Hacking Humans 1.14.21
Ep 130 | 1.14.21

As B2C interactions shift online, call centers become new fraud vector.

Umesh Sachdev: A lot of the interaction between businesses and consumers has shifted to either digital or virtual. And therefore, contact centers have played a far bigger role than they used to play in our lives pre-pandemic, which in itself was pretty big.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Umesh Sachdev of Uniphore. We're going to be talking about how call centers have become a new fraud vector. 

Dave Bittner: All right, Joe. Well, let's jump into some stories here this week. I think I'll kick things off for us. So this comes from The Hacker News. This is a little odd one. It's - the title is "Hackers Using Fake Trump Scandal Video to Spread QNode Malware." Let me just say off the top of (laughter) - my initial reaction to this was, I can think of very few things in this world that I would rather not see than some sort of Trump sex scandal video. 

Joe Carrigan: Right. 

Dave Bittner: But I can see how that, if nothing else, could grab someone's attention... 

Joe Carrigan: Right. 

Dave Bittner: ...Whether they are a supporter or don't like our outgoing president. 

Joe Carrigan: Don't like our. 

Dave Bittner: Don't like our - yeah. Words are hard, Joe. Words are hard (laughter). 

Joe Carrigan: Right, yeah. Some people have a way with words, and other people just not have ways, I guess. 

Dave Bittner: Not have way, yeah (laughter). 

Joe Carrigan: That's Steve Martin. 

Dave Bittner: (Laughter) So there is an email going around. And one of the odd things about this is it's just sort of a mixed-up mess. The subject line of the email is Good Loan Offer with two exclamation points. But it comes attached with a Java archive, a .jar file - a dot-jar file... 

Joe Carrigan: Right. 

Dave Bittner: ...Which is labeled Trump Sex Scandal Video. But it's... 

Joe Carrigan: (Laughter) But it's a Java archive - J-A-R file. 

Dave Bittner: Correct, correct. 

Joe Carrigan: All right, so the reason I laugh at that is because I've done Java development in the past, and I know what a .jar file is. And when I hear .jar file, I immediately think Java Archive, not video. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But the vast majority of people aren't developers... 

Dave Bittner: Right. 

Joe Carrigan: ...And have no experience with this. And they don't know that the .jar file is actually executable code, probably. 

Dave Bittner: Well, sure enough, if you download this .jar file, it installs a RAT, a remote access Trojan, onto the system. 

Joe Carrigan: Surprise, surprise. 

Dave Bittner: Yeah, yeah. The message in the email says, greeting. We are interested in partnering and investing in that - in your that dream project or business plan. Also, we can grant you a loan with a good return of investment. So it's a standard investment scam. But I don't know. It's kind of strange that - it's almost like they got mixed up on - a little from Column A, a little from Column B (laughter), you know. 

Joe Carrigan: The email is all about a loan, right? Some fake loan scam. 

Dave Bittner: Right. 

Joe Carrigan: But attached to the email is this file called a video that's actually a Java Archive that is executable that runs a RAT install. 

Dave Bittner: Yep. It's always hazardous to try to figure out what they were up to here. But maybe they thought, oh, maybe if I get this email, and I see it, and I say, oh, gosh, this person accidentally attached this sex scandal video, I better check that out - oh, lucky me (laughter). 

Joe Carrigan: Right. You're right. This does kind of stop me in my tracks. It kind of breaks my brain and my thinking, right? I put myself in the shoes of the attacker. 

Dave Bittner: Yeah. 

Joe Carrigan: He's like, all right, I want people to install this thing. Let me just take any spam email I can think of and just attach this malware to it and send it out. 

Dave Bittner: Right. 

Joe Carrigan: But this doesn't make any sense. 

Dave Bittner: No, it doesn't. I mean, I guess this is where we are - where there's no cost, really, to send out emails, of course. 

Joe Carrigan: Yeah. 

Dave Bittner: So why not? Why not try it? (Laughter) And who knows? Maybe this is just an iteration - because these folks do iterate, right? 

Joe Carrigan: Right. 

Dave Bittner: To see what works. So maybe this is just iteration. 

Joe Carrigan: This may be an experiment. 

Dave Bittner: Yeah. 

Joe Carrigan: This could also be a mistake. Who knows? 

Dave Bittner: Right, exactly. Right. What do we say? Never assign malice to that which can be explained by incompetence. 

