A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.
Here were the ground rules:
Rule #1: We only called about test accounts: fake customers that the company had placed in its systems specifically for penetration testing. This precaution protected real customers as well as us.
Rule #2: We were given only the most basic information about each fake customer: name and address. That roughly matches what a social engineer can dig up about a real person on the public Internet.
Starting Like a Social Engineer
As I said, we were flying blind. Because we never had the answers to the first tier of authentication questions, we failed them every time, and every call was escalated to the next tier.
So on we went, call after call, until I reached one particular young lady. I fed her a heartbreaking story (as usual): my daughter had just been admitted to the hospital and I desperately needed to check my balance.
Of course, we eventually got to the inevitable Social Security number and birthday questions. I failed them both.
So she kept trying, asking one personal question after another, until I managed to guess enough close-enough answers to be validated under the company's authentication procedures.
Suspicious, But Not Supported
Now, let me give this young lady some credit. She was clearly suspicious. I mean, who doesn’t know their birthday?
And she didn't make it easy on me. After I missed the first two questions, she put me on hold for what felt like forever. Then she came back on the line, asked me more questions, and put me on hold again, just as long. She was trying to do the right thing.
But when she came back the third time, she not only gave me the information I was asking for, she also apologized for the "system error" and updated the record with the birthday and Social Security number I had given her, both of which were fake.
Was she new? Clueless? Untrained? Nope. She was just following orders.
After reviewing the call, we learned that both times she put us on hold, she was reviewing the call with her supervisors: first her manager, then the security group.
In both cases, even after she voiced her suspicions, they asked her only one question:
"Did they pass authentication procedures? Yes? OK, then give him what he wants."
Pretexting: The Takeaway
A policy that lets employees escalate when they feel suspicious or uncomfortable can't be lip service. Yes, everyone has to provide good customer service and communicate respectfully. But when an employee is suspicious enough to escalate to two different people, that alone justifies handling the call and the account with great care. At a minimum, it calls for a review of the account before anything is released, and it certainly does not justify changing the Social Security number on file.
Bottom line: Your authentication procedures are not foolproof. A caller who fails the SSN and birthday questions and then "passes" on a string of close-enough guesses has not really been authenticated, and an employee's escalated suspicion should trigger extra scrutiny, not a rubber stamp. Sometimes you need to go the extra mile.