
BSides SF - Contact Center Authentication


You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product?
Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone.



  1. Contact Center Authentication. Kelley Robinson | BSidesSF 2019 @kelleyrobinson
  2. This talk has everything • My social security number • My mother's maiden name • The email I briefly used 11 years ago • Accidental phishing
  3. ☎ 🔐 👋 $
  4. 🔍 Research Parameters
  5. 🔍 Research Parameters: 1. I have an existing account 2. There is personal info tied to my account (e.g. orders, data) 3. Company has a customer support phone number 4. USA phone number 5. Inbound calls
  6. (image slide, no text)
  7. ☎ Getting in touch
  8. ☎ Getting in touch over the phone: 1. Customer support number (e.g. Home Depot, Comcast, State Farm) 2. "Call me" (e.g. Walmart, Amazon, Verizon) 3. No phone number (e.g. Facebook, Lyft)
  9. 📲 On the phone
  10. 📲 On the phone (identification): 1. Automated with the phone number you're calling from 2. Automated with provided info like account number 3. Manual with an agent
  11. Identity vs. Authentication. Identity: personal information (e.g. date of birth), Google-able, probably doesn't change. Authentication: proof of identity, usually with a secret (e.g. a one-time password)
  12. Identity != Authentication
  13. 📊 The Results
  14. Authentication vs. call center identification
  15. 🙌 The Good • 👍 The OK • 👎 The Bad • 😰 The. . . oh. . . oh no
  16. 🙌 The Good: actually authenticating users • One-time codes for authentication • Refusing to disclose personal information. Random Bonus Delight: Apple lets you choose your hold music 🎵
  17. 🙌 Automated intro: "Welcome to Netflix. For faster service, log in to netflix.com and find the 6 digit service code located at the bottom of any web page."
  18. 🙌 (image slide, no text)
  19. 👍 The OK: room for improvement but still positive • Recognizing the phone number you're calling from • Verifying multiple forms of personal information • Prompting with relevant account actions
  20. 👍 Automated intro: "Welcome back, Kelley. I see you're flying from San Francisco to Newark Liberty today, are you calling about that trip?"
  21. 👎 The Bad: phishing risk with minimal effort • Only asking for one form of identity • Identity is easily accessible public information • Requiring a Social Security Number
  22. 😰 The. . . oh. . . oh no: Wait. What just happened? This is problematic. • Giving out identity information • Allowing account changes without authentication
  23. 😬 How I accidentally phished a major hotel chain
  24. Sorry Kathy.
  25. ✅ Recommendations
  26. 🤖 Match the Rigor of Web Authentication
  27. 🤖 Match the Rigor of Web Authentication • Remember the user experience • Take advantage of the voice platform • Honor user settings for things like 2FA
  28. Context (during call)
  29. What about my TOTP?
  30. ☎ Strong Authentication Options • One-time passcodes • Voice recognition and verbal passcodes • Hybrid platform security
  31. Hybrid platform security
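Slides 27 to 30 ask how a caller's existing 2FA can be honored on the voice platform. The following is an added example, not code from the talk: it checks digits the caller keys in on the phone keypad (DTMF) against the same RFC 4226/6238 TOTP secret (HMAC-SHA1, 30-second step, 6 digits) that the web login uses, accepts one step of clock skew either side, and refuses to accept a counter at or below the last one already used so a code overheard on the line cannot be replayed. The `DtmfTotpVerifier` class, its `verify` signature and the per-account replay guard are assumptions of this example; the secret and expected codes in the usage come from the RFC 4226 test vector.

```python
"""Verifying a caller's web TOTP over the phone keypad (DTMF).

Added example, not from the original talk. TOTP math follows RFC 4226 / RFC 6238
(HMAC-SHA1, 30 s step, 6 digits); DtmfTotpVerifier and its replay guard are
design assumptions for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class DtmfTotpVerifier:
    """Checks keypad digits against the account's enrolled web 2FA secret.

    - accepts the current step plus `window` steps either side for clock skew
    - remembers the highest counter already accepted per account, so a code
      overheard on the line cannot be replayed inside the same window
    - returns only accept/reject; the expected code never reaches the IVR or agent
    """

    def __init__(self, window: int = 1, step: int = 30):
        self.window = window
        self.step = step
        self._last_counter: Dict[str, int] = {}  # account id -> last accepted counter

    def verify(self, account: str, base32_secret: str, keyed: str,
               now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        # DTMF input arrives as raw key presses; keep only 0-9 (drop '#', '*').
        digits = "".join(ch for ch in keyed if ch.isdigit())
        if len(digits) != 6:
            return False
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        secret = base64.b32decode(padded)
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter.get(account, -1):
                continue  # already consumed: replay protection
            if hmac.compare_digest(hotp(secret, counter), digits):
                self._last_counter[account] = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 test secret "12345678901234567890", base32-encoded as a web app
    # would have stored it at 2FA enrollment (constructed usage, not real data).
    B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    v = DtmfTotpVerifier()
    print(v.verify("C-1001", B32, "287082#", now=59))  # first use at t=59: True
    print(v.verify("C-1001", B32, "287082#", now=59))  # replay: False
```

Because the IVR verifies against the same secret as the web, enabling TOTP on the account automatically hardens the phone channel too; the one design decision specific to voice is the replay guard, since DTMF tones are trivially overheard and recorded.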
  32. 💁 Build guardrails for agents
  33. 💁 Build guardrails for agents • Limit caller information available to agents • Only expose information after a caller is authenticated • Have a small subset of agents that have access to do the most sensitive actions • Perform silent authentication
  34. 💁 Build guardrails for agents. Agent Dashboard 1: "Verify caller email address before continuing: grace.hopper@gmail.com" (the stored address is displayed to the agent) vs. Agent Dashboard 2 ✅: "Verify caller email address before continuing: [Enter email here] [Verify]" (the agent types what the caller says and the system answers yes or no)
  35. 🔐 Consider your Threat Model
  36. 🔐 Consider your Threat Model • What are you allowing people to do over the phone? • Limit sensitive actions if you can't implement true authentication
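Slides 10 to 12 (identification is not authentication), 16 to 17 (the web-displayed service code), 33 to 34 (the agent dashboard that verifies without disclosing) and 36 (limit sensitive actions) describe one design, so here is a single added example that is not code from the talk. It models a support-call session with three levels: caller ID or a correctly repeated email only identifies the account, a fresh single-use service code issued to the logged-in web session authenticates it, the dashboard gets back only the fields allowed at the current level (the email is verifiable but never rendered), and sensitive actions are refused below the authenticated level. The customer record, the `SupportSession` API, the field names, the attempt limit and the 600-second code lifetime are all assumptions for illustration.

```python
"""Agent-facing verification API that keeps caller data out of the agent's view.

Added example, not code from the original talk. CUSTOMERS is a constructed
sample record; SupportSession, MAX_ATTEMPTS and CODE_TTL are illustrative.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ANONYMOUS, IDENTIFIED, AUTHENTICATED = 0, 1, 2

# Constructed sample data for the example (not a real person or account).
CUSTOMERS: Dict[str, Dict[str, object]] = {
    "C-1001": {
        "name": "Grace Hopper",
        "email": "grace.hopper@example.com",
        "phone": "+14155550100",
        "address": "1 Main St, Arlington, VA",
        "recent_orders": ["ORD-88", "ORD-91"],
    },
}
# Fields the dashboard may render at each level. Email is never rendered:
# the agent can only ask the system to verify what the caller says.
VISIBLE_FIELDS: Dict[int, Set[str]] = {
    ANONYMOUS: set(),
    IDENTIFIED: {"name"},
    AUTHENTICATED: {"name", "recent_orders", "address"},
}
SENSITIVE_ACTIONS = {"change_email", "change_address", "reset_password"}
MAX_ATTEMPTS = 3        # failed verifications tolerated per call (assumed)
CODE_TTL = 600          # seconds a service code stays valid (assumed)
SERVICE_CODES: Dict[str, Tuple[str, float]] = {}  # customer id -> (code, expiry)


def _norm(value: str) -> str:
    return " ".join(value.strip().lower().split())


def issue_service_code(customer_id: str, now: float) -> str:
    """Called by the WEB app for a logged-in user (the Netflix pattern on slide 17):
    the code is shown on the web page, never to the agent, and is single-use."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    SERVICE_CODES[customer_id] = (code, now + CODE_TTL)
    return code


@dataclass
class SupportSession:
    caller_number: str
    customer_id: Optional[str] = None
    level: int = ANONYMOUS
    attempts: int = 0

    def _spend_attempt(self) -> bool:
        if self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        return True

    def identify_by_caller_id(self) -> bool:
        """Caller ID is spoofable, so a match only IDENTIFIES the account."""
        for cid, rec in CUSTOMERS.items():
            if rec["phone"] == self.caller_number:
                self.customer_id = cid
                self.level = max(self.level, IDENTIFIED)
                return True
        return False

    def verify_claim(self, field_name: str, claimed: str) -> bool:
        """Dashboard 2 pattern: the agent types what the caller said and gets only
        True/False back. Personal info is identity, not a secret, so a match
        never raises the session above IDENTIFIED."""
        if self.customer_id is None or not self._spend_attempt():
            return False
        stored = str(CUSTOMERS[self.customer_id].get(field_name, ""))
        ok = hmac.compare_digest(_norm(stored).encode(), _norm(claimed).encode())
        if ok:
            self.level = max(self.level, IDENTIFIED)
        return ok

    def redeem_service_code(self, keyed: str, now: float) -> bool:
        """A fresh, unexpired code proves control of the web login: AUTHENTICATED.
        A real deployment would scope the lookup by account; this scan is for
        the example only."""
        if not self._spend_attempt():
            return False
        digits = "".join(ch for ch in keyed if ch.isdigit())
        match = None
        for cid, (code, expiry) in SERVICE_CODES.items():
            if now <= expiry and hmac.compare_digest(code, digits):
                match = cid
        if match is None:
            return False
        del SERVICE_CODES[match]  # single use
        self.customer_id, self.level = match, AUTHENTICATED
        return True

    def view(self) -> Dict[str, object]:
        """Exactly what the dashboard may render at the current level."""
        if self.customer_id is None:
            return {}
        rec = CUSTOMERS[self.customer_id]
        return {k: rec[k] for k in VISIBLE_FIELDS[self.level] if k in rec}

    def perform(self, action: str) -> bool:
        """Sensitive actions require true authentication, not identification."""
        if self.customer_id is None:
            return False
        return not (action in SENSITIVE_ACTIONS and self.level < AUTHENTICATED)
```

The point of routing every check through `verify_claim` and `redeem_service_code` is that the agent's screen is the phishing surface: an agent who can see the stored email will read it out to a caller who guessed the name, whereas an agent who can only submit the caller's answer leaks nothing on a miss. Gating `perform` on the level rather than on the agent's judgement is what turns "limit sensitive actions if you can't truly authenticate" into a property the system enforces.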
  37. What next?
  38. Takeaways: ✅ Actually authenticate users 📵 Don't share personal information 🤖 Match the rigor of your web authentication 💁 Build guardrails for your agents 🔐 Consider your threat model
  39. THANK YOU! @kelleyrobinson