Joe Carrigan: Right, exactly. 

Dave Bittner: (Laughter) Right. So I guess the - couple lessons here. It's a pretty obvious scam. Not many people who are certainly listeners to this show would fall for this. 

Joe Carrigan: Right. 

Dave Bittner: But I think you bring up a good point about being wary of anything that's a dot-jar file. 

Joe Carrigan: You're exactly right, Dave. There are a bunch of different files that are executable on Windows. I'm not exactly sure how it works on Mac or Linux. I've never actually received files that are executable on either one of those platforms. I don't use Apple. I do use Linux. 

Dave Bittner: Yeah. 

Joe Carrigan: But I know that when I create a file in Linux that I want to be executable, I have to change it to be executable exclusively - or explicitly, rather. But on Windows, that's not the case. If I get a file that ends in, like, .exe or .bat or .jar - if I have Java installed, Java Runtime Environment - then those things will just run. They will execute. And you really have to be careful about it. And anything that says it's a video may not be a video. And it's really hard to tell because those icons are very small, right? 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: And one of the things that Windows does to try to help you is it hides file extensions, right? So you can't even tell what it is. When I install Windows on my machine, which I have to do from time to time, the first thing I do when I get a new machine or I do a new install is I enable the ability to show that extension so I know what I'm looking at because another social engineering trick is to put another extension before that extension, right? So I could rename this file Trump Scandal Video dot-mp4, dot-jar, right? 

Dave Bittner: Right, right. 

Joe Carrigan: And if the user is hiding the extensions, they'll only see Trump Scandal Video dot-mp4, and it will look like it's a movie. 

Dave Bittner: Right, right. That's a really good point. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. Yeah. All right. Well... 

Joe Carrigan: The icon will still be the .jar icon, though. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Pay attention. Actually, the best thing to do if you get something like this in the mail and you want to look at - first off, you should never open any attachments. But if you're suspicious about it, just go to VirusTotal and upload the file and see what it says. 

Dave Bittner: OK. All right. Well, that's my story for this week. Joe, what do you have for us? 

Joe Carrigan: Dave, I want to talk about a couple of terms that we may have talked about before, but I just want to clarify them first. 

Dave Bittner: OK. 

Joe Carrigan: You're familiar with swatting, right? 

Dave Bittner: I am. 

Joe Carrigan: This is when someone places a call to emergency services while spoofing the victim's phone number, and then they report some kind of terrible crime currently occurring at the victim's place, and the police show up in force to respond. 

Dave Bittner: Right. 

Joe Carrigan: This is remarkably dangerous to do to people. One police officer was shot while going into the wrong house. Fortunately, he was wearing a bulletproof vest, so he only suffered minor injuries. There was another one where an unintended victim was gunned down by police in responding. 

Dave Bittner: Right, right. Tragic. 

Joe Carrigan: So it's something that people do in gaming forums or in gaming competitions. It's ridiculous. It's stupid. And frankly, it's dangerous. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: People shouldn't do this. The other term I want to talk about is credential stuffing. And we talk about this from time to time on the CyberWire podcast. But because we have an audience that may be somewhat nontechnical, I'll explain what this is. Credential stuffing is when an attacker takes a list of known good usernames and passwords - like, maybe they've breached some email service or something - and then they try those usernames and passwords on other sites, like Netflix or Disney+ or another mail service or something. Because people tend to reuse passwords, this actually becomes a very effective way to break into other accounts. 

Dave Bittner: Right. 

Joe Carrigan: But one of the advantages of credential stuffing is that it can be automated. And there are kits out there that let you do this for specific sites for, like, $6. If you're a good Python programmer, you can write your own in minutes. It's really not that hard. You just parse a file and then make a bunch of web requests and see if you get a login success or a login failure reply, and then log the successes to another file. And there you have all the credentials for getting into this new service. Really simple attack. 

Joe Carrigan: Now let's put credential stuffing attacks together with the very popular IoT implementation - Internet of Things implementation - home security devices, such as doorbells, right? We all have these new doorbells - or I don't have one, actually. My doorbell's still the old-fashioned wire doorbell with the transformer in the basement. 

Dave Bittner: (Laughter) Oh, you Luddite. 

Joe Carrigan: You know, I'm really not a Luddite, but I'm really not into adopting all these new surveillance technologies. 

