
What's interesting is in the original "i got hacked" post[0]. The email from the hacker says that he called paypal and posed as an employee.

That may not be tough to do, i.e. if you call a call center, select the wrong department and request an internal transfer, it is quite possible that the person receiving the call would not be able to distinguish between an internal call or a customer call.

So if the hacker told them he was Jack from xyz department, who would know the difference? Better still, would they log the call at all?

The alleged breach could in this situation be quite easy.

[0] https://medium.com/p/24eb09e026dd



When I worked at a large bank many years ago, internal calls were verified to be bank employees. It was low tech, but when a bank employee called and asked about a customer we had them verify they were a bank employee by telling them to look up, and tell us what was on a certain page and line of an internal bank book. If their answer matched what we were looking at as well then the conversation continued. The books were changed/printed often.


That's just like an early-days video game anti-piracy measure.

What is the third word in the second paragraph of page 42 of the Dungeon Master's manual? Etc.


Military codebooks are used in this way for authenticating over unsecured links. Letters or numbers are laid out in a grid-like format, and you make the far side read off a certain cell.

http://en.wikipedia.org/wiki/DRYAD

http://en.wikipedia.org/wiki/BATCO#Other_functions


The Pragmatic Programmer website uses this system to allow you to prove that you bought a hard-copy of a book, so they can offer you a discounted ebook.


In my case we had a security code on an internal system that was updated in real-time. So the protocol was:

"Hi I'm an employee calling from [X]" "OK, can I get the security code?" (caller gives security code)

Any employee in the company could also request a no-questions-asked reset at any time. I actually had cause to hit the big red button once when the call went:

"Hi, this is [employee] calling from [branch]" "All right, can I get the security code?" "Oh, (mutters "security code"), it's $foo"

See, that counted as a compromise because someone in the lobby may have overheard her.

A couple other fun stories:

- Once I called a branch and got transferred to someone else. The conversation at the other end:

Him: "Did you give the code already?" Me: "...are you seriously going to believe me if I say 'Yes'?"

- Apparently there was a phishing attempt where people would call our center opening with:

"Hi this is [person] from the fraud department, before we begin can I get the security code?"

I don't know if it ever worked, but we got several memos warning us not to fall for it.
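The grid/codebook challenge described a few comments up and the security-code protocol in this comment (including the "mutters the code" reset and the "can I get the security code?" phishing opener) sketched as working code. This is an added example, not code from anyone in the thread; the grid layout, the "security code" keyword check and the seed parameters are assumptions for illustration.

```python
import hmac
import random

# Added example (not from the thread): codebook-style authentication for an
# internal call. The party that ANSWERS the phone issues the challenge (a grid
# cell) and the caller reads the value back; the answering side never says it.

ROWS = "ABCDEFGHIJ"
COLS = 10

def generate_codebook(seed=None):
    """One print run of the book: a 10x10 grid of random 6-digit cells.
    A seed gives a reproducible book (tests only); otherwise the OS RNG is used."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return {f"{r}{c}": f"{rng.randrange(10**6):06d}" for r in ROWS for c in range(COLS)}

class Verifier:
    """The employee who answers the call and must authenticate the caller."""

    def __init__(self, book, seed=None):
        self.book = book
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.revoked = False   # set when the code may have been overheard

    def challenge(self):
        """Pick the cell the caller must read back; the value stays unspoken."""
        return self.rng.choice(sorted(self.book))

    def verify(self, cell, answer):
        if self.revoked:
            return False       # the "big red button": book unusable until reissued
        expected = self.book.get(cell)
        return expected is not None and hmac.compare_digest(expected, answer)

    def reissue(self, new_book):
        """No-questions-asked reset after a suspected compromise."""
        self.book = new_book
        self.revoked = False

def handle_call(verifier, opening_line, caller_book):
    """True only if the caller proves knowledge of the current book."""
    if "security code" in opening_line.lower():
        # The phishing opener from the thread: the caller asks the callee to
        # read the code out. Refuse; the direction of the challenge matters.
        return False
    cell = verifier.challenge()
    return verifier.verify(cell, caller_book.get(cell, ""))
```

A caller holding a stale print run, or calling after the book was revoked and reissued, fails the challenge even though they once knew a valid code.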


The email from the hacker says that he called paypal and posed as an employee.

I took that to mean the hacker posed as an employee of Naoki Hiroshima. I wonder which it was.


- When I worked in a bank's call center, it would be impossible for such an attacker to gain any information without the (receiving) agent screwing up unless the attacker had already successfully phished a different employee.

- The situation you describe in particular, where one employee might cold transfer to another employee without the receiver verifying whether the customer had identified already...if that is even possible, it's gross negligence.

- Call centers typically record all calls regardless of origin; it's not like a human being manually hits a record button on a case-by-case basis.


When I worked at a call center, I eventually was promoted to call monitor, where I was actually the person listening to the recordings and grading reps on how they did. Our system did not record every call. It was a random sampling, and I had to hope a given MSR got recorded enough times in a month for me to hit my minimums.


Different use-case but we've implemented recording on all call-center calls; this isn't for employee monitoring, it's so we have a recording for legal purposes because some of those calls involve instructions for financial trades.

If I was in PayPal's situation I'd want to record every call, because dealing with money is a lot more critical than dealing with call quality.


I suppose I could have hedged a bit with the usual "may depend on the institution" disclaimer, heh. Anyway, I was responding to the apparent belief that someone might look at the inbound number and think "no need to record this one," which I'm pretty confident saying does not happen.


I've implemented this in a call center. We recorded every call. It's actually harder to do "random sampling" than just have the button auto-click every call. It sounded like Paypal reviewed the call transcript before making a statement.


Re: recording...

Why does the message when you call say something like '...may be recorded...' where "may" sounds like it's synonymous with "might"?

I know why they have to have the message but I was just curious if there was a reason for the apparently odd wording.


They reserve the right not to record the call, in case the stuff hits the fan and a customer insists on getting a recording of the call where everything went wrong.


The wording is specifically because they want to pretend that only a small share of calls are recorded for quality review and that it is very unlikely that your particular call will be recorded.


Why commit yourself to a stronger statement than necessary? As you probably already know, it's just to satisfy laws against recording a phone call without the consent of both parties. It's just a nicer way to say "we will proceed assuming we have your consent to record this call," without promising or revealing anything further.


When I was in a call centre (10 years ago) they would log all calls regardless of origin and us telemonkies had no control over it. I don't know how long they were stored though, I imagine they were purged on a regular basis.



