A major concern for any organisation that routinely processes customer card transactions is the risk of fraud or cybercrime. With PCI DSS 3.0 compliance top of mind, call centres go to great lengths to protect online card payments. Having delivered vulnerability testing at call centre sites over the years, I’ve listed the top vulnerabilities to look out for – some old, some relatively new – as a lapse in managing any of them will leave you exposed and pose a serious barrier to PCI compliance.
1. Gaps in Physical Security
A common feature of call centres is high staff turnover, which makes it almost impossible for staff to keep track of who belongs on site. To counter this, call centres use a variety of methods including infrared barriers, photo ID cards, and security staff to control access to the building. Even so, it can be relatively easy for determined individuals to trick their way past security.
Once inside, there may be ample opportunity to come across invoices, credit card transaction slips, or Post-it note password reminders left lying around. Simple measures include appointing someone to stay with a visiting group, questioning unfamiliar hot desk users, encrypting devices, and enforcing network access controls. Also, a casual observer shouldn’t be able to see full credit card information either in emails or on a screen.
2. Plausible Phishing Scams
Constant handling of customer cardholder data makes call centres a regular target for spammers. A classic tactic is to send an email pretending to be from inside the company. A particular favourite and effective phishing attack is the “planned outage.” A spoof email invites the recipient to click a link and log on for further details. Our experience shows the success rate of this simple technique can be as high as 75%. Spear phishing attacks are even more convincing.
To minimise damage from these scams a company should implement tight email filtering controls, use SMTP authorisation to block external emails that pretend to come from inside the organisation, and educate staff about the dangers of phishing and tell-tale signs such as links to external websites.
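The two tell-tale signs above (a From: address claiming the company’s own domain while the message entered from outside, and a body link to an external site) can be checked mechanically at the mail gateway. The following is an added illustration, not code from the author or SureCloud; the domain example.com and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumption: the organisation's own mail domain

# Constructed "planned outage" lure for illustration; not a real message.
SAMPLE_SPOOF = """\
Received: from mail.example.com (mail.example.com [10.0.0.5]) by mx.example.com
Received: from evil-host.example.net (evil-host.example.net [203.0.113.9]) by mail.example.com
From: IT Helpdesk <it-helpdesk@example.com>
To: agent@example.com
Subject: Planned outage - action required
Content-Type: text/plain

Due to a planned outage, please log on at http://example-support.net/login
to confirm your account before 5pm.
"""

def is_org_host(host):
    """True if a hostname (or e-mail domain) belongs to the organisation."""
    host = host.lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def triage(raw):
    """Return the list of reasons this message looks like an internal-spoof phish."""
    msg = message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    claims_internal = is_org_host(sender.rpartition("@")[2])
    # Collect every 'from <host>' in the Received chain; a hop outside the
    # organisation means the mail entered from the internet, whatever From: says.
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+([\w.-]+)", str(hdr))
        if m:
            hops.append(m.group(1))
    external_hops = [h for h in hops if not is_org_host(h)]
    body = msg.get_content()
    external_links = [h for h in re.findall(r"https?://([\w.-]+)", body)
                      if not is_org_host(h)]
    findings = []
    if claims_internal and external_hops:
        findings.append(f"From: claims {ORG_DOMAIN} but mail entered via {external_hops[0]}")
    if external_links:
        findings.append("body links to external site(s): " + ", ".join(external_links))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SPOOF):
        print("ALERT:", finding)
```

Received headers are written by each relay in turn, so the check is only trustworthy for hops recorded by your own mail servers; treat the hop list as evidence for quarantine, not proof.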
3. Unauthorised USB Devices
Staff often bring their own USB devices in the office from home. Sometimes these devices unwittingly introduce viruses such as Gameover Zeus and Conficker into the network. USB keys can also be used to copy files and take them from the building without authorisation.
A combination of good, up-to-date antivirus software and some form of USB device control technology will mitigate these risks.
4. Unauthorised Access Points
Often call centres sensibly insist on a ‘no wireless’ policy. But that doesn’t necessarily stop staff from setting up their own wireless access point. If these have only basic protection in place, outsiders can use them as a way into the company network. This is where you need to deploy rogue access point protection, which scans for unauthorised access points and alerts IT if one is discovered. Regular manual checks for unauthorised access points are also advisable.
5. Unsecured Bluetooth and DECT Headsets/Phones
Call centre staff may bring their own Bluetooth and DECT headsets or digital mobile radio (DMR) devices into work. These are insecure, and if Bluetooth is left switched ‘on’ the device will be broadcasting constantly without anyone realising. Nowadays a Software Defined Radio (SDR) capable of eavesdropping on Bluetooth and other devices costs only around £100. An outsider sniffing for Bluetooth and DECT calls can collect all the cardholder information needed to commit fraud. The remedy is to impose policies that strictly prohibit unauthorised use of Bluetooth or DECT headsets and phones. The policy should be supported by instructing security staff to make regular physical sweeps of the offices to look for unauthorised devices.
6. Insufficient Staff Background Checks
Call centres make attractive targets for criminals, because working in one gives ready access to credit card and other valuable customer information. Minimise this risk by undertaking thorough background checks when recruiting, and note that the PCI SSC also recommends practices such as masking primary account numbers, USB device control and training staff to be alert to suspicious behaviour.
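Masking primary account numbers, mentioned here, is also what stops the casual observer in section 1 from reading full card details in an email or on screen. The snippet below is an added example rather than anything from the author or SureCloud: it finds Luhn-valid card numbers in free text (skipping order references and phone numbers that merely look numeric) and rewrites them to the first six and last four digits, the most PCI DSS 3.0 requirement 3.3 allows to be displayed. The sample ticket note is constructed and uses well-known public test card numbers.

```python
import re

# Loosely matches 13-19 digit runs, optionally separated by spaces or hyphens,
# as they appear in e-mails, tickets and screen captures.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit test; filters out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """PCI DSS 3.0 req. 3.3: display at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_unmasked_pans(text):
    """Return the Luhn-valid card numbers found in free text (digits only)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def redact(text):
    """Replace every Luhn-valid card number in the text with its masked form."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)

# Constructed ticket note; the card numbers are public test numbers, not real cards.
SAMPLE_NOTE = ("Customer paid on 4111 1111 1111 1111, backup card 378282246310005, "
               "order ref 1234567890123456, callback 020 7946 0123.")

if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

Run the same detector over outbound mail and agent screen-capture text to find where full PANs are leaking, and the redactor in the display path of any internal tool that still shows them.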
7. Telephone-Based Social Engineering
Anyone can call a call centre pretending to be a customer and attempt to extract valuable personal information about a target individual. Rigorous training in the correct procedures to follow, and in how to handle a variety of challenging call scenarios, is the best way to counter this. It should also be policy that a caller is only ever given limited personal information over the telephone.
8. IT Administrative Errors
Finally, call centres are no different from any other workplace when it comes to common IT errors. Common IT administration lapses include infrequent software patch management, incorrect server permissions, and ordinary users being given administrator privileges for their desktops as a short-cut to fixing problems. All of these issues can be solved using IT best practices such as regular patch application, regular permissions checks, log management and so on.
To sum up, most of the vulnerabilities covered by PCI DSS 3.0 will already be familiar. Strong encryption and a programme of regular checks can help detect and eliminate configuration or rogue systems issues – both old and new.
By Toby Scott-Jackson, Senior Security Consultant, SureCloud
Bio: Toby has accumulated a vast amount of experience in his 15 years in the security industry, and is now viewed as an industry authority by both peers and clients alike. Toby began his career as a successful consultant with assignments at Sybase, SBC Warburg, and many other well respected commercial organizations. UK and US Government work has exposed Toby to information security on a global level, which has resulted in him developing a unique set of skills.
Toby’s specialist interest is Internet infrastructure, and complex attacks and network weaknesses originating from outside the organisation’s perimeter. He works closely with a number of ISPs to mitigate serious threats such as distributed denial of service, DNS poisoning and routing/tunnelling attacks.
In 2000, Toby founded AIL, a boutique penetration test company servicing the security needs of a growing number of City based companies. After a successful trade sale of AIL in 2005, Toby co-founded SureCloud in March 2006. Toby is responsible for security research and development, and heads up the SureCloud consulting division.