Marketing company leaks 17,000 recorded phone calls, many with credit card numbers

More than 400,000 phone call recordings that include names, addresses, phone numbers and credit card information have been leaked online by Florida marketing company VICI Marketing following suspected security blunders. The 28GB database was publicly accessible and included recordings of inbound and outbound phone calls. …

  1. Your alien overlord - fear me

    Remember, it's not the size of the leak but the leak's contents that count.

  2. Anonymous Coward

    Remember that when it is personal data you are dealing with on your systems, it's as if that/those person(s) were standing in front of you with a loaded Glock, in case you screw up!! Or, in a less confrontational manner, if you are found to be irresponsible with folks' personal data, YOUR OWN personal dataset will be plastered all over the internet!! (Grrrrr, just Grrrrrr)

  3. Anonymous Coward

    Oh man.

    It's not just databases that need to be researched.

    I discovered a flaw in a web analytics platform recently (a small firm based in the UK).

    Their snooping script was putting stuff in the database without validation or escaping.

    It accepted HTML and JavaScript code.

    Oh, how I laughed when I managed to inject some interesting stuff into the CEO's dashboard.

    Luckily he saw the funny side and paid handsomely for me to fix it.

  4. Valeyard

    So what actually happened?

    I can't find technical details of the leak on the MacKeeper page either.

  5. adnim

    My insurance broker

    is a local non-franchised business. Just one office.

    They tell me that my voice is being recorded for training purposes; before I recite my card details down the phone I am asked to wait whilst they switch off the recording feature.

    Not hard is it?

    Perhaps it would be prudent to refuse to give card information until one is assured that the recording has been stopped. Of course, lies could be told, but if the recordings are ever leaked or stolen they would be self-evident.

    There is no need for a company to record or store credit card information; I would rather have the hassle of the extra 15-20 seconds it would take to complete future purchases.

    1. Anonymous Coward

      Re: My insurance broker

      "There is no need for a company to record or store credit card information, I would rather have the hassle of the extra 15-20 seconds it would take to complete future purchases."

      Most don't think they store that in digital form, because they've got to jump through hoops for PCI DSS (for what that is worth....).

      But this is about call recording. In many sectors where there is regulatory pressure, call recording is the norm to prove that the sales or customer service is compliant with regulations. And if you outsource customer contact, you'd likely want call recording to ensure that you comply with your regulatory obligation, that you can check that your outsource provider is doing what they are paid to do, and so that you've got some evidence trail if THEY do things wrong with YOUR customers.

      I suspect that PCI DSS was drafted without much thought for voice recordings, but when you give this thirty seconds' thought, securing your call recording is every bit as important as securing the database - in fact probably more so if the customer has been taken through the security checks, because the call then combines customer ID and contact data, security check data, some product purchase, and full payment details. A competent crim would need nothing more. No IT pro would ever dream of putting that lot into a single database, yet it's all there in call recordings. That might be your own recordings of your own staff, but quite often sales is outsourced (as in the article), in which case you're asking a third party provider to do this for you, despite awarding them the contract largely on price.

      Most companies will demand that outsource sales partners are PCI DSS compliant. But they should (and probably don't) demand weapons grade encryption and protection of call recordings. UK readers are probably thinking "who's going to be rubbish at this?" and naturally the name Talk Talk will spring to front of mind.

      1. DaLo

        Re: My insurance broker

        PCI compliance has made call recording of full card information verboten for a long time. There are plenty of guidelines and policies available to work around it and still have call recording but to suggest it wasn't thought about is completely wrong.

        The standard case is that if you take card details over the phone then you must not call record without protection measures. These measures are usually based around stopping or masking the card information whenever the details are being input by the operator.

        Some will ask a caller to enter their card details on a phone keypad and then intercept the DTMF signal, mask it, but send the real card number directly to the application; others will pause call recording whenever the operator is on the payment screen or in the credit card fields box; others will direct all card calls to another extension which is not recorded.

        However, PCI DSS does not allow (even with encryption) call recording of full card details (number and CSV) at all. It is likely to be extended to back office functions in the next release as well.
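As an added illustration (not code from the thread or from any vendor product), a minimal model of the DTMF-masking approach DaLo describes: keypad digits entered while the agent desktop is in payment mode are forwarded only to the payment application, while the call archive receives a placeholder, and a Luhn-based scan over the archive acts as the compliance check that no full PAN ended up in the recording. The event format, the "payment" start/end signal and the test card number are constructed assumptions.

```python
import re

def luhn_ok(pan: str) -> bool:
    """Standard Luhn check used to tell a real PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def split_call_stream(events):
    """Constructed call model: events are (kind, value) tuples where kind is
    'speech', 'dtmf' or 'payment' (value 'start'/'end' from the agent desktop).
    Returns (archive, pan): the text that is written to the call recording and
    the card number that goes only to the payment application."""
    archive, pan_digits, in_payment = [], [], False
    for kind, value in events:
        if kind == "payment":
            in_payment = value == "start"
            archive.append(f"[payment entry {value}]")
        elif kind == "speech":
            archive.append(value)
        elif kind == "dtmf":
            if in_payment and value.isdigit():
                pan_digits.append(value)        # real digit goes to payment app only
                archive.append("[DTMF masked]")  # recording never sees the tone
            else:
                archive.append(f"[DTMF {value}]")  # menu navigation tones are harmless
    return archive, "".join(pan_digits)

def archive_contains_pan(archive) -> bool:
    """Compliance scan: any Luhn-valid 13-19 digit run in the archive is a finding."""
    return any(luhn_ok(m) for m in re.findall(r"\d{13,19}", " ".join(archive)))

# Constructed sample call using the well-known Visa test PAN 4111111111111111.
SAMPLE_CALL = [
    ("speech", "Agent: please key in your card number on the keypad."),
    ("payment", "start"),
] + [("dtmf", d) for d in "4111111111111111"] + [
    ("payment", "end"),
    ("speech", "Agent: thank you, the payment has gone through."),
]

if __name__ == "__main__":
    archive, pan = split_call_stream(SAMPLE_CALL)
    print("\n".join(archive))
    print("PAN forwarded to payment app:", pan, "Luhn ok:", luhn_ok(pan))
    print("Archive contains a PAN:", archive_contains_pan(archive))
```

The same scan flags the failure mode adnim's broker avoids: if the customer reads the number aloud while recording is still on, the digits land in the archive text and the Luhn check catches them.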

        1. Anonymous Coward

          Re: My insurance broker

          "others will pause call recording whenever the operator is on the payment screen or in the credit cards fields box" - Stopping the recording isn't enough ... and it's not even down to PCI DSS.

          As the call is not being fully recorded... agents could be up to all sorts whilst the "pause" (errr, read "stop"!) is going on.

          It's a real success story for customers (victims!) of mis-selling (looking at you, Wells Fargo!), who, when taking the insurance broker to court, find their last line of defence is a recording with nice big holes in it!
