Blog: Red Teaming

Authenticating your call centre when everyone is remote

Tony Gee 06 Apr 2020

Some unique challenges present themselves as workforce’s shift to remote working. One that is not likely top of the pile, but is an easy avenue for abuse is authentication.

When I talk about authentication, I don’t mean how users logon or access their emails for example. What I mean is how you provide assurances to your customers that the person taking their call is actually one of your staff.

Consider call centres. Right now they are swamped. Call centre businesses have their own unique challenges when operating with remote staff. Some are socially distancing their staff. Increased floor spacing between staff means that fewer people can now occupy the same space. Others are rolling out remote capabilities. Some are able to run remote call centres.

Whatever the solution, there are fewer people available to process the volumes of calls they previously could handle. So how are they adapting?

Most are working as ‘call takers’, fielding calls and organising for the appropriate contact to phone the customer back. The problem here is how does the customer know that the return call is actually from an authenticated member of staff? Bear in mind that most staff will be using their own personal mobile phone or landline to make the call.

IT support concerns

The same situation occurs with internal calls. Your IT helpdesk is a call centre of sorts, and they have the same challenges. Most staff will raise a ticket via email, but what if the helpdesk needs to call them back? How can you ensure your staff know they are talking to your IT staff and not a scammer?

I recently dealt with a call centre and they fixed the issue with one simple step. When the call taker took my call they asked me for a very basic password that the person phoning back could relay to me to authenticate they were from the company I called. Essentially, a ‘pre-shared key’.

It struck me that this is a model that could easily fix the age old problem of a call centre calling you claiming to be from a provider then asking YOU to confirm DPA questions so they can discuss something with your account. However, in addition to fixing that, this could help with authenticating IT support desk calls to staff.

If IT publish the password on the corporate intranet, staff could easily look this up and validate the support person is authenticated before divulging any sensitive information. You could easily change this too in case of IT staff leaving by simply updating the intranet.

A simple fix to a common, frustrating and potentially risky problem.