Dave Bittner: Yeah. 

Joe Carrigan: But - and that's what these are because some of these services come with the ability to call police from the device itself. And there's an article over on Threat Post by Becky Bracken, where she talks about an FBI warning that they issued on the ic3.gov site, which is the Internet Crime Complaint Center, that malicious actors are probably using credential stuffing attacks to get access to these doorbell cameras because these doorbell cameras have web services that you can access. 

Dave Bittner: Right. 

Joe Carrigan: You know, web portals that you log into to see what's on your doorbell or the app - you log in over the internet. You don't log in directly through your network. This thing reaches out, and then you log into a web service, and bam - you can see your video. Well, if somebody does that using a credential stuffing attack and you're reusing a password, then they get into your doorbell cam, and this doorbell has the ability to call the police. Guess what you got? 

Dave Bittner: You got a swat. 

Joe Carrigan: That's right. You got a swat. And that's what some of these folks are doing, is they're out there penetrating these doorbell cameras, and then they're swatting the people that own the doors. And they are actually streaming this on streaming services because, for some people, this is entertainment. And you get to see the cops show up at some unsuspecting guy's house. And usually the crime's... 

Dave Bittner: Right, guns drawn. 

Joe Carrigan: Right, guns drawn. Usually they'll say things like, there's a hostage situation. It can be a terrible situation when this happens. And there are reports of it happening to elected officials and things like that. It's awful. 

Dave Bittner: Yeah. 

Joe Carrigan: Becky also talks about a case a year ago where someone gained access to a Ring camera that was in a child's room, and this person started talking to the child. And at the time, Ring had multifactor authentication as an option, but now Ring makes it mandatory, right? So... 

Dave Bittner: Good for them. 

Joe Carrigan: Yeah, you have to have multifactor authentication on your Ring account or you won't be able to access your doorbell, which is good. A few years ago, I was on one of the local TV stations talking about a security camera that was being used as a baby monitor that was accessed by someone over the internet. And I think that was a default password situation, if memory serves me right. Like, they just never changed the username and password, and somebody just found it and logged into it and then started yelling at the baby, which was terrifying to the parents. So the FBI didn't name the manufacturer in these swatting attacks. But my guess is it's probably not Ring. It's probably not one of the big manufacturers. 

Dave Bittner: Yeah, because Ring has MFA, so that makes it harder. 

Joe Carrigan: Right. It does make it harder - not impossible because I think it's just text-based multifactor authentication, but - so you can get around it. But that's not something that somebody who's swatting people is going to try to get around, right? They're... 

Dave Bittner: Sure. 

Joe Carrigan: They might, but it's easier just to penetrate a system that doesn't have multifactor authentication on it to get your streaming views, I guess. The problem here is that attackers are taking care of human inertia, right? The perceived difficulty that people have about changing passwords or implementing good password hygiene or using multifactor authentication. So I recommend using different passwords on every single account you have, and use a password manager to help you implement that. And use multifactor authentication wherever you can. 

Dave Bittner: Yeah. You know, I think this brings up a good point. This combination of elements that you've described here brings up a good point, which is I think a lot of people, when it comes to password reuse, they think to themselves, oh, well. I mean, they're not going to be interested in me. 

Joe Carrigan: Right. 

Dave Bittner: You know, like, I don't have - you know, there's all these people out there, and, oh, I'll probably get away with it. But as you point out here, these things are automated. 

Joe Carrigan: Right. 

Dave Bittner: They don't care who you are. 

Joe Carrigan: Right, exactly. 

Dave Bittner: You're just a name on a list. 

Joe Carrigan: Yup. 

Dave Bittner: And if you've been part of any breach - and these days, odds are you've been part of a breach. 

Joe Carrigan: I don't think we say odds are anymore. 

Dave Bittner: Yeah, that's true. 

Joe Carrigan: We say you have been part of a breach. 

Dave Bittner: Yeah. Count on it. 

Joe Carrigan: Right. 

Dave Bittner: Right. Yeah. Good point. 

Joe Carrigan: And, Dave, when I do talks, the very first thing I do is convince people that malicious actors are interested in you. It doesn't matter why. You may think that you're not significant. You are significant because you are a target, and these people will do it. 

Dave Bittner: Right. All right, well, interesting story for sure. Of course, we'll have links to all of our stories in the show notes. Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from listener Christian (ph), who says, got another good one in my company's spam filter, had my office laughing pretty hard. So, Dave, why don't you read the email they got? 

