While banks scramble to tighten security for Web and mobile transactions, there's an emerging vulnerability in phone centers as crooks try to extract sensitive data from recorded conversations.
"Call centers are a big footprint. You have all of this data and ongoing conversations about customers and data," says Julie Conroy McNelley, a research director at Aite.
Companies that offer call center recording and coaching technology, such as CallCopy and NICE, have products that halt recording when a phone dialogue includes information that may tempt crooks. As old as the call center may be, it's still a channel in which crime prevention has some catching up to do.
"Fraud at the contact center has existed for a while, but there's a threat as fraudsters perceive it to be the path of least resistance. Institutions are shoring up their online and mobile channels. And since there's a human on the other end of a call, certain types of attacks such as social engineering can be easier at the call center," McNelley says.
The prevention tools also come with an element of compliance. The Payment Card Security Industry Data Security Standards Council says recordings of personal information, such as Social Security numbers and payment card numbers, that are exchanged during phone payments, fall under scope for PCI DSS compliance.
That has call center tech providers pushing recording controls. "We are making a big push around adhering to those PCI requirements," says Patrick Hall, chief marketing officer for CallCopy.
CallCopy recently had Coalfire, a PCI security assessor, audit CallCopy's call center workflow tech for PCI compliance. It found CallCopy's workflow optimization application can be removed from PA-DSS validation scope, which means the application does not expose sensitive information during the payment process.
CallCopy's technology includes a blackout feature that uses start-and-stop triggers that define the beginning and end of the portions of calls that contain sensitive information. It pauses the recording of the voice and screen activity during that segment, so the sensitive data isn't stored. It also uses secure sockets layer encryption during all recording and playback, and includes a tracking system that provides a history of all activity within the application, allowing the bank to determine who accessed any recording for playback or export.
"We monitor the behavior of what's going on at the customer service rep stations. When the agent at a sensitive screen, where they would be taking someone's Social Security number and other sensitive data, we temporarily halt the recording," Hall says. An additional auto archiving tool allows records to be auto-archived or purged in compliance with business rules or government regulations. And user permissions include the ability to deny a user the right to reset his or her own password, which is designed to prevent the creation of overly simple passwords.
Hall says that while CallCopy has voice recognition technology, it relies heavily on screen navigation to trigger the recording pause, since Hall feels tracking screen navigation is a more reliable tool to gauge when a call center session has reached a point in which sensitive data is being exchanged. "We don't feel phrase detection is there yet to be used for this purpose," Hall says.
CallCopy competes with firms such as NICE, which offers desktop analytics that, based on the agent's screen activity, trigger pause-and-resume of call recording; as well as a set of access-control tools that include strong password management.