Customer Service Week, held every year in the first week of October, has come to be recognized as the week we celebrate the importance of customer service and of the people who serve and support customers on a daily basis.
However, before we get carried away by the celebrations: do you know that the customer service desk is one of the most vulnerable channels through which a hacker could strike an organization, company or firm, harvesting large amounts of data about the workers, customers and business partners of the attacked entity?
In June 2021 Microsoft disclosed that a device used by one of its customer service agents had been breached and that the attackers had obtained customer account details, which were then used to launch "highly targeted" attacks on those customers.
When hackers strike a company like this, data such as Social Security Numbers, National Identification Numbers, Bank Verification Numbers, dates of birth, email addresses, financial information, phone numbers and passwords, collectively known as Personally Identifiable Information (PII), is stolen and sold to identity thieves, who can do a great deal of damage with the details they have just acquired.
As an example, a cybercriminal gets hold of a user's email credentials. Unfortunately for the victim, that mailbox also contains banking information with which unauthorized transactions can be made, and it is tied to the user's Facebook account, which uses the same password as the email. In a single attack the cybercriminal gains access to a wide array of information, enough to perform multiple types of identity fraud.
Do not assume that because you run a small company you have no reason to worry about data theft; you would be wrong. Whether you are a law firm, logistics firm, gift card trading company, online dating website, e-commerce store, hotel owner, school owner, hospital owner, church owner or anything else, if you receive even the smallest details from the general public, such as names, email addresses or phone numbers, then protecting your customers' data is your utmost responsibility, and that responsibility rests on the CIA triad: confidentiality, integrity and availability.
MEDIUMS THROUGH WHICH CUSTOMER SERVICE STAFF MAY BE VULNERABLE
The Phone: Attackers usually obtain phone numbers from an organization's website, along with any specific routing emails used for customer support. They may call from a spoofed, blocked or private phone number. An attacker posing as a customer can usually gather enough information from social media platforms and other sites to answer simple security questions. The attacker could also ask for a password reset, or try to change something on a customer's account (a recovery email address or phone number, say) in order to gain access to it themselves. They could also pose as fellow staff and try to obtain unauthorized privileges by pleading an emergency.
In a pentest I was hired to do on a company in Lagos, all it took to get the Wi-Fi password was a spoofed call to the IT guy, and I was in their network ready to scan and exploit their systems. As simple as it may sound, hacking an organization most times does not require complex techniques.
Email: Opening an email attachment from an unknown sender, however innocent it looks, is not a good idea, and even one that appears to come from a known sender may be a spoofed email. For the helpdesk or customer service representative, however, opening attachments may be a necessary part of the job when providing customer support. The attachment may be exactly what it claims to be, an innocent screenshot documenting the details of an order or transaction that failed. But there is every possibility that malware is lurking in the attachment and a social engineering attack is in progress.
In another job I did in Ghana, gaining access to the company email account of one of the top-level staff simply required a spoofed email from a supposed project manager handling a project for the company.
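Both email stories above describe the same trick: a message whose display name looks right but whose origin does not. A help desk cannot stop opening attachments, so the practical control is to check, before anything is opened, what the receiving mail server already knows about the message. The Python below is an added example written for this article, not code from the author or from SLYTECH. It parses a raw message, compares the From domain with the Return-Path, reads the spf, dkim and dmarc verdicts that the receiving server recorded in its Authentication-Results header, and flags attachments whose file extension (including a double extension such as .png.exe) is executable. The two sample messages, every domain in them and the list of risky extensions are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Extensions that should never arrive as a "screenshot" or "receipt" from a customer.
# This list is an assumption for the example; tune it to your environment.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "lnk", "iso", "img"}


def sender_domain(header_value):
    """Lower-cased domain of the address in a From or Return-Path header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts written by the receiving server into Authentication-Results."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.IGNORECASE):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def triage(raw_message):
    """Return a list of warnings for one raw RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    # 1. The display name and From domain are trivially spoofed; Return-Path shows where bounces really go.
    from_dom = sender_domain(msg["From"])
    return_dom = sender_domain(msg["Return-Path"])
    if return_dom and from_dom != return_dom:
        warnings.append(f"From domain {from_dom!r} differs from Return-Path domain {return_dom!r}")

    # 2. SPF, DKIM and DMARC are what actually tie the mail to the domain it claims to come from.
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            warnings.append(f"{method} did not pass ({verdict})")

    # 3. A "screenshot" that is really an executable, including double extensions like .png.exe.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        extensions = name.lower().split(".")[1:]
        if RISKY_EXTENSIONS.intersection(extensions):
            warnings.append(f"attachment {name!r} has a risky extension")
    return warnings


# Constructed sample: a spoofed "project manager" mail with a disguised executable attached.
SPOOFED_MESSAGE = "\n".join([
    "Return-Path: <bounce@mailer-free.example>",
    "Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=mailer-free.example; "
    "dkim=none; dmarc=fail header.from=partner.example",
    'From: "Project Manager" <pm@partner.example>',
    "To: helpdesk@company.example",
    "Subject: Failed transaction - screenshot attached",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Please see the attached screenshot of the failed order.",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="order_screenshot.png.exe"',
    "Content-Transfer-Encoding: base64",
    "",
    "SGVsbG8=",
    "--b1--",
    "",
])

# Constructed sample: an ordinary customer mail that passes every check.
CLEAN_MESSAGE = "\n".join([
    "Return-Path: <jane@customer.example>",
    "Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=customer.example; "
    "dkim=pass header.d=customer.example; dmarc=pass header.from=customer.example",
    "From: Jane <jane@customer.example>",
    "To: helpdesk@company.example",
    "Subject: Order 1234",
    "",
    "My order did not arrive.",
    "",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, triage(raw) or ["no warnings"])
```

Run as a script, the constructed spoofed message produces five warnings and the clean one none. The check depends on the receiving server having written an Authentication-Results header; a message pulled from a mailbox that never ran those checks reports "missing", which is itself a reason to be careful before opening anything.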
Bring Your Own Device (BYOD): Do you really want a personal device on a private network linked to customer data? As a company you may see BYOD as a cost-saving measure, but it is also dangerous: it leaves your organization exposed, especially where threat actors have written a malicious application to get into the organization's network and spread across it, with the customer service staff member who brought the device to work as the main point of distribution. A classic medium through which ransomware could spread, if you ask me.
HOW TO PROTECT YOUR CUSTOMER SERVICE DESK FROM THIS TYPE OF EXPLOITATION
These are not foolproof measures, but an extra bit of care goes a long way in securing data.
- Regular security awareness training. Keeping help desk staff informed about current events in cybersecurity and about how threat actors, including APT groups, actually operate goes a long way.
- Advise staff against clicking unnecessary links and downloading just any attachment, whether it comes from customers or from fellow colleagues.
- Make staff aware of how they give out any sort of information over a phone call from a supposed customer, since the caller may be someone pretending to be the owner of the account they intend to take over. Verify callers through a channel you control, such as calling back the number already on file.
- As a company executive, the responsibility also falls on you to hire cybersecurity firms, pentesters and ethical hackers to conduct regular penetration tests on your organization in order to uncover vulnerabilities.
- Make sure you use up-to-date versions of the software, antivirus and other applications that protect your network and systems. Fake antivirus products created by hackers abound, as seen in the fake "Amnesty International" antivirus that delivered malware, so go with known and established brands.
- When a staff member leaves, change the passwords of any company-related accounts they controlled and disable or close their email address entirely. Applying the principle of least privilege throughout your organization also goes a long way.
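The last point of that list is the one that can be checked mechanically rather than remembered. As an added example that is not part of the original article, the Python below reconciles a constructed HR leavers list against a constructed account export: it flags leavers whose account is still enabled after their last day, shared mailbox passwords that were not rotated after a leaver who knew them left, and active accounts holding roles beyond what a help desk role needs. The field names, the baseline role set and every sample record are assumptions made for the example.

```python
from datetime import date

# Constructed sample data standing in for an HR leavers list, an account export from the
# identity provider or mail system, and the shared mailboxes the help desk uses.
LEAVERS = [
    {"user": "a.okafor", "last_day": date(2021, 9, 30)},
    {"user": "b.mensah", "last_day": date(2021, 10, 1)},
]
ACCOUNTS = [
    {"user": "a.okafor", "enabled": True, "roles": ["helpdesk", "billing-admin"]},
    {"user": "b.mensah", "enabled": False, "roles": ["helpdesk"]},
    {"user": "c.adeyemi", "enabled": True, "roles": ["helpdesk", "ticketing"]},
]
SHARED_MAILBOXES = [
    {"mailbox": "support@company.example", "members": ["a.okafor", "c.adeyemi"],
     "password_rotated": date(2021, 6, 1)},
]
# Roles a help desk account legitimately needs (assumption); anything else is excess privilege.
HELPDESK_BASELINE = {"helpdesk", "ticketing"}


def offboarding_findings(leavers, accounts, shared_mailboxes, today):
    """Flag access that outlived a leaver's last day: enabled accounts and unrotated shared passwords."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        if leaver["last_day"] >= today:
            continue  # still employed on the review date; nothing to revoke yet
        account = by_user.get(leaver["user"])
        if account and account["enabled"]:
            findings.append(f"{leaver['user']}: account still enabled after last day {leaver['last_day']}")
        for mailbox in shared_mailboxes:
            if leaver["user"] in mailbox["members"] and mailbox["password_rotated"] <= leaver["last_day"]:
                findings.append(f"{mailbox['mailbox']}: shared password not rotated since {leaver['user']} left")
    return findings


def excess_privilege_findings(accounts, baseline):
    """Flag enabled accounts holding roles beyond the help desk baseline (least privilege check)."""
    findings = []
    for account in accounts:
        extra = sorted(set(account["roles"]) - baseline)
        if account["enabled"] and extra:
            findings.append(f"{account['user']}: roles beyond help desk baseline: {', '.join(extra)}")
    return findings


def review(today_iso):
    """Run both checks against the sample data for a review date given as YYYY-MM-DD."""
    today = date.fromisoformat(today_iso)
    return (offboarding_findings(LEAVERS, ACCOUNTS, SHARED_MAILBOXES, today)
            + excess_privilege_findings(ACCOUNTS, HELPDESK_BASELINE))


if __name__ == "__main__":
    for line in review("2021-10-04"):
        print(line)
```

On the sample data a review dated 2021-10-04 yields three findings: a.okafor's account is still enabled, the support@ shared password has not been rotated since a.okafor left, and a.okafor holds a billing-admin role that a help desk account does not need. b.mensah raises nothing because that account was already disabled. Running the same review on 2021-09-30, before either leaver's last day, leaves only the least privilege finding.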
Cybersecurity matters because anybody can get hacked: as long as there is a system, there is a vulnerability waiting to be exploited. All hands must be on deck to protect the data of staff and customers, with the customer service desk being one of the channels that needs protection, attention and dedication on the way to a safer company.
With this I say, Happy Customer Service week!!!
This article was written by Sylvester Uduosa Esq., a Certified Ethical Hacker and founder of SLYTECH Entp., a cybersecurity firm based in Nigeria that assists companies with pentesting their networks and security, with the sole aim of discovering vulnerabilities before criminals do and saving companies from the losses such vulnerabilities may cause.