Dave Bittner: All right. It goes like this. 

Dave Bittner: (Reading) Hello. Good day to you. And how you doing? I'm sorry to encroach on your privacy in this manner. I want to solicit your attention to assist me receive two trunk boxes on my behalf. I am an Army officer with the USA military and currently in Baghdad with the combat support squad, U.S. Base Camp Speicher, Baghdad, Iraq. I'm on my third deployment to combat war zones. I'm also among the squad that will be redeployed to Afghanistan in about a fortnight. And in view of this, I urgently need your help in assisting me receive for safe keeping the two trunk boxes containing some moneys. But I'll tell you what. No compensation can make up for the risk we are taking with our lives here. You can confirm the genuineness of the findings by clicking on this website. If you can be trusted, I will explain further on the modalities of how we will realize the safe shipment of the boxes to you for safekeeping without the breach of the law when I get a response from you. Note, for security purposes, you can get back to me through this private email. Kind regards, Captain Derek (ph), United States soldier on peacekeeping in Afghanistan. 

Joe Carrigan: (Laughter) This is a great one. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's a typical trunk box scam, right? It even contains... 

Dave Bittner: It even says trunk box. 

Joe Carrigan: Trunk box. 

Dave Bittner: I mean, like, they didn't even bother to not say trunk boxes. The name of the scam is the trunk box scam. 

Joe Carrigan: Right (laughter). 

Dave Bittner: And they said, help me with my trunk boxes. How lazy can you be? 

Joe Carrigan: Well, I love your voice. It sounds a lot like R. Lee Ermey - the late R. Lee Ermey, who is awesome, by the way. I loved him. 

Joe Carrigan: At the bottom of the email, it contains a link to click and go fill out a Google form, which probably just collects some information and lets them know that you're ready to be the sucker in this one. 

Dave Bittner: Right. 

Joe Carrigan: Yeah. This is just the opening of a trunk box scam - exactly right. And like you say, it even says so right on the label. 

Dave Bittner: (Laughter) Yeah, yeah, yeah. All right, well, thanks to our listener for sending that in to us. 

Joe Carrigan: Thank you, Christian. 

Dave Bittner: We would love to hear from you. If you have something you'd like us to consider to use on the air, you can send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Joe, I recently had the pleasure of speaking with Umesh Sachdev. He's from a company called Uniphore. And we were talking about how call centers have become a real vector for fraud. Here's my conversation with Umesh Sachdev. 

Umesh Sachdev: It's a very interesting phenomenon that has happened in the world during the pandemic. As all of us around the world in every single country have been prevented from going to a physical bank branch, going to a retail store, going to places that we were used to to do business or entertainment or shopping, a lot of the interaction between business and consumers has shifted to either digital or virtual. And therefore, contact centers have played a far bigger role than they used to play in our lives pre-pandemic, which in itself was pretty big. 

Umesh Sachdev: Now, we know the statistics show that contact centers worldwide field more than 100 billion calls every month. Let that number sink in. That's 100 billion calls every month happening in call centers. 

Dave Bittner: Wow. 

Umesh Sachdev: This is an industry, Dave, that employs over 15 million call center workers. And for some of our customers, since the pandemic, the call volumes have been up three or four times what they used to be pre-pandemic. So this is one where, you know, call centers have almost played an essential role in keeping businesses and consumers interacting with each other, solving issues, raising complaints, getting things done, serviced, et cetera. 

Umesh Sachdev: Now, we know that it's been hard on the contact center operator side - that, you know, given the surge in demand, some contact centers have had the double whammy or the one-two punch of not being prepared with the elastic human capacity to increase three or four times because of traffic demanded it, but because of the pandemic, much like all of us, the call center workers themselves have been displaced out of their offices, and they're all taking calls from their homes. 

Umesh Sachdev: This is unprecedented because this is one industry where the word contact center - the second word, center, represented a physical location. The profession itself assumed that people will always work together in a group in a large setting where they'll be given the equipment and the right software and hardware and security, and they'll be doing calls to, you know, billions of people around the world. But all of them have been displaced, and they're working from home as we speak. 

