orders, data) 3. Company has a customer support phone number 4. USA phone number 5. Inbound calls @kelleyrobinson 🔍 Research Parameters

8. • Mostly information gathering (read) • Limited actions and account changes (write) - This can and did trigger additional security @kelleyrobinson 🔍 Research Parameters

9. @kelleyrobinson

10. @kelleyrobinson ☎ Getting in touch

11. ☎ Getting in touch over the phone @kelleyrobinson 1. Customer support number 2. "Call me" 3. No phone number i.e. Home Depot, Comcast, State Farm i.e. Walmart, Amazon, Verizon i.e. Facebook, Lyft

12. @kelleyrobinson 📲 On the phone

13. • Most use Interactive Voice Response (IVR) to direct you to the correct use case • Rarely does your IVR input matter if you end up talking to an agent @kelleyrobinson 📲 On the phone

14. 1. Automated with the phone number you're calling from 2. Automated with provided info like account number 3. Manual with an agent @kelleyrobinson (identification)📲 On the phone

15. @kelleyrobinson Identity Authentication Personal information (i.e. date of birth) Google-able, probably doesn't change Proof of identity, usually with a secret (i.e. one time password)

16. @kelleyrobinson Identity != Authentication

17. @kelleyrobinson https://xkcd.com/1121/

18. @kelleyrobinson 📊 The Results

19. @kelleyrobinson Authentication Call center identification

20. @kelleyrobinson 🙌 The Good 👍 The OK 👎 The Bad 😰 The. . . oh. . . oh no

21. @kelleyrobinson 🙌 The Good Actually authenticating users • One time codes for authentication • Refusing to disclose personal information Bonus Delight: • Apple lets you choose your hold music 🎵

22. @kelleyrobinson 🙌 Automated intro: “Welcome to Netflix. For faster service, log in to netflix.com and find the 6 digit service code located at the bottom of any web page. ”

25. @kelleyrobinson 🙌

26. @kelleyrobinson 👍 The OK Room for improvement but still positive • Recognizing the phone number you're calling from • Verifying multiple forms of personal information • Prompting with relevant account actions

27. @kelleyrobinson 👍 Automated intro: “Welcome back, Kelley. I see you're ﬂying from Los Angeles to Newark Liberty today, are you calling about that trip? ”

28. @kelleyrobinson 👎 The Bad Phishing risk with minimal effort • Only asking for one form of identity • Identity is easily accessible public information • Requiring a Social Security Number

29. @kelleyrobinson Why are Social Security Numbers Bad Authenticators? Meet Mrs. Hilda Schrader Whitcher Social Security Administration History

30. @kelleyrobinson “In fact, a valid SSN can be easily guessed, as they were issued serially prior to June 25, 2011. Wikipedia

31. @kelleyrobinson 😰 The. . . oh. . . oh no Wait. What just happened? This is problematic. • Giving out identity information • Allowing account changes without authentication • Asking what phone number to send an SMS token to*

32. ✅ Recommendations

33. @kelleyrobinson 🤖 Unify authentication systems

34. @kelleyrobinson • Use the same rigor for authentication over the phone as you do on your website • Honor user settings for things like 2FA 🤖 Unify authentication systems

35. @kelleyrobinson Case Study

36. @kelleyrobinson Pre-call

37. @kelleyrobinson Context During call

38. @kelleyrobinson 🤔 After call

39. @kelleyrobinson What about my TOTP?

40. @kelleyrobinson 💁 Build guardrails for agents

41. @kelleyrobinson • Limit caller information available to agents • Only expose information after a caller is authenticated • Have a small subset of agents that have access to do the most sensitive actions • Perform silent authentication 💁 Build guardrails for agents

42. @kelleyrobinson 💁 Build guardrails for agents Verify caller email address before continuing: grace.hopper@gmail.com Verify caller email address before continuing: VerifyEnter email here vs. ✅ Agent Dashboard 1 Agent Dashboard 2

43. • Do a risk assessment using provided identity • Have behind the scenes fraud detection @kelleyrobinson 💁 Build guardrails for agents

44. @kelleyrobinson 🔐 Consider your Threat Model

45. @kelleyrobinson • What are you allowing people to do over the phone? • Limit sensitive actions if you can't implement true authentication 🔐 Consider your Threat Model

46. @kelleyrobinson 1 International Differences

47. @kelleyrobinson Case Study

48. @kelleyrobinson “It’s culturally acceptable to use your national ID number for identiﬁcation (e.g. at the supermarket, the cashier will ask you for your ID number to credit your loyalty card). ”

49. What next?

51. @kelleyrobinson ✅ Actually authenticate users 📵 Don't share personal information 🤖 Unify authentication systems 💁 Build guardrails for your agents 🔐 Consider your threat model Takeaways

52. @kelleyrobinson THANK YOU! @kelleyrobinson

53. @kelleyrobinson https://twitter.com/patio11/status/1053205207964823552

Contact Center Authentication

Contact Center Authentication

Recommended

More Related Content

Similar to Contact Center Authentication

Similar to Contact Center Authentication(20)

More from Kelley Robinson

More from Kelley Robinson(20)

Recently uploaded

Recently uploaded(20)

Contact Center Authentication