How easy would it be for a potential cyber criminal to call into your IT help desk, convince your worker that they were an executive with one of your clients, and obtain their password? You say, “impossible!” Think again. One IT security manager discovered that such an event had actually happened, much to his chagrin. Here’s the problem with your current validation processes, what not to do to fix the issues, and what to do to fix the problem for good.
The Gaping Holes in Most Customer Validation Processes
Most help desks are trained to verify only a user’s name. If the user’s name matches what is listed in their CRM, the caller gets what they ask for. However, it’s too easy to get this information. A cursory Internet search of a given company renders the names and tons of professional and personal information on the executives of most companies.
Poor Ways to Address the Customer Validation Process
This is why validation based on common identifiers such as name, title, email address, phone number, physical address, etc. is useless. With every resource from Wikipedia to LinkedIn to Facebook to government resources like the SEC website, it’s fantastically easy for a cyber criminal with even the most basic search skills to obtain this information. Add in the availability of online people-finders, which will deliver even more professional and personal information for an affordable fee of less than $100, and it becomes clear that these types of identifiers are inadequate.
Banks often use more private, well-guarded information, such as the last four digits of a person’s social security number or their mother’s maiden name. However, it’s becoming increasingly easy for the wrong hands to get this information, as well.
Say, for example, that the vice president of sales at some generic Fortune 500 company has a mother who is also famous or notable for some reason — maybe she was the CEO of a Fortune 500 company herself, or perhaps was indicted for fraud. This means that there are multitudes of public records that mention mom’s full name, along with other personal identifying information. The last four digits of a social security number might also be their banking password or the PIN for their Platinum Visa, and the aspiring cyber criminal might have already obtained this little ditty of info. Pass on using easily obtained qualifiers for your validation processes.
Better Ways to Address the Customer Validation Process
Validation measures built on harder-to-obtain information include:
- Have the help desk verify if the caller’s Caller ID number matches the phone number in the CRM.
- Require that callers present their Customer ID number when calling to obtain information.
- If the caller’s number doesn’t match what is in your system and/or the person is unable to provide the Customer ID number, you can have the help desk offer to return their call at the number listed on file, or send them an email at the email address listed on file.
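The three measures above, as an added Python example that is not code from the original article: a help-desk validation routine run against a constructed CRM with hypothetical records (names, Customer IDs, phone numbers and email addresses are all made up). It identifies the account by the claimed name, then requires both a Customer ID match and a Caller ID match before the agent may release information; in every other case it returns the callback/email fallback, showing the agent only a masked hint of the number on file so the caller never learns it.

```python
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample CRM records (hypothetical; not from the article).
CRM_RECORDS = [
    {"name": "Jane Doe", "customer_id": "C-48213",
     "phone": "+1 (555) 010-2233", "email": "jane.doe@example.com"},
    {"name": "Sam Lee", "customer_id": "C-77001",
     "phone": "555.010.9988", "email": "sam.lee@example.com"},
]


def normalize_phone(raw: str) -> str:
    """Reduce a phone number to digits; assume a 10-digit number is US (+1)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def mask_phone(raw: str) -> str:
    """Agent-facing hint: only the last four digits of the number on file."""
    return "***-***-" + normalize_phone(raw)[-4:]


def find_record(claimed_name: str, records=CRM_RECORDS) -> Optional[dict]:
    """The name only selects the account; it proves nothing about the caller."""
    key = " ".join(claimed_name.split()).casefold()
    for rec in records:
        if rec["name"].casefold() == key:
            return rec
    return None


@dataclass
class Decision:
    outcome: str            # "serve", "callback" or "deny"
    reason: str
    audit: list = field(default_factory=list)


def validate_caller(claimed_name: str, claimed_customer_id: Optional[str],
                    caller_id: Optional[str], records=CRM_RECORDS) -> Decision:
    """Apply the article's three checks and return what the agent may do."""
    audit = [f"claimed_name={claimed_name!r}"]
    rec = find_record(claimed_name, records)
    if rec is None:
        audit.append("no account matches the claimed name")
        return Decision("deny", "no matching account", audit)

    # The Customer ID acts as a shared secret, so compare it in constant time.
    id_ok = claimed_customer_id is not None and hmac.compare_digest(
        claimed_customer_id.strip().upper().encode(), rec["customer_id"].encode())
    # Caller ID must match the number on file after normalisation.
    phone_ok = caller_id is not None and \
        normalize_phone(caller_id) == normalize_phone(rec["phone"])
    audit.append(f"customer_id_match={id_ok} caller_id_match={phone_ok}")

    if id_ok and phone_ok:
        return Decision("serve", "Customer ID and Caller ID both match the record", audit)

    # Fallback from the article: return the call or email at the contact on file.
    # The agent sees only a masked number; the full value is never read to the caller.
    return Decision(
        "callback",
        f"offer a callback to {mask_phone(rec['phone'])} or an email to {rec['email']}",
        audit,
    )


if __name__ == "__main__":
    for args in [("Jane Doe", "C-48213", "(555) 010-2233"),
                 ("Jane Doe", None, "(555) 010-2233"),
                 ("Sam Lee", "C-48213", "555-010-9988"),
                 ("Nobody", "C-1", "555-000-0000")]:
        d = validate_caller(*args)
        print(args, "->", d.outcome, "|", d.reason)
```

Two design choices matter here. The Customer ID is compared with `hmac.compare_digest` because it functions as a credential, and the routine treats a Caller ID match as necessary but never sufficient: Caller ID can be spoofed, so on its own it only earns the caller a callback to the number already on file, which a spoofer does not control.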
Will your customers become angry that you’re making it harder for them to get service? They shouldn’t, as long as you make it clear why you’re asking for the additional information. When they understand that their own account security is in question, most reasonable customers will comply without hesitation.