Umesh Sachdev: The projection that we are getting from some of our partners and customers is that close to 70% of this workforce will now never return back into a physical contact center even after the pandemic is done. The reasoning there is now that we've gone through the pain of shifting logistics all from our offices and to the homes of these contact center workers, it's also a big cost advantage - and contact centers run on razor-thin margins around the world - that, you know, the reverse transition would probably not take place for more than 30% of the workers. 

Umesh Sachdev: Now, this has opened up a very interesting set of security paradigms which probably did not exist when the workers were in the office. And here is first some statistics and then some anecdotes. One in every 1,700 calls is a fraud attempt. And the data is coming from research done by the (unintelligible) group. And it says 61% of all fraud originates from the call center. 

Umesh Sachdev: And that's significant because earlier, when the call center worker was in the office, there were a few sets of regulations which were working. Remember, as soon as you call a bank or a telecom service provider, the entire PII, your entire information - what billing pack you're on, what credit card have you put on file - shows up on the screen of the call center worker. And they need to validate some of that information even to know who you are before they can service you or give you your account details. So it's a chicken and egg problem that your information does flash up. 

Umesh Sachdev: Now, what that means is how easy it is for the contact center worker to use their camera phone and, as soon as your information flashes, just take a screenshot or take an image and have access to real PII of millions of customers. 

Umesh Sachdev: Well, it turned out it wasn't that easy when they were in the office 'cause, you know, they were more often than not made to lock up their camera cellphones in a locker before they went to their call shifts, and not until they were done with their call shifts could they have access to some of those devices, et cetera. So there was some amount of physical security. 

Umesh Sachdev: There were also tools and software monitoring these calls within the network as these were happening so that fraud could be caught up early or security breaches could be caught up early. Each of these call centers - they have signed up for hundreds of millions of dollars of penalties in case they are responsible for data breaches. So the world is getting smarter. Now that we have the data that 61% of the fraud originates from call centers, the world wants them to be more accountable, and these call centers are accountable. 

Umesh Sachdev: But here's the issue. Now with all of your workers working from home, all of the processes that have been developed for decades that have stabilized are no more in action, no more relevant. And so new processes, new techniques need to be developed quickly to make this new environment as secure as it used to be and probably even better than before. 

Umesh Sachdev: And so the problem of how do you make sure data security, data privacy, agent authentication, all of these problems and more are tackled in the work-from-home environment, that's the new paradigm that we all live in. 

Dave Bittner: And so what are some of the things that are available or that are on the horizon? What are some of the potential solutions here? 

Umesh Sachdev: Before we talk about solutions, the approach that, you know, I have taken is I've spoken to at least 20-plus CEOs, many operation leaders of our customers, potentials and partners around the world to really first dig into one of the problems that they're facing 'cause, remember, some of these problems were not anticipated, were not planned for as the pandemic hit, and they had to overnight move people into their homes. 

Umesh Sachdev: So the first couple of months were more about, is everyone back online? Are our workers back online? Do they have the infrastructure, do they have the hardware available at their homes? 

Umesh Sachdev: Only then did the new problems start in March (ph). So some of these are net new problems that nobody, whether on the solution provider side or on the operation side, had been imagining. So the three ones that are strikingly large right now - the first one is as trivial as how do you know if the contact center agent that you're talking to is the one who is authorized to be on this call? 

Umesh Sachdev: Because people are working from home and, you know, because in some cases, they are billed to the hour and they're paid by the hour, if they have to take a break or, you know, go for a bio break or they're tired, there are chances that the contact center worker can have his neighbor or her cousin or a relative in the home to say, why don't you attend the next few calls while I take a break? So the identity and authentication of the call center worker on each call - not just in the shift, but on each call now - becomes important, which wasn't the issue when they were working in the physical center. 

Umesh Sachdev: The second problem is because, like in the past, when you call, your information needs to be flashed on the screen for the agent to be able to authenticate who you are, that information is now susceptible to be captured, screen shared, screen captured or taken an image by a camera phone and, worse still, may not even be done by the agent herself. Could be somebody who's next to her in the room and sees that information flashing up. It's a wholly unsecured physical environment in the home. 

Umesh Sachdev: And the third problem is now this information is traveling sometimes in the clear to various parts of the world because, remember, the calls could be getting routed to Asia, where somebody's working the night shift to take your calls, and it's going to that person's home. And, you know, the level of encryption in the network, et cetera, is not as robust as it used to be in the contact center. 

