Good afternoon. For the second presentation today, this afternoon, Kelly Robinson, who works in the account security team at Twilio, will be presenting. So, a warm welcome for Kelly.

Does that work? Excellent. I could just try shouting, but this room's a little loud even for me. Awesome.

So I'm gonna be talking about contact center authentication, and I don't know if any of you are SNL fans circa eight years ago, but this talk has everything: it's got my social security number, my mother's maiden name (everybody get their pens out), the email that I used in college like 11 years ago, and some accidental phishing. And I will tell you what that means, because trust me, it is a good story. Some people try to phish companies. I don't do it on purpose. It just happens, because it turns out contact center authentication is not very good.

And so I set out to do some of this research, and I didn't really know what to expect, but it's been really interesting to basically call all of these companies and figure out what people are doing to try to authenticate you over the phone. And different companies have tried different things, and they've built different systems to do this, but it hasn't seen the same rigor that we've built into some of our web authentication systems. And so the goal of this talk is to talk about what people are doing currently and give you some recommendations for all you can do in your companies to make your phone and contact centers more secure.

My name is Kelly Robinson. I work at a company called Twilio. If you haven't heard of Twilio, we're a communications company, and so we build APIs for things like SMS, voice, email, and also authentication. I work on our authentication products, so if you've ever heard of Authy, Twilio acquired Authy about five years ago. And so that's both the consumer two-factor authentication application, but we also have APIs for adding things like 2FA into your applications. Most of my time, I just spend thinking about how we authenticate users online, and since
Twilio does a lot of stuff with phone systems, I started thinking about how people can authenticate over the phone too, and it turns out that's not really a thing that most people are doing right now.

I'm also on Twitter, where I make a lot of bad password jokes. I'm particularly proud of this one. If you want to tweet at me during this presentation, my boss sent me here very nicely, so if you say nice things about me on the internet I can keep coming back to conferences like this.

All right, let's talk about the research that I did. So first of all, I had to call a bunch of these contact centers, right, to figure out what people were doing. And I'd figure out who to call, and so I had to have an existing account at the places. I was only trying to get information about myself. I wasn't trying to phish anyone else. There had to be personal info tied to my account that was behind some kind of authenticated system, and so that was something like orders, personal data, information about the account itself. The company had to have a customer support hotline, which is not something that's, like, necessarily a given these days. And I did focus this on mostly USA-based companies and USA-based phone numbers, because that's where I live. I live in New York.

Finally, I focused on inbound calls, and that's inbound into the contact center. There is also the situation where contact centers will call you, and that's just a whole different scope of authentication problems that I could talk about in an entirely separate talk. But I wanted to focus just on how, when you called into a contact center, what happened then.

With a few exceptions,
I always bypassed automated systems, so I wanted to talk to a real person at the end of the day, and I always called with my own phone number. I wasn't trying to do any spoofing or anything like that. And that also led to some interesting authentication ideas behind how some people recognize the phone number that you're calling with.

I would occasionally ask for additional information about the security on my account, but I avoided letting people know that I was doing this for research purposes. So for all they knew, I was just calling in to get information about my account. Everything that I did was mostly information gathering. There were a few places that I did try to change things on my account, and that did sometimes trigger additional security, which I found interesting. And I think that makes sense, right? Like, sometimes, you know, when we're designing software products, we have laxer restrictions on read restrictions than we do on write permissions and abilities, and I could see that having the same type of impact in and over the phone system.

Here are just some of the places that I called. Overall I've called about 45 to 60, depending on how you counted, companies at this point, and that might not sound like that many, but, you know, like, when you get put on hold with CVS for 40 minutes and then they hang up on you as soon as you get through, you know, this stuff adds up. The research took time. I will talk about some of these companies later in my talk, so if any of you work at these companies, that might be interesting for you. But for all intents and purposes here, I'm probably gonna name the people that are doing things well, but I probably won't name the people that are doing things especially poorly. If you are curious about some of those questions or companies, you can come find me at the bar later.

