On Securing Call Centers

Michael T. Halligan michael at halligan.org
Sun Oct 19 10:44:05 PDT 2003


> This is being hashed over the SAGE list too.

Man, I understand I was asking a loaded question, but didn't
expect NEARLY this much of a response, both of these lists
are usually rather mellow, I was hoping to find another 10-15
items to put on my already 45-item list of "ideal actions
in order to ensure adequate security" document I'm writing
up for my customer...

Unfortunately, I didn't explain the situation enough.  Everybody
assumed that when I said call-center, I meant "undereducated
telemarketers in the midwest".. oddly enough, our application
is to help victims of Identity theft, and our call-center
employees are all very experienced bank fraud specialists.

Our two main "enemies" are information brokers, and script kiddies,
with our two biggest fears being bribery from information brokers,
and database compromise.


> Treating people like they are thieves is a fine way to motivate
> them to become thieves.
> 
> 
> > - What protections are being taken against telephone taps?
> Switches aren't too hard to access.  If the voice line would
> compromise your security, then you shouldn't be using phones.
> All customers could be issued scrambler phones or you could do
> a cost:benefit analysis and let it go.


Really all we can do to prevent a telephone tap is get a secured
MPO from the telco, which is about $10-$15k, which only provides
a slightly better level of security than using a shared building
wiring closet.. and maybe doing voip to the telco with an encrypted
link, but so far none of the telcos I've talked to can do that
reasonably.


> > - How will you stop cleaning staff from installing listening devices?
> They will have "background checks" which I find, at best, impractical
> in an industry with 200%+ turnover rates.

Cleaning staff is personally my biggest fear. So far we've had a background
check done on our parent company's long-time cleaning ladies (2 of them) and
we're paying them 3x the rate that our parent company was paying them, as well
as having had them bonded.  Unfortunately, we still understand how bribable
they are.

> That said, for all the C/R devices, SecureIDs and smart cards
> you issue, the best and easiest way in is not to kidnap people
> (great for movies, not so likely in Real Life) - the easiest
> way to get information is to simply pay them.

The former goes into the "improbable but possible risk" category,
while the latter goes into the "probable" risk category.. This
makes us do background checks on them, monitor their comings and
goings, and monitor everything they do on the application server
we've developed.  We've also built things in such a way their notes
on victims (our customers) get locked up and have to be requested
through their manager, and they get access to a very limited amount
of information, only the customers they've worked with.

> Given how motivated *I'd* be to continue to work in this sort
> of env, simply offering them a job where they aren't living
> in Ashcroft's Holiday Camp might be enough.

Luckily everybody we're hiring is used to working in a similar,
if not more secure environment due to the nature of their vocation,
which is dealing with financial fraud.


> When I call in to places, sometimes I don't have my case number
> on hand.  As soon as I found out we were cut off automatically
> in 60 seconds as a tool to keep employees from getting calls,
> I'm not really motivated to continue doing business with that
> company.

We're feeling our customers are going to feel rather happy with
the extra security measures we take to protect us from ourselves,
especially due to the nature of the business.  Plus a lot
of the phone system concepts still need to be worked out in a practical
sense.

> Really: employees should live on premises for 12 month shifts
> and either be killed or mind-wiped at the end to make them useless
> and incoherent.  Or perhaps sent to holiday islands for a 3 month
> respite (isolated from the World) before their next shift.

Hmm. The mind-wiping sounds complicated, but the 3 month isolation
holiday sounds rather fun.

-------------------
Michael T. Halligan
Chief Geek
Halligan Infrastructure Designs.
http://www.halligan.org/
2250 Jerrold Ave #11
San Francisco, CA 94124-1012
(415) 724.7998 - Mobile




More information about the Baylisa mailing list