It's harder for me to order a pizza than it is to gain access to your personal information.
When I order pizza, I am always asked for my phone number. On occasion, restaurants have also called me back before sending the order. We all know why they do this: to ensure that they are not being victimized by pranksters. So, it certainly makes one wonder why it seems so easy to gain personal information from corporate call centers using what we call "pretexting".
This is a term that has been in the news a lot this week due to the scandal involving attempts by Hewlett-Packard to ferret out a leak on their board of directors. HP investigators allegedly used false pretenses to fool call center agents and gain access to phone records which included those of nine reporters. Investigators, con artists and hackers have been using the technique known as "social engineering" for years to obtain private and personal information.
If you've ever seen The Rockford Files on TV, then you have seen pretexting in action. In that show, Jim and his lackey, Angel, used social engineering again and again. It's easy enough to dismiss the ease with which he managed to get sensitive and confidential information out of people as Hollywood fantasy, but this actually occurs quite often in the real world. I even admit to making use of this technique in my radio days for research. I would sometimes "allow" someone I was trying to pump for information to believe I was just an ordinary citizen rather than telling them up front I was a broadcaster. I didn't lie to them. I simply allowed them to believe what they wanted to.
Info-Tech Research analyst Ross Armstrong puts it this way: "The easiest way for a hacker, con artist or private investigator to gain access to confidential information is not through technical means, but rather, by duping employees into divulging password information to systems and customer accounts. This is skilled scamming targeting the weakest link in the system -- people."
So why are we the weakest link in this chain? For starters, ten dollars an hour doesn't do much for your talent-recruiting efforts. It's hard for anyone to stay motivated when they are underpaid and under stress. This "de-motivation" leads to carelessness and muddled thought processes. Add to this a lack of correct training, high turnover due to bad working conditions and priorities which focus on low call times rather than quality of service and you have a front line of workers who operate more as automatons than people who think for themselves.
Armstrong says companies can safeguard against pretexting by educating frontline employees about social engineering tactics, creating a call-back policy whereby customer service representatives call the person back at their registered phone number to verify identity, issuing PINs for customer access to personal records and accounts, and making no exceptions to the use of PINs.
Mr. Armstrong is certainly right (although most of us don't want yet another PIN to remember), yet it's not just about training and policy.
It's also about working conditions and motivation. When you immerse employees in systems and procedures which don't require anything more than the ability to read a script from a computer monitor, you guarantee they will not use the most potent tool at anyone's disposal: common sense.
There is definitely something wrong when it's easier for me to get a stranger's personal phone records than it is to order a pizza with double anchovies.