Contact Center Authentication
Kelley Robinson | OWASP AppSec California 2019
@kelleyrobinson

You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?

Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

Published in: Engineering

  1. Contact Center Authentication. Kelley Robinson | OWASP AppSec California 2019. @kelleyrobinson
  2. This talk has everything:
     • My social security number
     • My mother's maiden name
     • The email I briefly used 11 years ago
     • Accidental phishing
  3. Kelley Robinson: Contact Center Authentication
  4. Millennial spends 14 hours on the phone with customer support agents. Kelley Robinson
  5. ☎ 🔐👋 $
  6. 🔍 Research Parameters
  7. 🔍 Research Parameters:
     1. I have an existing account
     2. There is personal info tied to my account (e.g. orders, data)
     3. Company has a customer support phone number
     4. USA phone number
     5. Inbound calls
  8. 🔍 Research Parameters:
     • Mostly information gathering (read)
     • Limited actions and account changes (write)
       - This can and did trigger additional security
  9. @kelleyrobinson
  10. ☎ Getting in touch
  11. ☎ Getting in touch over the phone:
     1. Customer support number (e.g. Home Depot, Comcast, State Farm)
     2. "Call me" (e.g. Walmart, Amazon, Verizon)
     3. No phone number (e.g. Facebook, Lyft)
  12. 📲 On the phone
  13. 📲 On the phone:
     • Most use Interactive Voice Response (IVR) to direct you to the correct use case
     • Rarely does your IVR input matter if you end up talking to an agent
  14. 📲 On the phone (identification):
     1. Automated with the phone number you're calling from
     2. Automated with provided info like account number
     3. Manual with an agent
  15. Identity vs. Authentication:
     • Identity: personal information (e.g. date of birth). Google-able, probably doesn't change.
     • Authentication: proof of identity, usually with a secret (e.g. one time password).
  16. Identity != Authentication
  17. https://xkcd.com/1121/
  18. 📊 The Results
  19. Authentication / Call center identification
  20. 🙌 The Good 👍 The OK 👎 The Bad 😰 The. . . oh. . . oh no
  21. 🙌 The Good: Actually authenticating users
     • One time codes for authentication
     • Refusing to disclose personal information
     Bonus Delight:
     • Apple lets you choose your hold music 🎵
  22. 🙌 Automated intro: “Welcome to Netflix. For faster service, log in to netflix.com and find the 6 digit service code located at the bottom of any web page.”
  23. 🙌
  24. 👍 The OK: Room for improvement but still positive
     • Recognizing the phone number you're calling from
     • Verifying multiple forms of personal information
     • Prompting with relevant account actions
  25. 👍 Automated intro: “Welcome back, Kelley. I see you're flying from Los Angeles to Newark Liberty today, are you calling about that trip?”
  26. 👎 The Bad: Phishing risk with minimal effort
     • Only asking for one form of identity
     • Identity is easily accessible public information
     • Requiring a Social Security Number
  27. Why are Social Security Numbers Bad Authenticators? Meet Mrs. Hilda Schrader Whitcher (Social Security Administration History)
  28. “In fact, a valid SSN can be easily guessed, as they were issued serially prior to June 25, 2011.” (Wikipedia)
  29. 😰 The. . . oh. . . oh no. Wait. What just happened? This is problematic.
     • Giving out identity information
     • Allowing account changes without authentication
     • Asking what phone number to send an SMS token to*
  30. ✅ Recommendations
  31. 🤖 Unify authentication systems
  32. 🤖 Unify authentication systems:
     • Use the same rigor for authentication over the phone as you do on your website
     • Honor user settings for things like 2FA
  33. Case Study
  34. Pre-call
  35. Context: During call
  36. 🤔 After call
  37. What about my TOTP?
  38. 💁 Build guardrails for agents
  39. 💁 Build guardrails for agents:
     • Limit caller information available to agents
     • Only expose information after a caller is authenticated
     • Have a small subset of agents that have access to do the most sensitive actions
     • Perform silent authentication
  40. 💁 Build guardrails for agents:
     Agent Dashboard 1: "Verify caller email address before continuing: grace.hopper@gmail.com"
     vs.
     Agent Dashboard 2 ✅: "Verify caller email address before continuing: [Enter email here] [Verify]"
  41. 💁 Build guardrails for agents:
     • Do a risk assessment using provided identity
     • Have behind the scenes fraud detection
  42. 🔐 Consider your Threat Model
  43. 🔐 Consider your Threat Model:
     • What are you allowing people to do over the phone?
     • Limit sensitive actions if you can't implement true authentication
  44. 1 International Differences
  45. Case Study
  46. “It’s culturally acceptable to use your national ID number for identification (e.g. at the supermarket, the cashier will ask you for your ID number to credit your loyalty card).”
  47. What next?
  48. Takeaways:
     ✅ Actually authenticate users
     📵 Don't share personal information
     🤖 Unify authentication systems
     💁 Build guardrails for your agents
     🔐 Consider your threat model
  49. THANK YOU! @kelleyrobinson
  50. https://twitter.com/patio11/status/1053205207964823552
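The slides on identification vs. authentication (15, 16), the one-time-code flow (21, 22), the agent guardrails (39, 40) and the threat-model gate (43) describe one end-to-end call flow. The following Python model of that flow is an added example written for this page; it is not code from the talk or from Twilio. The account directory, the phone numbers, the `deliver` gateway hook and the `tier2` agent role are all constructed assumptions. Caller ID only identifies a candidate account, a date-of-birth match is deliberately unable to authenticate, the one-time code goes to the phone number already on file rather than a number the caller names, the agent view stays masked until the code is verified, and sensitive writes additionally require a restricted agent tier.

```python
"""Phone-channel authentication flow modelled on the talk's recommendations (added example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample directory (assumption, not real customers). "phone" is the
# on-file contact used for one-time-code delivery, never a number the caller supplies.
ACCOUNTS = {
    "acct-0001": {"name": "Grace Hopper", "phone": "+15555550100",
                  "email": "grace.hopper@example.com", "dob": "1906-12-09"},
}

MAX_OTP_ATTEMPTS = 3
SENSITIVE_ACTIONS = {"change_email", "change_phone", "reset_2fa"}


@dataclass
class CallSession:
    ani: str                          # number the call arrived from (caller ID)
    account: Optional[dict] = None    # identified, but NOT yet authenticated, account
    pending_code: Optional[str] = None
    attempts: int = 0
    authenticated: bool = False


def identify_by_ani(ani: str) -> CallSession:
    """Slide 14, step 1: caller ID identifies a likely account. Caller ID can be
    spoofed, so this only ever sets `account`, never `authenticated`."""
    match = next((a for a in ACCOUNTS.values() if a["phone"] == ani), None)
    return CallSession(ani=ani, account=match)


def confirm_identity(session: CallSession, dob: str) -> bool:
    """Slide 15: a Google-able fact such as date of birth narrows identification.
    It is identity, not authentication, so it cannot flip `authenticated`."""
    if session.account is None:
        return False
    return hmac.compare_digest(session.account["dob"], dob)


def send_otp(session: CallSession, deliver: Callable[[str, str], None]) -> bool:
    """Send a fresh one-time code to the contact already on file. `deliver` is an
    assumed SMS/voice gateway hook (destination, code); the destination comes from
    the record, which is the fix for slide 29's 'which number should we text?'."""
    if session.account is None:
        return False
    session.pending_code = f"{secrets.randbelow(10**6):06d}"
    session.attempts = 0
    deliver(session.account["phone"], session.pending_code)
    return True


def verify_otp(session: CallSession, submitted: str) -> bool:
    """Constant-time check, single use, and a retry cap that forces a new code."""
    if session.pending_code is None or session.attempts >= MAX_OTP_ATTEMPTS:
        return False
    session.attempts += 1
    if hmac.compare_digest(session.pending_code, submitted):
        session.authenticated = True
        session.pending_code = None       # a code is valid exactly once
        return True
    if session.attempts >= MAX_OTP_ATTEMPTS:
        session.pending_code = None       # locked out: a fresh code must be sent
    return False


def agent_view(session: CallSession) -> dict:
    """Slide 40's second dashboard: the agent sees a prompt, not the caller's data,
    until the caller has been authenticated."""
    if session.account is None:
        return {"status": "unknown caller"}
    if not session.authenticated:
        return {"status": "identified, awaiting verification",
                "prompt": "Send and verify one-time code before continuing"}
    return {"status": "authenticated", **session.account}


def perform_action(session: CallSession, action: str, agent_role: str) -> str:
    """Slide 43's threat-model gate: every action needs an authenticated caller, and
    sensitive writes also need the small subset of agents allowed to perform them
    ('tier2' is an assumed role name)."""
    if not session.authenticated:
        return "denied: caller not authenticated"
    if action in SENSITIVE_ACTIONS and agent_role != "tier2":
        return "denied: escalate to tier-2 agent"
    return f"ok: {action}"


if __name__ == "__main__":
    # Walk-through with a stand-in gateway that just prints the message it would send.
    s = identify_by_ani("+15555550100")
    print(agent_view(s))                                  # masked: no PII yet
    send_otp(s, lambda dest, code: print(f"[gateway] to {dest}: your code is {code}"))
    print(perform_action(s, "view_orders", "tier1"))      # denied until code verified
```

In a real deployment the gateway hook is the SMS or voice API, the session state lives in the contact-center platform rather than in memory, and the agent UI is built from `agent_view` so that the unauthenticated shape of the record is the only one a tier-1 agent can ever render.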