Umesh Sachdev: So let me summarize the three big issues that we've been hearing. The authentication and identity of the agent for every single call is important. The fact that consumer and customer information and PII flashes on the agent's screen in an unsecured home environment is a big security concern. And the third - that information could be traveling in the clear because it's now a distributed call center environment with people's homes acting as call centers - that transmission breaches are a concern. So these are the three new - net new concerns from a call center fraud perspective that we picked up from our customer base, from our partners and people around in this industry. 

Dave Bittner: That's fascinating. So again, what are some of the potential solutions here? 

Umesh Sachdev: So this is where innovation and ingenuity, Dave, plays a big role. And I personally get fascinated - although these are real challenges and we as humanity need to come together. It wasn't that somebody wanted this to happen. The pandemic has forced us. But this is where, you know, innovation and human ingenuity trumps and comes forward. 

Umesh Sachdev: First, let's look at the issue of authenticating and assuring identity of each agent on each call. We've had access to technologies such as face ID and voice ID, using voice as a biometric identifier and facial recognition as a biometric identifier. We've had access to these. Combined with artificial intelligence and figuring out at what point in the call is the right time to run these authentication checks, you are now able to, in a passive manner, use voice biometrics and face ID to authenticate the right agent at various points in the call to address issue No. 1, which was, is the agent the right one who was supposed to be on this call? 

Umesh Sachdev: The second, which is the larger issue in my mind of, well, consumer data needs to be shown to the agent, otherwise, how will the agent authenticate or validate the consumer? And this is where, again, we went back to the drawing board, spoke to some of our peers in the industry. And we said there's an opportunity to use a combination of AI again and combine it with RPA, robotic process automation. 

Umesh Sachdev: So now as a consumer is calling into a call center and before the consumer could be serviced, their data needs to be validated. The agent now can say, I've just sent you a text message with a link. If you click on the link, you will see your information on your phone. And if you're able to authenticate and validate that for me, I'll be able to service you faster. 

Umesh Sachdev: Now, what happens with this process shift is that the agent never gets to see the consumer's information. The consumer gets to see his or her own information. And there's a robotic bot, robotic process automation bot, which is AI powered, which matches that information with what's in the database. All the agent sees is a green checkbox to say consumer has been validated. Let's move on and service the consumer as they like. 

Umesh Sachdev: So using a combination of RPA and artificial intelligence that works in the background, we are able to mask the information from the agent. And yet, for the enterprise, we are able to automate the step of making sure you're not giving out somebody's health care records to, you know, people who they don't claim to be who they are. So that's step No. 2. 

Umesh Sachdev: And then the third one on the network and encryption - again, we've been able to use AI in a big measure to detect anomalies, to detect quality of service issues, et cetera, as data gets transmitted. You can now do it in a far more secure manner, even if it's going to a distributed environment like the contact center agent's home. 

Umesh Sachdev: So the net of it, Dave, is AI has been around for a while. Voice recognition, voice biometrics, facial ID, robotic process automation - all these technologies have been maturing independently. The innovation in the last few months, which has been extremely rapid, has been to bring these technologies together to create these solutions - to authenticate the agent, to mask the customer's data and to use AI to make sure the network transmission is more secure. 

Dave Bittner: Yeah, it's fascinating to me how, you know, this pandemic, with all of the, you know, terrible things that it's brought to us globally, has really been a catalyst for folks to step up and innovate in many spaces like this one and provide. On the other side of this, we're going to come away with better security. 

Umesh Sachdev: Absolutely. And like I said, not only the better security, but, you know, the world probably would be better - there - make no mistake, there are tremendous upsides on the human capital perspective of allowing agents to work from home. You can now allow a mother with a young kid to do a few hours of call center work from the comfort of her home, which was impossible without these security tools. And she would have had to go, physically, to a contact center and work longer hours. 

Umesh Sachdev: Now, the pandemic forced the change, but the innovation that has happened in the last few months in the area of security and otherwise has really made sure that this environment can be sustained for the future and is actually the right operating inner model that should have been in place all along. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: That was a good interview, Dave. Call centers are more important now than they ever have been in the past, right? Because we're doing a lot of things remotely. It's really hard - I can't go, actually, to one of my banks and walk inside right now, so I have to call the call center. I found these statistics fascinating - 100 billion calls a month. That's mind-boggling. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: There are only 7.8 billion people on planet right now. I like saying on planet because there are seven people not on planet. 