All right, getting in touch. So there were a few different ways that I could get a hold of these companies, and there were a couple of commonalities around how people do that.
Most retail, insurance, banking, like, consumer-driven companies have a customer support number that they make readily available. These are places like Home Depot and Comcast, State Farm for insurance.

There is this feature that's becoming more common with more sophisticated tech companies, where they will basically put a "call me" functionality on their website, and that's where you can input your phone number, and when an agent is free, they will call you. This lessens hold times, lessens call center costs, and so this is something that they can take advantage of to hopefully save them some time and money.

And then finally, there's a lot of companies that don't have a public-facing customer support number. And so companies like Facebook; Lyft in the US doesn't have a customer support number for drivers, or for riders at least. So that's an interesting thing when you call. I found a number for Facebook, and they do have this kind of automated system for saying, like, if you want to talk to any one of our subsidiaries, you know, WhatsApp, Oculus, Facebook, press the appropriate number. And when you get through and talk to Facebook, they just straight up tell you, "We don't provide over-the-phone support. Please file a ticket online." And I think that makes sense, right? Like, Facebook is a company that is built online. They always existed online. Anybody that is calling about something to do with Facebook is going to have an online account. And so they've made the decision not to support customers and customer service requests over the phone.

For consistency, I focused on option one. I was always calling into companies.

And then once you're on the phone, there are a lot of similarities between how companies build out their customer support lines. So you might hear me use this term IVR.
That's an interactive voice response. Most companies do that, and that is the same type of thing: it's like, press one to talk to sales, press two to talk to marketing, press three to reset your password. And so there's a lot of automation that people will do in this type of thing. Usually you can bypass that by pressing zero to talk to a human. But it also is interesting, because rarely what you input in there, if there's any kind of information gathering before you do get on the phone with a human, rarely do companies actually take that into account by the time you're connected with a human. And that's just some, like, flaws with how a lot of phone systems are designed, and a lot of the ways that these customer support centers, and all the different sources and communications channels that they have, have been kind of cobbled together over the years.

But when you do end up talking or getting on the phone with someone, there's a few different ways that they try to initially identify you. And this is not the authentication process. This is just the initial identification, so they can look up your account. Often it's automated with a phone number.
I kind of talked about that already. So they'll look up the phone number that you're calling in with and basically trust the caller ID and look up your account that way. You might input some kind of account number into the phone, and so that might be, if you're calling a bank, a credit card number. When you're calling Apple, they have you do this with your device ID number if you're calling about a device. If you call an insurance company, sometimes they will do that with your, like, insurance subscriber ID. And so there's things like that, that they can automatically look that up after you input something. And then finally, a lot of places, you just have to get on the phone with an agent, and they'll ask you for some identifying information so they can look up your account.

But that's just the identity, right? Identity is not the same as authentication. Identity is information about you, and that's things like your date of birth, things like your email, things like your phone number, and that stuff probably isn't gonna change. Even if you get a new email address, the one that you previously had is still kind of an identifying information about you. You know, and if I give you my phone number, there's a lot of people that have my phone number. Like, how can you prove that that's actually me?

And authentication, on the other hand, is that kind of secret factor.
It's the proof of identity, and that's usually with some kind of, like, one-time password, some kind of secret that you know. If you're talking about the actual factors of authentication: something you know, something you have, or something you are. And that's hard to do over the phone, and that's one of the reasons that we're having such an issue with this. Because identity and authentication are not the same thing, but we're constantly using identity to prove our identity, and that's not authentication.

Most over-the-phone systems are basically asking for two, sometimes three, pieces of identifying information, and that's, like, proof of who you are, right? I can't even tell you the number of times that somebody asked me, "To verify your identity, please provide your date of birth," and I'm like, that's not actually verification, right? Like, that's a piece of information about me that I happen to know, but again, there's a lot of people that know that information, and so it's not an actual authenticating thing.

