Last week’s media coverage of a disturbing Victorian court case involving identity theft, has security implications for all contact centres.
It involved the conviction of a Melbourne woman on six charges of stalking. For several years the woman acted as a catfish, posing as people she wasn’t, on the internet. She was behind the fake profile of a former Home and Away actor, and misled two of her victims to believe they were in a relationship with him. She harassed and stalked them on the internet, and on their mobile phones.
There are many sickening parts to this horrific story, which we won’t repeat in this article. Full details are disclosed in this ABC News article.
However, there is one aspect which is particularly disturbing for the contact centre industry – which is how this fraudster managed to dupe Optus contact centre staff, many times over.
When one of the women realised she had been conned, she changed her mobile phone number.
However, as the catfisher had already obtained her basic details by this stage (ie: name, date of birth and old phone number), they were used to contact the telephony provider’s live chat team and obtain the new phone number. She cleverly manipulated the customer service agent to obtain access to her victim’s account. The stalker now had her victim’s address and even further personal details.
The victim changed her phone number again and put the account under her father’s name and secured it with a pin code. The stalker kept contacting the provider’s live chat team and duping operators into revealing the new number, in one instance claiming she’d forgotten her login details, and also the email address she’d registered her account under.
In total, the victim changed her number six times, and each time the stalker was able to get the new number through customer service live chat.
The telephony provider advised that human error was to blame for the release of information to the stalker. The company said it has “ceased high-risk transactions” within its Live Chat platform, including changes to email addresses and SIM swaps. New security measures were introduced, including extra fraud awareness training for staff, and compliance audits for front-line staff.
Identity theft and fraud is on the rise
Most identity theft is used for financial gain and criminal activity, not for malicious stalking. No matter the reason behind it, however, the fact is that contact centres are prime targets for people committing identity theft and that fraud awareness and tight security measures are crucial.
According to the Australian government, around 5% of Australians are affected by identity theft every year, costing victims, businesses, and government agencies $2.2billion. To put that into perspective, someone is impersonated every 20 seconds.
Emails, addresses, and phone numbers are readily available to hackers in online marketplaces, and passwords are often easy to crack.
In 2018, data breaches compromised the personal information of millions of people around the world. Some of the biggest victims included Marriott Hotels, Cathay Pacific, Quora, Facebook, Google, and Orbitz.
Already in 2019 in Australia the Early Warning Network, the Victorian Government and First National have all been attacked.
How to combat fraud
Combatting fraud and identity theft involves implementing procedures and technology that make it extremely difficult for fraudsters to dupe contact centre team members.
The Australian Government Cyber Security Centre recommends using multi-factor authentication. In essence, multi-factor is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction. It could be
- something the claimant knows (e.g. a personal identification number (PIN), password or response to a challenge)
- something the claimant has (e.g. a physical token, smartcard or software certificate)
- something the claimant is (e.g. a fingerprint or iris scan).
This significantly improves security, however it’s use is not yet widespread in contact centres, because two-factor or multi-factor authentication is considered incompatible with one of the main aims of any organisation dealing with today’s consumers: delivering an experience that is streamlined, convenient, and easy to use.
The conundrum lies with striking the perfect balance between customer security and usability. The Gemalto global survey on data breaches found: “The modern-day consumer is all about convenience and they expect businesses to provide this, while also keeping their data safe.”
Voice has become the new identity authentication medium for many organisations, as each of us has a unique voiceprint, like we have unique fingerprints. Voice biometrics has become a key customer validation method for many financial institutions in Australia and overseas. The use of biometric authentication methods are predicted to rise in coming years, particularly in access control, workforce management, banking and payments, immigration, law enforcement, and government services.
Take security action now
It is a sad fact of life that while the advancements of technology have brought countless benefits to modern life and society, it has also provided malicious individuals and organised crime with even more ways to perpetrate their crimes, and more ferociously at that.
However, technology can also help to thwart their efforts. We urge every contact centre to review their security, look for holes in procedures and systems, and to ensure that they have the technology to support modern security practices.
We all need to be well-prepared when it comes to protecting our clients’ identities and data. We all need to take action to combat identity theft and its terrible consequences.