
Contact Center Authentication

BSidesSF 2019 · 35:23 · 69 views · Published 2019-03
About this talk
You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product? Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.
Transcript

Awesome, let's get started. Thank you everyone for coming. So I'm going to be talking about contact center authentication today, which can mean a lot of things, but I just want to preface this by saying this talk has everything: it's got my social security number (get your pens out), my mother's maiden name, the email that I briefly used back in university about eleven years ago, and even some accidental phishing, which you might be wondering what that means, and we'll get to that. So my name is Kelly, like I mentioned, and when I set out to do this research I wasn't really sure what to expect. I didn't know if this was going to be that interesting, but it turns out that there's a lot of really fun stories that came out of calling all of these contact centers.

So I work at a company called Twilio. If you've heard of Twilio, we make APIs for communications, so things that have to do with phone calls. There's a lot of companies that have built their contact centers on top of Twilio, which is what sparked this interest. Twilio acquired a company called Authy about five years ago, and I specifically work on the Authy APIs at Twilio, so this is for things like two-factor authentication and phone verification. And I also spend a decent amount of my time educating developers and security professionals and the general public about best practices around identity management and authentication, and so that's an interesting part of my job: I get to basically inform people of the best practices they should be using.

So let me outline what I did in this research. This talk is going to get into what I learned from calling all of these contact centers and some of the best practices I can recommend for you to implement in your own company's contact centers. So how many of you have a call line for your company, like a customer support hotline? All right, a few. How many of you have called that? I really expected... good, good. Well, maybe by the end of this you'll be inspired to call that hotline just to see how your company is doing in security.

So I had to decide who I was going to call. This involved places where I had an existing account. I wasn't trying to phish anyone besides myself. There had to be personal information tied to that account. So I was mostly doing information gathering, so asking about orders and data. I was talking to someone earlier: I would like to redo all this research and just try to reset my password every time I talk to one of these companies. I think that would be an interesting follow-up to all this research. The customer or the company had to have some kind of phone number that I could call, which surprisingly not everyone does. I mostly focused on domestic phone numbers. Usually these were US-based companies, but they at least had a US phone number that was probably a 1-800 phone number. And when I say inbound calls, this was anything where I was calling into the contact center. And so there is this circumstance where the company, like a Comcast or your utility provider, will call you from the contact center, and the whole way to authenticate that outbound call from the contact center is a different problem, and so that was outside of the scope of the research that I was doing.

Here are some examples of the places I called. Overall, at this point I've called about 45 companies. It's pretty interesting, and that maybe doesn't sound like that many, but when you get put on hold with CBS for 30 minutes and then they immediately hang up on you, you know, the time adds up. So I'll talk through some of these in detail, especially the ones that are doing things well. I am NOT going to name names for the companies that do things poorly, mostly because, as I pointed out, these are all companies that I have personal accounts with, so please don't attack me.

So my goal obviously was to get in touch with an agent. In all of these places there are a few common ways to do that. So most retail, utility, insurance, those types of companies, they make it pretty easy for you to find their customer support number, so they have something that you can easily find on their website or through googling. Now, you know, something like Comcast support, those types of places actually want you to be calling them and started using some kind of online support. Some of the more sophisticated tech companies are implementing this "call me" feature, and so these are places like Amazon and Walmart. They basically allow you to input your phone number, and then when there's a support agent available they will call you back instead of you having to wait on hold. This introduces a lot of cost savings and efficiencies into the contact center, which is a huge concern for most of these support centers, and so that's been one way that people are doing this. And then there's places that just don't have a customer support number. And so Facebook actually does, but then you call into it and they have an IVR, which is the interactive voice response, and they basically make you choose between the Facebook entities that you want to talk to, and so they have Instagram, WhatsApp, you know, Oculus, Facebook, and when you go through the path to talk to Facebook they just say "Facebook does not offer over-the-phone customer support," and then they hang up. Lyft, I couldn't find a phone number for them. They might have one for the driver side of things, but I'm not a driver, I'm just a consumer, and so they didn't have anything that I could find with a consumer phone number. It appeared like they used to have one, but that phone number was no longer active. But then, just for consistency, I focused on option one, so that I would be the one calling into the contact center.

Once you actually get to the contact center (and I was trying to talk to an agent every time so that I could get that kind of human interaction), there were a few common ways that they would try to identify you. The first one was that they would do basically a caller ID lookup on the number that you're calling in from, and they would try to automatically trace your number back to an account based on the number that you're calling with. I was always calling with my personal cell phone. Again, that would be an interesting follow-up to this research: to try to call places that did do the automatic detection with a different phone number and see how those companies manage the identification. Another way that they were tracking you down was through an automated system where you could input some kind of ID number associated with your account, and so insurance companies will do this: you can put in your insurance subscriber number. Apple does this: if you call Apple support, you can input your device ID number on your phone or your other Apple device and they will automatically look up your account with that information. And then finally, and this is pretty common, is just manually with an agent. Once you start talking to them, they'll look up your account by asking you for information about details that are tied to your account.

But identifying you is not the same thing as authenticating you, right? And so I can give you my phone number, but there's a lot of people that have my phone number. You know, if you give somebody, a call center agent, my phone number, that's not guaranteeing that you're me, right? And so the authentication side of things is how we prove that identity. Identity is any of those static pieces of information. They're probably googleable, and these are things that aren't going to change. So this is like your phone number, your email address, your date of birth, and these are all incredibly common things that call centers are using to try to identify you, which is fine, but they're not actually going through that extra step of authenticating you. And the authentication in this case is doing something that proves that identity. This is generally done with a secret, and so you talk about the different factors for authentication: something you know, like a password; something you have, like a phone; or something you are, like your fingerprint or something like that. And there's very few places that are taking advantage of the authentication route when you're trying to do the identity management over the phone. And this is a problem, because they're not the same thing. Identity is not authentication, but we're constantly using identity and aspects of our identity to prove other aspects of our identity, and this is not good, because I don't want to have to give my social security number to an agent on the phone so that they know who I am. And this is very, very common in contact centers, and there's reasons for this. There's the user experience that we have to consider. It's not the same as on a website. We can't ask people to input their password on the phone like you do on a website. You know, yelling at people to use a password manager is not going to be the answer here, because you don't want people to have to spell out a 16-digit, multi-character, special-character password over the phone.

So let's take a look at what I found. So here are some of the results of the types of identifiers that companies were using when I called in. Unsurprisingly, phone numbers were the most common, so there is a lot of places that were using my phone number to try to identify me. I grouped together things like account numbers on here, so this would be anything like the Apple device ID, the insurance numbers, things like that that were tied specifically to that account. That was another pretty common way. Email is obviously very common, but sadly only a few places actually used any type of authentication in the research that I did, and so these are all at the tail end of this chart, and these were things like PINs, one-time PINs (this is something that AT&T does), SMS 2FA (which was more common than other types of secrets but still not very common), service codes (I'll talk about how those were used), and there's this password that was used that wasn't actually like a verbal password or anything that was intended for the phone experience. That was a shipping company that actually just asked me for my online login password. I think they wanted to impersonate me and that was the only way they knew how to do it. And then calling me is also a form of authentication. Verizon does this, and so I called them and they're like, "in order to authenticate you we're going to call you back at the number listed on your phone," because, you know, phone number spoofing is an option that people will use to try to attack your account.

But now let's look at some of the more qualitative data and break it down into what some companies are doing well, all the way down to the things that kind of scared me. So the good things here, this is pretty straightforward: anytime anybody actually used authentication it was generally a better experience, and so this was doing things like one-time codes and also refusing to disclose personal information. Sometimes I would ask about what email address was associated with my account or ask about the address on my account, and the places that had well-trained agents or good security would refuse to disclose that information to me, which is good, because like we saw, that identity information can be used to verify your identity on other platforms and could be used by an attacker to get more information about you so that they can attack you in another aspect. Random bonus delight here: I was put on hold a lot, and Apple lets you choose your hold music, so like "would you like to listen to jazz?" and I was like "yes, please." That was pretty cool.

So Netflix is an example of a company that does authentication pretty well. When you call into Netflix, their automated intro says "welcome to Netflix, for faster service please log into your Netflix account and look for the service code at the bottom of the page." I was like, what the heck is a service code? And so I do this, I look at the bottom of the page, there is this thing at the bottom that says "service code," and when you click on that it gives you a six-digit one-time PIN. This is a pretty good way to handle this type of authentication, because if you have a Netflix account you've probably logged into it on a computer. This is probably something that you can expect your users will be able to do. And this code does refresh. I'm not totally sure how often. It's not tied to your session, because I tried logging out and logging back in and that did not change the code, but once I checked it again a day later the code had changed. And so theoretically this isn't too hard to implement. It's some kind of time-based one-time password, much like you would get with a service like Authy or Google Authenticator. This is something that you could put on your website, tie it to a session or an account, and then you would be able to generate this code that could be used in your contact center as well. And this is really nice, right? This is a good experience for the user, and it's actually a form of authentication that offers some of this hybrid platform security that they can use on their device, where they already have authenticated themselves, to get this information back.

Another example of good authentication came from American Express. This was interesting because this authentication only happened after I tried to take an action on my account. And so when I was trying to get information about my account, they only verified my identity with my phone number and maybe my email or date of birth, I don't totally remember. But once I had to get them to send me a new credit card, they first connected me with a security specialist, which I thought was interesting, and then they sent me this SMS which said "this is a one-time fraud code, please provide this to the person on the other end," and they were able to use that to authenticate me, so to send a credit card to my new address. The only thing that I'm not a huge fan of here is they don't really provide any context about what this code is about. Amazon is an example of somebody else that does SMS 2FA, and in their one-time password text message they say "are you trying to call Amazon?" And I think that's an interesting way to do it, because they indicate what this one-time code is for, especially in the case of someone trying to phish you.

Most companies fall into this category of "it was pretty okay," and maybe they had done the math on this and decided that it wasn't really worth it to implement better security, but I still think there's room for improvement in this category. I think this is where we start to see a lot of the user experience fall in, and so I highlight people that are automatically detecting the phone number that you're calling in from, because that's a good experience and it makes it slightly harder for people to try to impersonate you, because if somebody has the phone number that they want to look up your account with, it's much easier for them to give that to a support agent rather than try to impersonate your phone number. Verifying multiple forms of personal information: if you're not going to do true authentication, at least trying to get me to give you like three parts of my personal identity is going to be a lot better than only asking for one. And then prompting with relevant account actions: I think this is something that both saves the call center time and directs me to a use case that's probably going to be more relevant for what I'm calling in about. So I know how much we all love United Airlines, but I think they do a pretty good job of this. And so when you call in they say "hi Kelly, welcome back." They recognize the phone number that I'm calling from, and then they'll give some information about, are you flying? "I see that you're traveling from San Francisco to Newark, is this what you're calling in about?" And this is good, because chances are that's what I'm calling in about, and that saves everybody time, but it also provides some identity information to me to jump ahead in that process. If you do try to change anything on your account with United, they will ask you to verify your identity with your date of birth, and so I think that's another way they're asking for those multiple forms of identification. Again, this is something where there's a lot of room for improvement in the security process, but, you know, United, maybe that was a threat model that they had considered and they don't really care about implementing more security, or they just haven't implemented it yet because it hasn't affected them as much as it could. And the only thing that I will mention here is that there's a little bit of a risk here, because they're providing some location data back about my personal location. This would probably tell anybody that we've gotten to this point that I am currently in San Francisco, but I'm okay with this because it's useful to me as a caller, and this is ephemeral data. It's not like they're giving my home address back when I call in, which people did do.

So some of the bad things that I saw, and I label this basically as a phishing risk with minimal effort: these are companies where, if you had one piece of information about me, you could probably get access to everything on my account. And this was also very, very common. So the identity that they're using, especially if it was only one or two pieces of identity, would be very, very easily accessible public information. So these would be things like my phone number or my email or my date of birth. There are a lot of people that know that information about me that could probably use it to attack my account. And then there's requiring a social security number, which I don't have time to get into today, but social security numbers are not secrets. They're not secrets. They are public information, and they were issued serially until 2011. Was anybody here born after 2011? No. We can probably narrow down your social security number just if we know your date of birth, which a lot of people know. Don't use social security numbers.

So these are the really, really bad things that I saw. So there were companies that were just giving out identity information, and this happened with multiple utility companies that I called. This was them trying to be helpful in a way that I do not like, where you call in, they recognize my phone number, and they say "hi, are you calling about your account at 123 Main Street?" And I'm like, ooh, that's a little much, because that address information, if somebody was trying to dox me or attack me, that would be a really easy way for them to get that information, and it's also something that's not going to change very quickly, unlike a flight schedule. That's information that could be used in a lot of harmful ways. This also came in the form of people that were offering kind of the affirmative questions, like "is your username Kelly1234?" And that's another way that the agents are trying to be helpful, but they're giving me information about myself that could be used for me to attack that account. And so this happened when I called a financial services firm. This was really bad because they let me reset my 2FA and my password. These were things that I legitimately needed to do, but they only ever asked me for my phone number, and they let me reset my 2FA and my password, and in the context of that call they gave me my username without me ever asking for it. That is very, very bad. The agent should not be able to do that.

But in this category is where I accidentally phished a major hotel chain. And so this happened a couple months ago. I called in to get a copy of my latest stay, the email receipt, so that I could expense it. So the system immediately said it didn't recognize the phone number that I was calling in from, so "please input your phone number and we'll look up your account that way." So I did that, I inputted my phone number, and I got connected to an agent. The agent looks at my stay based on my name and the specific hotel that I had stayed at, and then sends me the receipt. She asked me for my email to send it to, and she said, "you know, it might take a couple minutes for it to send." I'm like, "yeah, I know that can happen," so I didn't really think much of it when I didn't get the email right away. And so I asked her about the phone number thing from the beginning, just kind of wondering if me inputting my phone number actually pulled up my account, and she said "no, I looked up your account based on your email." I was like, "okay, cool, like what is the phone number on my account then? This is the only phone number that I would probably put on that." She gives me that phone number. I'm not trying to be malicious here, I was genuinely just confused at this point. She gives me the phone number attached to that account. It is not my phone number. I write the phone number down, because I'm very curious, and so after that, the worst part about this is she's like "would you like to change it to your phone number?" because I reacted being like "oh, that's not my phone number." I was like "yes, I would like to change this to my phone number," not thinking that I was, you know, on someone else's account at this point. I was just like, some information got switched around here that I want to update to my own. So I hang up the phone, I go check my account online, and sure enough there's no phone number attached to that account. I still haven't gotten this email receipt at this point either. And so I look up the phone number, because I work at a company that has an API to do this. This is a very public API. Again, I wasn't doing anything nefarious here, but this phone number belonged to a Cathy Robinson. My name is Kelly Robinson, so my working theory is that the call center agent misheard me, or I misgave her my email, and she was operating off of Cathy's account this entire call. I'm really sorry, Cathy. I changed your phone number to mine on that account. Agents are just trying to be helpful here, right? I don't blame this agent for doing that. She was trying to get me the information, and there were no guardrails in place for her not to be able to do that. And it's up to us, as the technologists and security people that build these systems, to help the agent succeed without being insecure. Sorry again, Cathy. If any of you are named Cathy, by the way, come talk to me after. This person was also Bay Area-based, so I'll give you details.

So the recommendations here: what can you do about it? PS, all the people in stock photos of contact centers always look so happy, and it's not that the people that I was talking to didn't look happy, but I don't think they were in offices that had that much natural light. So the first recommendation: match the rigor of your web authentication. And we talked about this a little bit, because this can be challenging, because you can't ask people to input long, secure passwords that are randomly generated per website. It's not a good experience, and that's not something that we can expect people to do. But there are other factors that you can use to authenticate. There are secrets that you can use that aren't a password, and you can use a something-you-have factor or a something-you-are factor in other ways. And so you can take advantage of things like the voice platform. You can use things like either voice recognition or verbal passwords. Verbal passwords are something that I've seen banks do. I think Vanguard does this. They have a verbal password that you can set up with an agent on the phone. This is something that, I don't know how they store it, if it's a recording, but it's never written down, so you're not trying to be like, "yes, my mother's maiden name is X capital I 37." That's another hint for security questions: you can save them in your password manager. That's what I do. I'm a little paranoid, though.

So there's other things that you can do here, which is to honor user settings like 2FA. And so this is something that I saw, you know, I hate to pick on Amazon here, because overall they do a really, really good job of over-the-phone authentication. This is what happens during the call with Amazon: they automatically send you this text message before you even get talking to an agent, and so they verify and authenticate you before you actually get connected to the agent by sending you this text message. I'm assuming this is sent to the number that's connected to your account. I don't know exactly how that gets set up, but I like this because it's hard enough: you have to type back "yes," so it's not something that you're going to accidentally approve if this is not something that you're doing, and it specifically asks you "are you calling Amazon?" But what about my TOTP? I have 2FA set up with Amazon through Authy. This is not something they ever asked me for when I was calling them, and so there's a disconnect there. They're not quite the same thing. They're still using 2FA for authentication, but over the phone it's actually just more like one-factor authentication, because they're not asking for another factor in that situation. And so this is something that we see: the rigor is not always met with these systems. And Amazon's a very, very good example of somebody that's doing security well, but this is still a disconnect there. And there's a lot of companies that maybe have, like, you know, like my bank. They have a password and 2FA turned on. You know, I actually happen to have a bank that has 2FA that they prompt me for sometimes, which is great, but when I call them they never ask me for any of that information. They never ask me for a password. They never ask me for 2FA. They're only asking me to verify things with pieces of identity information.

So some strong authentication options here that you can use to increase the rigor of these systems are one-time passcodes: use something that people have, either through an app-based thing like a push notification, or something like those service codes through Netflix, or the SMS-based 2FA. I mentioned voice recognition and verbal passwords. This is not something that I personally use, but this is something that could be used in the voice channel, because this platform does support voice. And then there's this idea of hybrid platform security, and so one example that we saw of that was the service code through Netflix, but I think of this example all the time with the TV security. And so this is something when you're logging into, like, YouTube or Netflix (actually Netflix doesn't do this, at least on my TV), but there's these TV apps, and people have seen this, where you have to type in a one-time code. This is great, right? Because it's the same problem: you can't really type in a password using your TV remote. Like, you can, but it takes forever, and nobody likes doing that. And so what they do is they display this one-time passcode after you give them your email or something, and then they ask you to go verify that with a logged-in, authenticated session in your web account. This works really well for services where you can expect the person has access to that web account and can log in through their computer.

The next recommendation is to build these guardrails for agents, right? We want to make sure that our agents are able to succeed in helping the customers, and we don't want to make it easy for them to mess up. And so one way we can do this is limit caller information that's available to agents. You could display everything about the user record, but the agent probably doesn't need to know all that information, depending on what the user is trying to do, especially if they're just calling in for basic information, maybe about the orders on their account. They may not even need to know the address that those orders were shipped to. You can only expose information to the agent after the caller is authenticated, and so this is a little bit harder to implement because you have to have that tied in together, but this is something that also limits the exposure to the caller and to the company that's building the call center. And this is something that I'm in favor of: having that small set of agents especially trained to do the high-security options, and so that limits the scope of who you have to train in the extra security, and that also makes sure that those people are probably going to have a better experience overall, because they're more likely to be connected to somebody that knows how to detect fraud and help them out in a good way. And then there's this idea of silent authentication, and so these are things that you can do to save yourself time. These are things that you can do before you ever actually connect the caller and the agent together. These are things you can do by looking up a phone number, providing risk information about the caller. There are services out there that will fingerprint and provide a risk score for the person that's calling in. You can detect the line type: is it mobile or VoIP? If somebody's calling from a VoIP number, it's probably more likely that that's going to be correlated with fraud. It's not necessarily that, but these are things that you can use to try to detect fraud that will save the agents time.

So here are two options for an agent dashboard. I think the option on the right is a little bit more secure, because this is something where the agent isn't going to unnecessarily give me back the email on my account if they have to type it in. And so this happened when I called a major retailer. They looked me up, they looked up my identity and my account based on my phone number, and they asked me to verify my identity with my email. I gave them my email and they were like "that's not the email on your account." I was like "well, is it this or this?" and they said "no, no, it's not that." And so I was genuinely confused. I didn't know what email was being used for this account, and so what they did is they ended up giving me the domain that that email had. It was my university domain, and so once they had that I was like "oh yeah, obviously I know that email," and it was much easier for me to recall that email once I had half of it. But at that point an attacker would also probably be able to give them that email as well. So option two is obviously going to take a lot more time, and so you might get pushback on implementing something like that, but this all kind of leads us nicely into this idea of: we have to consider our threat models. So those are things like, what are you allowing people to do over the phone? You don't have to allow them to do every action over the phone. Think of the common use cases that you want or need to support, and if there's something else that you don't want to support over the phone, depending on your company, you might just have to redirect people back to your website to do that. I think it was UPS that I was talking to, who I was trying to get to change the address associated with my account. They said "yeah, we can't do that over the phone, you just have to do that on the website," and that's fine, especially because that was an account that I had to create on the website. I wasn't calling about a password reset, and so it was likely the case that I was able to access that account. You know, a lot of these situations were things that I normally would have done online anyway, and then I was just trying to see how this would happen over the phone.

So what are we going to do next? Again, everyone in this photo is just so happy. So there's a lot of options here. I think we are going to see more things with actual authentication moving forward. The future of call center authentication, I think, is going to be this kind of in-app experience, so if your user already has an app that they're logged into on their phone, this is going to offer more of that hybrid platform approach. And there's also all this stuff that you can do with fingerprinting around data about users and their phone numbers. This might sound a little creepy, but if it's used for security and you inform them of how it's being used in the right way, I think that can offer a lot of security and save them time in the end.

So what do we want to take away from this talk? Identity is not authentication. If at all possible, please use real authentication and implement that in your systems. Don't provide personal information to the caller if it's not necessary. Match the rigor of your web authentication: think about how you've built it for your website and apply that rigor to your over-the-phone call experience. Honor user settings for things like 2FA. Make it hard for your agents to mess up: don't let them access more information than they need, don't display that information to them if they don't need to see it. And finally, figure out what makes sense for your business. This is something that you're going to have to, you know, do the work on and figure out if this is something where you need to implement additional security. If you're in a bank, this is probably something that you want to do. If you're, like, a flower shop, I don't know, maybe not, but obviously this is one of those conversations where, like everything in software and security, it depends for you. So, like, there's

no perfect solution here but I hope I've given you some ideas for how you can think about the security of your over the phone authentication systems if your company has a customer support line call it take notes think about the holes in your system and if you were a hacker how you would be able to penetrate it come find me after this if you have any questions once again my name is Kelly not Kathy and thank you for listening so we have a Q&A session right now so there's two microphones in this room just go ahead and raise your hand and we'll bring you the mic and Kelly can answer some questions so we have our

first question up here and I'll be right up there hi Kelly I'm Maria so my company specifically doesn't do contact center stuff but we do have customer support that's online what would you say would apply and what would be different if we're talking about email specific contact centers that's a really good question so I if you're in a different medium you have to think about what's like useful for that medium and so emails are also something that you can impersonate but you can look at the email that's being associated with their account if they're trying to do sensitive actions either starting the thread up again with the email that's already connected to their account as an

option that's kind of like the call me feature I'm the Verizon used to authenticate me and then just also sending notification emails that somebody is trying to change something on their account when they do this there is also a way that you can if it's something that maybe you want to make sure that somebody has a secure platform is something with your company that they have like sales reps or somebody that would know them yeah so I mean there's there's options here that you can use to authenticate them in other ways but I think like the the automated solution that I would suggest there is basically trying to either restart the conversation that the email

that they have connected to their account verifying that email address to make sure that's something that they are able to field security or account questions with your support team with um so basically doing that kind of account verification process

hi Kelly a lot of your suggestions which were great by the way assumed that the user could log into their account and I have a sense that it's a fairly common situation for people to call a support line because they can't log in do you have any specific suggestions there or you know what what which of those options that you mentioned still exists yeah account recovery is a totally different like scope of problem here and as I mentioned kind of at the beginning I think that's kind of like the next level of research that I'd like to do is call back all of these companies and try to reset my password I don't necessarily have

recommendations for that right away because a lot of that's going to depend on like the security and threat models of your company and what you want to allow for password resets and account recovery in that type of situation it's something that we think about a lot with authy especially being like a security tool we go through a pretty rigorous we make the process pretty rigorous for people to recover their of--they accounts if they no longer have access to that because people can use that on a lot of nefarious ways if we end up making the recovery account to an attacker Cathy sorry clearly so the California consumer Privacy Act it's going to come into play

in about less than a year and one of the mandatory methods is a 800 number in order to do that so I'm looking at this in thinking that we should be kind of worried because it you know one of the things they have to do is a good authentication otherwise there's a risk of breaching and then now they have an issue and write a private action on a breach so seems like this is pretty opportunity yeah I don't know a ton about that legislation and if like my suggestion there is if you're somebody that needs to then have a 1-800 number but you want to still like limit this is sensitive actions that are available to

do over the phone that could be an option I don't know if the legislation prohibits that and makes you be able to do everything over the phone that you can do online I would be kind of surprised if that was the case but of course I could be very wrong about that yeah we should all be concerned that's that's a major takeaway of this right every security talk be more paranoid do we have any more questions from the audience I'll be around all day if you have any other questions come find me today or tomorrow thank you thank you and we have lunch set up for you at City View so please enjoy lunch and we will be back here at

1:30
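As an added example, not code from the talk or from Twilio, here is a small Python sketch of two ideas from the talk: the silent pre-screen on line type before a caller is connected to an agent, and the "option two" dashboard where the agent types what the caller says and the service answers only match or no match, with an attempt limit so the comparison cannot be used to guess the email on file. The phone numbers, the line-type table, the salt and the account record are constructed placeholders, not a real lookup service.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a carrier line-type lookup (not a real lookup API).
LINE_TYPES = {"+15550001111": "mobile", "+15550002222": "voip", "+15550003333": "landline"}

# Constructed per-deployment salt; the agent-facing service only ever sees a
# salted hash of the email on file, never the address or its domain.
SALT = b"constructed-per-deployment-salt"

def _email_digest(email: str) -> bytes:
    # Normalize so case and stray whitespace typed by the agent do not cause a false mismatch.
    return hashlib.sha256(SALT + email.strip().lower().encode()).digest()

# Constructed account store keyed by the caller's phone number.
ACCOUNTS = {"+15550001111": {"email_digest": _email_digest("kelly@example.edu")}}

MAX_ATTEMPTS = 3  # answers given per call before the check stops responding

@dataclass
class CallSession:
    caller: str
    attempts: int = 0
    locked: bool = False

def pre_screen(caller: str) -> dict:
    """Silent authentication: pick a queue and a risk hint before any agent picks up."""
    line_type = LINE_TYPES.get(caller, "unknown")
    risky = line_type in ("voip", "unknown")  # correlated with fraud, not proof of it
    return {"line_type": line_type,
            "queue": "fraud-trained" if risky else "general",
            "known_account": caller in ACCOUNTS}

def verify_email(session: CallSession, typed_by_agent: str) -> str:
    """Option two: compare what the agent typed against the stored digest.
    Returns only 'match', 'no_match' or 'locked'; an unknown caller looks
    identical to a wrong answer, and the attempt limit stops oracle guessing."""
    if session.locked:
        return "locked"
    session.attempts += 1
    if session.attempts >= MAX_ATTEMPTS:
        session.locked = True
    account = ACCOUNTS.get(session.caller)
    if account is None:
        return "no_match"
    ok = hmac.compare_digest(account["email_digest"], _email_digest(typed_by_agent))
    return "match" if ok else "no_match"
```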