We Need To Talk (About Security)

It’s easy to forget, but the most basic social media channel of all is... talking. And when it comes to banking, that’s come to represent a glaring security flaw.

Most financial services institutions are hyper-vigilant about building information security defenses into their online and mobile channels. It’s not just required by law, thanks to dozens of compliance mandates; it’s also good for business. More to the point, as documented on this site, many banks have launched education and marketing campaigns to spread the word about the security measures that they take, and what their customers should do to prevent theft, fraud and other forms of abuse.

However, that still leaves one key variable—call centers. It’s a curious dichotomy: many of us take those anonymous voices on the other end of the phone for granted (unless they can’t provide the answer we need), yet we freely give them all kinds of sensitive data, everything from addresses and social security numbers to account-specific information. Let’s face it, we have to give it to them to get the answers we need.

It’s almost reassuring to know that the calls are being recorded, since this helps improve customer service, and gives us a backup. It also means those calls are being stored and archived somewhere—and that presents a problem.

For the record, there are certainly regulations governing these practices. The PCI Security Standards Council, which maintains the Payment Card Industry Data Security Standard (PCI DSS), says such recordings fall under the scope of PCI compliance, but it’s clearly an area that has received less attention with regard to security.

There are several issues here that deserve scrutiny.

First, any kind of information exposed through voice communications offers a goldmine for social engineering scams. The range of tactics used varies widely, but they mostly involve manipulation for the purpose of gaining confidential information. In the past, these attacks were of a random and mass-market nature. Now, thanks to the wealth of personalized information available through social media channels, they’ve become far more targeted and sophisticated. Every nugget gleaned through hacked voice communications offers a major step forward for the bad guys.

More broadly, so much of call center work is outsourced that it’s sometimes difficult to ascertain where the voice on the other end of the call is physically located, and where the calls are being stored. (In some cases, the company that wins the contract in turn outsources the work to a call center located in a different country.)

While the practice gained popularity as a means of greater business efficiency, outsourcing has in the past few years become a volatile political issue. Legislation introduced in Congress would, among other mandates, require businesses to disclose to callers when their calls are transferred abroad, and potentially give them the option to be transferred to a U.S.-based representative. While U.S. employment is clearly the primary driving factor, security is frequently cited as a key issue.

More regulation may be inevitable, but as always, the industry itself is best qualified to implement the best security, not because it’s forced to but because it’s good for business.

Just as technology enables optimal communications, it also enables optimal security. For example, there is software that automatically halts recording when key words with sensitive information are used.

In some ways, call centers represent old-world banking, while the threats they face are quite new. What really matters, however, is that whatever the means of communication, it’s up to us to protect our customers, and that means protecting every kind of data we receive.

Written by Banking.com Staff