Dave Bittner: (Laughter). 

Joe Carrigan: But hopefully in the future that number will increase. But I do like saying that. That's an average of 12 to 13 calls per person each month. 

Dave Bittner: Right. 

Joe Carrigan: And that number has now gone up three to four times. That is huge. I mean, just imagine the surface area that that represents, if you think of attack surface as a part of your threat modeling. And that's what Umesh is talking about for the bulk of this interview - he's talking about threat modeling. Close to 70% of these workers will continue to work from home. This is not surprising to me. I think that's going to be not unique to call centers. I think that a lot of organizations are going to have people working from home. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's going to be a permanent fixture. I'm not sure how I feel about that. I know that a lot of people probably like it. I don't know. I think it offloads a lot of business costs onto the employee. And I'm not... 

Dave Bittner: Yeah, that's true. 

Joe Carrigan: I don't think that's fair. But that's not what we're talking about here. We're talking about the call centers. So 1 in 1,700 of the inbound calls is a fraud attempt, and 61% of fraud begins this way, with an inbound call into the call center. 

Joe Carrigan: I think the threat modeling part that Umesh talks about is really interesting. Threat modeling is when you sit down and you think about how your data can be breached or what can happen to you or what are the bad things - this is what a lot of security practitioners have to do all the time. It's the thing that makes people look at me and go, why do you think like that, right? 

Dave Bittner: (Laughter) Well, Joe... 

Joe Carrigan: Yeah. 

Dave Bittner: ...It's not the only reason people think that about you (laughter). 

Joe Carrigan: Right. Well, yeah, that's true. But, you know, whenever you have a security professional who says something horrible, just understand they're doing threat modeling. That's threat modeling. That's what that is. They're not... 

Dave Bittner: Right, right. It's their job to be in that dark place (laughter). 

Joe Carrigan: Right, exactly. So the insider threat of taking - just taking a picture of someone's personally identifiable information while they're viewing it, that's a real threat. These environments used to be controlled environments where they'd lock up their phones. Now they don't have that anymore. 

Dave Bittner: Yeah. So I used to work in the video side of things, and quite often clients would say, you know, businesses would say, you know, how do we protect this file? How do we protect this video from people who we don't want to see it? You know, maybe something has trade secrets or something like that. And we would tell them, you know, you can protect the file, you can protect access to viewing the file, but once you make something viewable, once someone can see it with their own eyes and hear it with their own ears, there's nothing to keep someone from pointing a camera at the screen and grabbing a picture of it. 

Joe Carrigan: Right. Yep. 

Dave Bittner: So, you know, that's something you can't really protect against. And that's exactly what's going on here. If someone can be looking over your shoulder, taking pictures of the screen, there's not a whole lot you can do about that. 

Joe Carrigan: Yeah. The remote location is a completely unsecured physical environment from the company's point of view, right? 

Dave Bittner: Right. 

Joe Carrigan: Which is vastly different from the centralized call center that they used to have and, from what Umesh is saying, they're not going to have any more. It's just not going to be a thing. I agree that these problems are not insurmountable, and I like a lot of the solutions that he poses. I like his solution to the imposter problem of having authentication via facial recognition software... 

Dave Bittner: Right. 

Joe Carrigan: ...To make sure that the person sitting at the computer actually is the person that's supposed to be there and not the cousin. That's a different threat model that he talked about that's pretty good. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: And that's actually something that's implementable right now with software because the hardware is already in place, right? Every laptop has a webcam on it. 

Dave Bittner: Yeah, it's really an interesting evolution. You know, as you say, this - largely driven by the pandemic, so many people have moved remotely. And in this case, you think about something like a call center - if you say to me, call center, what I picture in my mind is a big room of people sitting at cubicles... 

Joe Carrigan: Right. 

Dave Bittner: ...With their little headsets on and making calls. 

Joe Carrigan: Yeah. 

Dave Bittner: And that's probably not the future of call centers because we've realized people can do this from anywhere. And why rent a building full of cubicles when people are willing to just do it from their coat closet (laughter), right, you know? 

Joe Carrigan: Right. And there are reasons that people would be willing to do that, plenty of good reasons as well. 

Dave Bittner: All right. Well, our thanks to Umesh Sachdev from Uniphore for joining us. Interesting conversation, for sure. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.