Contact Center Authentication
Kelley Robinson | OWASP AppSec California 2019
@kelleyrobinson
This talk has everything
• My social security number
• My mother's maiden name
• The email I briefly used 11 years ago
• Accidental phishing
Millennial spends 14 hours on the phone with customer support agents
☎ 🔐👋 $
🔍 Research Parameters
1. I have an existing account
2. There is personal info tied to my account (e.g. orders, data)
3. Company has a customer support phone number
4. USA phone number
5. Inbound calls
🔍 Research Parameters
• Mostly information gathering (read)
• Limited actions and account changes (write)
- This can and did trigger additional security
☎ Getting in touch
☎ Getting in touch over the phone
1. Customer support number (e.g. Home Depot, Comcast, State Farm)
2. "Call me" (e.g. Walmart, Amazon, Verizon)
3. No phone number (e.g. Facebook, Lyft)
📲 On the phone
• Most use Interactive Voice Response (IVR) to direct you to the correct use case
• Rarely does your IVR input matter if you end up talking to an agent
📲 On the phone
1. Automated with the phone number you're calling from
2. Automated with provided info like account number
3. Manual with an agent
📲 On the phone (identification)
Identity
Personal information (e.g. date of birth). Google-able, probably doesn't change.
Authentication
Proof of identity, usually with a secret (e.g. one time password).
Identity != Authentication
https://xkcd.com/1121/
📊 The Results
(Chart: call center identification vs. authentication)
🙌 The Good
👍 The OK
👎 The Bad
😰 The... oh... oh no
🙌 The Good
Actually authenticating users
• One time codes for authentication
• Refusing to disclose personal information
Bonus Delight:
• Apple lets you choose your hold music 🎵
🙌
Automated intro:
“Welcome to Netflix. For faster service, log in to netflix.com and find the 6 digit service code located at the bottom of any web page.”
👍 The OK
Room for improvement but still positive
• Recognizing the phone number you're calling from
• Verifying multiple forms of personal information
• Prompting with relevant account actions
👍
Automated intro:
“Welcome back, Kelley. I see you're flying from Los Angeles to Newark Liberty today, are you calling about that trip?”
👎 The Bad
Phishing risk with minimal effort
• Only asking for one form of identity
• Identity is easily accessible public information
• Requiring a Social Security Number
Why are Social Security Numbers Bad Authenticators?
Meet Mrs. Hilda Schrader Whitcher (Social Security Administration History)
“In fact, a valid SSN can be easily guessed, as they were issued serially prior to June 25, 2011.” (Wikipedia)
😰 The... oh... oh no
Wait. What just happened? This is problematic.
• Giving out identity information
• Allowing account changes without authentication
• Asking what phone number to send an SMS token to*
✅ Recommendations
🤖 Unify authentication systems
• Use the same rigor for authentication over the phone as you do on your website
• Honor user settings for things like 2FA
Case Study
Pre-call
Context
During call
🤔
After call
What about my TOTP?
💁 Build guardrails for agents
• Limit caller information available to agents
• Only expose information after a caller is authenticated
• Have a small subset of agents that have access to do the most sensitive actions
• Perform silent authentication
💁 Build guardrails for agents
Agent Dashboard 1: “Verify caller email address before continuing: grace.hopper@gmail.com”
vs.
Agent Dashboard 2 ✅: “Verify caller email address before continuing: [Enter email here] [Verify]”
• Do a risk assessment using provided identity
• Have behind the scenes fraud detection
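An added example (not code from the talk; the account record, names and functions are constructed) of the Dashboard 2 pattern together with the silent-authentication guardrail: the agent submits what the caller claims and gets only a yes/no answer, the one-time code is sent only to the number on file, and the full record is unmasked only after authentication.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample record (hypothetical, not from the talk). Only this backend
# holds contact details; the agent dashboard gets an account id and yes/no answers.
@dataclass
class Account:
    account_id: str
    email: str
    phone_e164: str

ACCOUNTS = {"acct-1": Account("acct-1", "Grace.Hopper@gmail.com", "+15555550100")}
MAX_ATTEMPTS = 3          # lock verification after this many misses
FAILED_ATTEMPTS = {}      # account_id -> miss count (in-memory for the demo)
PENDING_OTP = {}          # account_id -> code awaiting entry

def _normalize(s: str) -> str:
    return "".join(s.split()).lower()

def verify_caller_email(account_id: str, claimed_email: str) -> bool:
    """Dashboard 2 pattern: the agent types what the caller says and gets only
    match / no match back. Repeated misses lock the account's verification."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or FAILED_ATTEMPTS.get(account_id, 0) >= MAX_ATTEMPTS:
        return False
    ok = hmac.compare_digest(_normalize(acct.email).encode(), _normalize(claimed_email).encode())
    if not ok:
        FAILED_ATTEMPTS[account_id] = FAILED_ATTEMPTS.get(account_id, 0) + 1
    return ok

def send_otp(account_id: str) -> str:
    """Silent authentication: the code goes only to the number on file. There is
    deliberately no destination parameter; the agent gets a masked hint only."""
    acct = ACCOUNTS[account_id]
    PENDING_OTP[account_id] = f"{secrets.randbelow(10**6):06d}"
    # SMS/voice delivery to acct.phone_e164 would happen here (omitted).
    return "***-***-" + acct.phone_e164[-4:]

def check_otp(account_id: str, entered: str) -> bool:
    """Single use: the code is discarded whether or not it matched."""
    expected = PENDING_OTP.pop(account_id, None)
    return expected is not None and hmac.compare_digest(expected.encode(), entered.strip().encode())

def agent_view(account_id: str, authenticated: bool) -> dict:
    """Guardrail: before authentication the agent sees only the account id."""
    acct = ACCOUNTS[account_id]
    if not authenticated:
        return {"account_id": account_id, "email": "hidden", "phone": "hidden"}
    return {"account_id": account_id, "email": acct.email, "phone": acct.phone_e164}
```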
🔐 Consider your Threat Model
• What are you allowing people to do over the phone?
• Limit sensitive actions if you can't implement true authentication
International Differences
Case Study
“It’s culturally acceptable to use your national ID number for identification (e.g. at the supermarket, the cashier will ask you for your ID number to credit your loyalty card).”
What next?
✅ Actually authenticate users
📵 Don't share personal information
🤖 Unify authentication systems
💁 Build guardrails for your agents
🔐 Consider your threat model
Takeaways
THANK YOU!
https://twitter.com/patio11/status/1053205207964823552