But I'd really like to see that change.
I'd love it if I never had to give out identifying information about me ever again. I'd love if I never had to give out my social security number ever again. But this is a hard problem. We can't reasonably expect people to type in passwords over the phone, and we can't expect them to do that even if they have access to a computer or mobile phone. There's just a different platform that we're dealing with here, and I think that's one of the reasons that we've struggled with this.

And one of the other problems is that phone systems often predate the computer systems, especially for some of these older companies. They had phone systems and customer support hotlines for many years before they had an e-commerce website or something like that. And so the authentication systems might not be unified correctly. There might be all these different sources of data that they're dealing with, and it is a hard problem. I do want to acknowledge that.

All right, let's take a look at what I found, starting with the types of identifiers and occasional authenticators that I saw in my research. So this is a little hard to read, but on the left you could basically get the most common types of identifying information. That's things like phone numbers, emails, your physical address, your name, your account number, and then it starts to trail off with things like social security number, date of birth. I basically just tallied up the number of times that people were asking me for this type of stuff. Unsurprisingly, phone numbers were the most common type of thing.
Everybody's calling in with a phone number. It would make sense that people would be asking for that as a piece of identifying information. Account numbers, that was the types of things that I grouped together that had to deal with some kind of identifier that was specific to your account: order numbers, or not order numbers, but like account numbers, insurance subscribers, device IDs, that kind of things. So those got grouped together there.

Sadly, only a few places actually used any kind of secret to authenticate me. And so the examples that I saw of this were one-time PIN numbers; SMS-based 2FA, and so that was either, like, reply to this message, if you're trying to, like, contact Amazon.com; service codes, I'll show you what that meant. One company actually just straight up asked me for my online password. That wasn't, like, a phone password. They just asked me for my website password, and then I hung up. Then Verizon, when I called them, which is a telecom provider in the US, they said, "In order to authenticate you, we're gonna call you back at the number that we have on file for you." And that is a form of authentication, right, because then I have to have access to that incoming call.

But this is, like, very few of the things that I saw, right? There's not a lot of people that are actually doing the authentication here. And so this is where I want to see that change. I want to shift the authentication to be the things that we see often. And we're still going to have identifying information; they have to have something to look up your account with or something like that. But you need both an identifier and an authenticator in order to do this well.

All right, let's take a look at some of the more qualitative data and break it down into what some companies are doing well, all the way down to some of the things that kind of scared me.

So, the good: this is not that hard.
It's anybody that was actually authenticating users. I set the bar pretty low here once I kind of collected all this research. So, any kind of one-time code. Refusing to disclose personal information: this one is key. There was a utility company that I called, and I was like, I called in, and they looked up my phone number, and the automated system was like, "Hello Kelly, are you calling about your account at 123 Main Street in San Francisco, California?" And I was like, oh god, good thing I'm moving and this is a call to cancel my service. But, like, your service should not do that. Many of you may know how easy it is to spoof phone numbers. If anybody had my phone number and spoofed to call my utility company in San Francisco, they would then be able to get access to my home address, and that is not something you want to be giving out.

And then just, like, a random bonus delight: I was put on hold a lot, but Apple lets you, like, choose your hold music. And so they're like, "Do you want to listen to jazz or pop?" And I'm like, cool, I don't really care. But, like, this is kind of a nice thing: if I'm gonna be put on hold, you're giving me some autonomy to choose how I'm gonna spend the next 10 minutes.

So, an example of somebody that's doing an actual authenticated process. When you call into Netflix, their automated intro says, "Welcome to Netflix. For faster service, please log into Netflix.com and find the six-digit service code at the bottom of this web page." This was not something I had seen before, so I go to Netflix, scroll down to the bottom, and there's this button for a service code. When you click on it, it reveals a six-digit number, and this shows up in an authenticated session. This is some kind of time-based code. It's not session-based.
So I tried logging out and logging back in again. I still haven't gotten the answer from anybody at Netflix how they actually implemented this, but I think this is pretty cool. So this is kind of some kind of time-based authenticator. When I looked the next day, the code had changed, and so it does rotate in some way, which makes it more secure than just having, like, another passcode attached to your account. But this is a really easy way to kind of speed up the authentication process when you get on the phone with someone, and provide an actual one-time secret and a code that will change in order to tie that back to your account. And because this is in an authenticated session, you can take advantage of things like the username and password that the person is using on their online account. Again, Netflix is a service that requires you to have, like, a computer and a website, and so it's a reasonable expectation that people might have access to this. This is a way to speed up the authentication process.

