That the Equifax breach will be a major watershed moment in the history of data security, impacting consumers nationwide for years to come, is not a terribly controversial point. The real concern is that the most personal of data — names, Social Security numbers, credit card numbers, addresses, birthdates, driver’s license numbers — of basically the entire adult population of the United States has disappeared into the dark web.
All the permutations of trouble that will grow from this one event — well, that is the mystery box we as a nation are still opening. Even in these early days, the initial move by cybercriminals, newly armed with all this data, is somewhat surprising. One might have expected a rush to the web for some fraudulent purchases.
Yet fraudsters, noted Karen Webster in conversation with IntraNext CEO Patrick Brown, are great fans of following the path of least resistance and striking what they perceive to be the weak points in the system.
Enter the call center: a place where fraudsters are now equipped with the knowledge to pass all the usual authentication checks with flying colors — courtesy of Equifax, of course, which has given them the consumer identity gift that keeps on giving.
“It is bad news when the bad guy already had access to much of the data he or she needed to fool standard authentication,” Brown said. “Word on the street is that the big worry … now [is] that hackers can really start going hard after financial institutions — where all the real money is.”
Banks and investment houses, he said, have been a longtime target of cybercriminals, and call centers have always been a favored weak spot for hackers. It’s why — even before the Equifax data breach — firms were exploring advanced technologies to improve security, such as biometrics. But even that, Brown said, may require a reset, since fraudsters are finding ways to hack biometrics and lock a real user out.
Unfortunately, Brown admitted, that isn’t even the bad news in this story.
“The scariest part of all of this? There is no silver bullet for fixing it. Historically, in a multifactor authentication scheme, the combination of all those data elements was what prevented the bad guys from getting access. Now, much of that data has been exposed.”
So, is it time to give up? Lock your Social Security number (SSN) and resolve to pay only with cash for the rest of your life and only use those services at which you can pay in person?
Not quite, Brown said. There may be no silver bullets, but there are mitigations to the situation.
Protecting Data in the Post-Breach Era
Account takeover and the creation of false accounts, Webster and Brown agreed, will be the massive twin issues that financial services players will have to address rather quickly.
From the consumer side, Brown said, one can freeze their SSN or work with a service that will monitor their identity for the rest of time (though he did note that, other than some insurance protections offered by those firms, consumers could probably do most of what would be provided for them on their own).
From the bank’s side, it will have to be a multifaceted approach. Banks can, Brown offered, modify the kind of data they need to authenticate a consumer. A popular variation is asking consumers the amount of their last transaction or the amount of their last deposit.
“These are things that a consumer should know or have pretty easy access to … [it’s] not a piece of data that would be easy for a fraudster to see until you have full access to a consumer’s account.”
Asking for this kind of information, he said, will require better training of call center staff, who want to be helpful to consumers and will sometimes bend the rules on authentication in the name of helping someone out. Which is a great thing, he noted, when the customer is who they say they are — less of a great thing, however, when the “customer” is a fraudster who also happens to be a decent actor.
Beyond fixing hackable humans, Brown said, there are technological improvements that call centers can make so that it’s easier to see fraud in action — even if all the data checks out.
“It’s pretty easy to spoof caller ID … it is a lot harder to fully fake where the call is coming from, and there are a number of companies out there that can tell where a call originated. So, if a call center application sees that this call should be coming in on a Verizon network mobile phone, but it is actually coming from a VoIP (Voice over Internet Protocol) from a foreign land, that’s a pretty good sign something’s not right,” Brown explained.
The good news? That technology exists.
The not so good news? Time’s a-wasting.
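As an added illustration (not code from IntraNext or from the original article), the origin check Brown describes and the last-transaction question mentioned earlier can be sketched as a small call-handling policy. The field names, decision labels and mismatch thresholds are assumptions, and the call records are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

@dataclass
class InboundCall:
    caller_id: str   # number shown to the agent; spoofable, so never trusted alone
    expected: dict   # line type / carrier / country on file for that number
    observed: dict   # same fields as reported by a call-origination service

def origin_mismatches(call):
    """List every field where the observed origin disagrees with the record."""
    return [
        f"{field}: expected {call.expected[field]}, observed {call.observed.get(field)}"
        for field in ("line_type", "carrier", "country")
        if str(call.observed.get(field, "")).lower() != str(call.expected[field]).lower()
    ]

def auth_policy(call):
    """Map mismatches to a handling decision (thresholds are assumptions)."""
    reasons = origin_mismatches(call)
    if not reasons:
        return "standard", reasons
    if len(reasons) == 1:
        # A lone difference (e.g. a ported number) earns a harder question,
        # such as the amount of the last transaction, not a refusal.
        return "step_up_dynamic_kba", reasons
    return "escalate_to_fraud_team", reasons

def verify_last_transaction(stated, on_record):
    """Dynamic check: compare the caller's stated amount with the account record.

    on_record is a Decimal or a decimal string taken from the account ledger.
    """
    try:
        return Decimal(str(stated).strip().lstrip("$")) == Decimal(on_record)
    except InvalidOperation:
        return False  # unparseable answers fail closed

# Constructed sample data: same presented number, different true origins.
ON_FILE = {"line_type": "mobile", "carrier": "Verizon", "country": "US"}
SPOOFED = InboundCall("+1-202-555-0100", ON_FILE,
                      {"line_type": "voip", "carrier": "unknown", "country": "XX"})
PORTED = InboundCall("+1-202-555-0100", ON_FILE,
                     {"line_type": "mobile", "carrier": "OtherCarrier", "country": "US"})

if __name__ == "__main__":
    for call in (SPOOFED, PORTED):
        print(auth_policy(call))
```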
In some sense, a bad data breach is good business for companies that are in the business of securing call centers. A 143-million-person breach quickly puts data security at the top of mind for all kinds of players in the finance and commerce world, meaning IntraNext has been hearing the phone ring a bit more lately.
“I don’t want to mislead anyone about our capabilities and intent — and this is a large-scale data breach … while we can do an awful lot to help players on [the] transactional side of the house, we can’t prevent a data breach,” Brown said. “What we can help with is fighting back the account takeovers and consumer hacks that are now going to be ongoing.”
He explained that IntraNext specializes in protecting consumers from having to reveal data to an agent — although that situation is, of course, complicated when the fraudster doesn’t need to trick the data out of the customer service representative, because they already have it. But IntraNext also specializes in integrating various technologies to help expose bad actors at the beginning of a transaction.
“I think this is a very challenging situation, and it is absolutely a massive problem if the bad guy has all the right data,” Brown said.
While there are ways to address the security challenges that have emerged following the Equifax data breach — by tracking where calls and web inquiries are coming from, revamping the types of authentication that are necessary for consumers and even installing things like voice biometrics — the problem is that the data is already out there. The white hats who are trying to prevent fraud are racing against the clock with the black hats who want to cause it.
“These changes aren’t a switch you can throw on; this stuff isn’t a do-it-overnight deal. It can be done quickly, but right now is the time to be getting a jump on it.”
While Brown said he generally considers himself an optimist about these things — which is a rarity for someone whose job it is to come up with ways to repel fraudsters day in and day out — in this case, with so much consumer data available on the dark web, it’s hard not to feel pessimistic about what comes next.
“I’d have to say from what I’ve seen so far, this is going to be very painful before it gets fixed.”