Recommandé
Contenu connexe
Similaire à BSides SF - Contact Center Authentication
Similaire à BSides SF - Contact Center Authentication (20)
Plus de Kelley Robinson
Plus de Kelley Robinson (20)
Dernier
Dernier (20)
BSides SF - Contact Center Authentication
- 1. Contact Center Authentication Kelley Robinson | BSidesSF 2019 @kelleyrobinson
- 2. This talk has everything • My social security number • My mother's maiden name • The email I briefly used 11 years ago • Accidental phishing
- 5. 1. I have an existing account 2. There is personal info tied to my account (i.e. orders, data) 3. Company has a customer support phone number 4. USA phone number 5. Inbound calls @kelleyrobinson 🔍 Research Parameters
- 7. @kelleyrobinson ☎ Getting in touch
- 8. ☎ Getting in touch over the phone @kelleyrobinson 1. Customer support number 2. "Call me" 3. No phone number i.e. Home Depot, Comcast, State Farm i.e. Walmart, Amazon, Verizon i.e. Facebook, Lyft
- 9. @kelleyrobinson 📲 On the phone
- 10. 1. Automated with the phone number you're calling from 2. Automated with provided info like account number 3. Manual with an agent @kelleyrobinson (identification)📲 On the phone
- 11. @kelleyrobinson Identity Authentication Personal information (i.e. date of birth) Google-able, probably doesn't change Proof of identity, usually with a secret (i.e. one time password)
- 15. @kelleyrobinson 🙌 The Good 👍 The OK 👎 The Bad 😰 The. . . oh. . . oh no
- 16. @kelleyrobinson 🙌 The Good Actually authenticating users • One time codes for authentication • Refusing to disclose personal information Random Bonus Delight: • Apple lets you choose your hold music 🎵
- 17. @kelleyrobinson 🙌 Automated intro: “Welcome to Netflix. For faster service, log in to netflix.com and find the 6 digit service code located at the bottom of any web page. ”
- 21. @kelleyrobinson 👍 The OK Room for improvement but still positive • Recognizing the phone number you're calling from • Verifying multiple forms of personal information • Prompting with relevant account actions
- 22. @kelleyrobinson 👍 Automated intro: “Welcome back, Kelley. I see you're flying from San Francisco to Newark Liberty today, are you calling about that trip? ”
- 23. @kelleyrobinson 👎 The Bad Phishing risk with minimal effort • Only asking for one form of identity • Identity is easily accessible public information • Requiring a Social Security Number
- 24. @kelleyrobinson 😰 The. . . oh. . . oh no Wait. What just happened? This is problematic. • Giving out identity information • Allowing account changes without authentication
- 25. @kelleyrobinson 😬 How I accidentally phished a major hotel chain
- 28. @kelleyrobinson 🤖 Match the Rigor of Web Authentication
- 29. @kelleyrobinson • Remember the user experience • Take advantage of the voice platform • Honor user settings for things like 2FA 🤖 Match the Rigor of Web Authentication
- 32. @kelleyrobinson ☎ Strong Authentication Options • One-time passcodes • Voice recognition and verbal passcodes • Hybrid platform security
- 34. @kelleyrobinson 💁 Build guardrails for agents
- 35. @kelleyrobinson • Limit caller information available to agents • Only expose information after a caller is authenticated • Have a small subset of agents that have access to do the most sensitive actions • Perform silent authentication 💁 Build guardrails for agents
- 36. @kelleyrobinson 💁 Build guardrails for agents Verify caller email address before continuing: grace.hopper@gmail.com Verify caller email address before continuing: VerifyEnter email here vs. ✅ Agent Dashboard 1 Agent Dashboard 2
- 37. @kelleyrobinson 🔐 Consider your Threat Model
- 38. @kelleyrobinson • What are you allowing people to do over the phone? • Limit sensitive actions if you can't implement true authentication 🔐 Consider your Threat Model
- 39. What next?
- 41. @kelleyrobinson ✅ Actually authenticate users 📵 Don't share personal information 🤖 Match the rigor of your web authentication 💁 Build guardrails for your agents 🔐 Consider your threat model Takeaways