Another example of good authentication: when I called Amex. This was actually an interesting one, because initially I called and I was just trying to get some information about my account, and when they looked at my account, they did only do it with some identifying information. But then I actually needed to have them send me a new credit card, and when I was asking for them to take action on that, they, one, connected me with a security specialist. And so they have a subset of agents that were specifically trained to do this kind of more risky behavior, which is doing things like sending someone a credit card; that is a riskier move that you would have somebody ask for over the phone. And then that person sent me this SMS message, and then I had to read the code back to them. This is a pretty good way to handle authentication when you're on the phone with someone. I did have access to my phone number, and so this is something that I was able to share back with them and actually
authenticate me.

Most of the places I called fell into this category, and this was stuff that was, like, fine. Maybe they'd done kind of the analysis on the security of the stuff that they had and realized that implementing more strict security wasn't worth it. But I still think there's room for improvement here. And so a lot of the stuff here falls into kind of the user experience aspect of this. And so, doing things like recognizing the phone number you're calling in from: I understand that there are security risks with that, trust me, but it does provide the end user a lot of benefit for not having to type in an additional account number. If you're only going to be using identifying information, at least verify more than one type of personal identifying information. And then prompting with relevant account actions is something else that I think makes the user experience better. And then, if you can, try to drive people to automated processes: the less chance you have that somebody can phish you by getting in touch with an agent.

So United Airlines is someone that I called all the time that does this, and so they can say things like, you know, "I see that you're flying from Montreal to Newark. Are you calling about that flight?"
And so I can say yes, I can go through that path. This does reveal a little bit of personal information about me. It does reveal that I am currently in Montreal, but I think that's fine, because that's kind of ephemeral data. It's not something like my personal address that they're giving away.

All right, here's where it starts to get a little dicey, and this I saw, you know, from a lot of places as well. And this is, you know, they're only asking for one form of identifying information. Maybe they're only asking for your phone number, and then you can get additional information back about other things that are attached to your account. If they're only asking for identifying information, maybe they are asking for two pieces, but it's, like, your phone number and your date of birth. Like, think about how many people in your life know those two pieces of information, or how many people in your life or not in your life could Google those things about you. Like, it's surprisingly easy to find that type of information through, like, some basic open-source intelligence work.

And then requiring a social security number. I am just not a fan of that. And this is more specific to the United States, but I think this is something that we really don't want to do, because, especially in the United States, like, this is something that was built for tax purposes. It wasn't built to be an identifier, and this is something that you don't want to have attached to you, because of reasons like Mrs. Hilda Schrader Whitcher. So does anybody know who this is? So I got one person nodding down here. So this is interesting, because she was a secretary for the CEO of a wallet manufacturer in New York State, and this wallet manufacturer, when social security cards came out, they wanted to advertise that their wallets could hold a social security card well. And so they asked Mrs.
Hilda to help design this social security card, and in doing that, she put her own social security number on this sample card and distributed it into tens of thousands of wallets that they sold throughout the US. And so she had to change her social security number, but as recent as 1977 there were still 22 people using her social security number as their own.

And so maybe the social security numbers don't apply in Canada, but, like, it's still a thing that you can think about: how these identifiers are not actually authenticators, and then, like, what are your identifiers and how are they actually generated? Because with social security numbers, they were generated serially until eight years ago. So if you want to, like, everybody raise their hand that was born in 1986, you guys all probably have, like, pretty similar social security numbers that you'd group up. It'll be a fun exercise, I promise.

