How click-to-call buttons threaten call center security

For contact centers, click-to-call capabilities add another layer of security concerns. Denial-of-service attacks and premium rate fraud can be especially harmful.

The goal for customer-facing businesses is to shorten the path to potential customers and remove any friction along it. If someone can reach you easily, you have a better chance of closing the sale.

Customarily, the way to shorten that path from the customer to the business went through the contact center. You had a phone number on your website, for example, and waited for people to call. However, a newer option has emerged. Many businesses have added click-to-call buttons to their websites.

People can click the button and connect directly to the contact center -- either by using WebRTC in the browser or by providing their phone number and having the contact center call them back. But do click-to-call buttons pose any security threats for contact centers?

Since I'm not an expert on this topic, I asked Nir Simionovich, a voice-over-IP security specialist, to get me up to speed on call fraud. The three biggest threats are denial-of-service (DoS) attacks, premium rate fraud and identity theft. Each of these attacks has a different purpose.

Web presence makes attacks easier

DoS attacks aim to deny service to customers. This means flooding the contact center with fake calls, which eats up the capacity of available agents and concurrent calls, denying service to real customers trying to reach the contact center. These attacks tend to occur amid fierce competition among businesses. And, yes, this is quite common, as competing businesses stoop to such tactics.

While DoS attacks are possible without click-to-call buttons, the additional web presence makes these attacks easier to initiate. The scale of the internet has introduced a proliferation of open source and commercial tools that automate and stress-test websites. These tools can be used to stress-test a contact center, bringing it to its knees.

Additionally, most click-to-call buttons on websites have no real authentication or identity handling. Once a hacker automates a single user interaction with the contact center through the click-to-call button, scaling it up to hundreds, thousands or even hundreds of thousands of users is not too hard.

These automated interactions can click the click-to-call buttons, inject fake audio and then disconnect or stay on the line. Hackers can also provide a phone number answered by an automated system, or even fake phone numbers, which the contact center will dial to connect its agents.

These attacks cost contact centers money through useless outbound calls and reduced agent productivity. They also corrupt contact-center analytics data, making agents appear to perform poorly.

At the end of the day, contact centers have two limited resources: phone lines and human agents. A DoS attack works by exhausting one or both of them.

Securing click to call

Click to call requires more than just placing a third-party widget on a website; the business and its customers must be secured as well. Beyond the normal best practices of software and cloud hosting security, a few additional aspects need to be considered:

  1. Handle maintenance and upgrades of your contact-center software regularly. This is doubly true if you are self-hosting your contact center.
  2. Take the time to configure your contact center properly. Pay particular attention to the calling routes, capabilities and restrictions in place.
  3. Understand and track the calling patterns. Changes in behavior indicate either a change in your business or potential fraud.

How hackers make money

While DoS attacks aim to harm a business's reputation and cause it to lose money, traffic hijacking is about making money.

Click-to-call buttons can enable a hacker to select a phone number for the contact center to call. A hacker could type in premium rate phone numbers the hacker owns.

With a premium rate number, the caller pays more per minute for the call, and the person receiving the call gets paid through the carrier. The idea is the premium number offers a service, such as tarot card reading or dating services.

A hacker offering such a service, real or fake, has a single purpose: driving more traffic toward his premium number. That can be achieved by automating click-to-call requests so that contact centers dial that number. Once the call connects, an automated message can greet the contact center to keep the call going as long as possible while staying off the radar of contact-center managers.

The result is the attacked business pays for calling a premium number, and the hacker gets paid for the incoming calls he himself initiated.
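Item 3 of the securing checklist above (track the calling patterns) and the premium rate scheme just described both come down to inspecting click-to-call request logs. The following is an added example, not code from the article or from any contact-center product: it scans constructed request records for three signals the article describes, one source hammering the button (DoS), callback numbers in premium rate ranges, and one callback number submitted from many sources (automation). The record fields, the thresholds and the premium prefix list are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed example premium-rate prefixes in international digit form; the real
# list depends on country and carrier and should come from your telecom provider.
PREMIUM_PREFIXES = ("1900", "449")
BURST_WINDOW_S = 60      # sliding window for counting requests per source IP
BURST_LIMIT = 5          # more than this many requests per window is a burst
SHARED_NUMBER_LIMIT = 3  # one callback number from this many IPs or more

@dataclass
class Request:           # assumed shape of a click-to-call request record
    ts: int              # seconds since epoch
    src_ip: str          # web client that pressed the button
    callback: str        # number the contact center is asked to dial

def normalize(number):
    """Digits only, so '+1 (900) 555-0100' and '19005550100' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())

def is_premium(number):
    return normalize(number).startswith(PREMIUM_PREFIXES)

def analyze(requests):
    """Return burst source IPs, premium callbacks and callbacks shared by many IPs."""
    findings = {"burst_ips": set(), "premium": set(), "shared_numbers": set()}
    window_by_ip = defaultdict(deque)
    ips_per_number = defaultdict(set)
    for r in sorted(requests, key=lambda r: r.ts):
        num = normalize(r.callback)
        if is_premium(num):
            findings["premium"].add(num)
        ips_per_number[num].add(r.src_ip)
        window = window_by_ip[r.src_ip]
        window.append(r.ts)
        while r.ts - window[0] > BURST_WINDOW_S:   # expire old timestamps
            window.popleft()
        if len(window) > BURST_LIMIT:
            findings["burst_ips"].add(r.src_ip)
    for num, ips in ips_per_number.items():
        if len(ips) >= SHARED_NUMBER_LIMIT:
            findings["shared_numbers"].add(num)
    return findings

# Constructed sample: a scripted client hammering the button, one premium-rate
# callback, and one number submitted from three different clients.
SAMPLE = (
    [Request(1000 + i * 5, "198.51.100.7", f"+1 212 555 01{i:02d}") for i in range(8)]
    + [Request(1100, "203.0.113.4", "+1 (900) 555-0100")]
    + [Request(1200 + i, f"192.0.2.{i}", "+44 20 7946 0000") for i in range(3)]
)
```

Running `analyze(SAMPLE)` flags the scripted client as a burst source, the +1 900 callback as premium and the shared UK number as automation; in production the same checks would sit on the click-to-call backend before any outbound call is placed.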

Automation could aid theft

Identity theft has two sides. The hacker might target a specific person or use a person's identity to cause harm to a business. Identity theft runs in two stages: the reconnaissance and the actual theft.

During reconnaissance, the hacker learns as much as possible about a person, starting with social networks and public repositories, such as government records. With enough information, the hacker can call a business's interactive voice response (IVR) system to collect more information through the self-service menus, which are usually accessible with a small set of personal details, such as a social security number and fragments of a credit card number.

Using the information gleaned from the contact center's self-service voice menus, the hacker can then engage in social engineering against real contact-center agents, gaining access to all the information and actions available to the person whose identity he just stole.

Beyond the loss of its customers' privacy, the business itself is harmed if the hacker decides to take actions on behalf of the person. Those actions cost the business time and money to remedy later.

Usage-based payment models

Lastly, many cloud-based contact centers build their business models around usage. The more usage a contact center handles, the higher the fees to the vendor. The same is true for specialized third-party click-to-call widgets for websites.

While this works well in creating symmetry between the business's investment and the size of its operation, it comes with a challenge. The gatekeeper, or vendor, in charge of handling fraud is also the party reaping revenue from it, because in most cases call center fraud creates more billable traffic. This gives cloud-based contact-center services little incentive to build fraud prevention measures into their service.