So that's bad, but that's not, like, the worst of what I saw. This was a fun one. I called into somebody and they were like, "All right, can I confirm that I'm speaking with Kelly Robinson? Cool. To verify your identity, please provide your full name." And I literally gawked at the guy. I was like, "Are you serious right now?" And he was like, "Well, it's, like, you know, policy." I was like, "Were you supposed to give me my name?" And he was like, "I know it's weird, but, like, we have to ask." I'm like, no, you don't. Like, you literally just told me who I am.

So some of this, I know, like, I never blame the contact center agent for this type of stuff, right? Like, they are trying to be helpful, and we have built, like, we as the engineers and security analysts and researchers that are designing these systems, we are the ones that are responsible for making it easier for them not to screw up, right?
But it gets worse. So a lot of places, you know, they're giving out identity information. I called one financial institution to reset my two-factor authentication, because that's the thing that you had to do over the phone, and in that call they both let me reset my password and gave me my username without me asking for it. And I was like, oh, that's not good, but all right, at least I reset all these identifiers and I'm me. But, whoo, not great.

And then there's a lot of places that did that type of thing, that were allowing account changes without any authentication. And so this is a story of how I accidentally phished a major hotel chain.

So I had called a hotel that I had stayed at the previous week to get a copy of my receipt, essentially, and when I called into their customer support number, they said, "We couldn't find the account associated with the number that you're calling from," and that was part of the automated intro. So I was like, okay, must not have my phone number attached to this account or something like that. I'm not totally sure what happened, but then they provided an opportunity for me to input my phone number to look up my account that way. And so I did that. I input my phone number that would be attached to the account, and then I, you know, navigate some things in their IVR, and eventually I got on hold with a customer support person. I tell her that I'm looking for my receipt for my most recent stay, give her my email, the dates of my stay, the specific hotel that I was at. She looks up the stay, sends me the email, and says, you know, "It might take a couple minutes for this to arrive." I'm like, okay, I get that, like, email APIs, I know how this might work. I didn't get the email right away, but again, didn't think too much of it.

In the meantime, I asked her, I was like, oh, when I input my phone number, did that actually bring up my account?
Was that how you were able to find my account? And she said, "No, I looked up your account with your email address." And I was like, "Oh, okay. Like, is there not a phone number associated with this account?" And she said, "No, there is." And I was like, at this point I was just kind of confused, and so I asked her what the phone number was, and she gave it to me. And it was not mine. I wrote it down, and at this point I'm like, "Thank you, you've been very helpful. I still haven't gotten the email with my receipt, but, you know, maybe that'll come through eventually." And so I hang up the phone, and I look up the phone number that she had given me, and it wasn't my phone number. It belonged to a Kathy Robinson.

And so, oh, I forgot to tell you the best part about this story, though. And so once I was like, "Oh, that's not my phone number," she was like, "Oh, well, that's cool. Would you like to change it to be your phone number?" And so I was like, "Yes, please," and so I gave her my actual phone number. And so I hang up and I find out that I had Kathy's phone number. Looked up my actual account: there was no phone number attached to it. So I was like, oh, oops, that was bad. And I'm guessing what had happened is that she had looked up, she'd misheard or I had misgiven my email address, she had looked up Kathy's account, given me Kathy's phone number, changed Kathy's phone number to be my phone number. If any of you are named Kathy Robinson, I apologize. I can talk to you about that later and tell you which account you might need to change.

But what's that?
I could do that, but I'm trying not to be too creepy. Don't think I have that phone number stored anywhere anymore. But yeah, it's a situation that, like, again, I don't blame the agent for this. Like, there's an explanation for what happened. There weren't the guardrails in place to prevent that from happening. But, like, you shouldn't be able to accidentally change someone else's account information. And so I do have some recommendations for how to fix this.

Just a side note: everybody in stock photos of contact center agents always looks so happy. So, like, if you ever call into somebody and they're grumpy, like, just picture this, and it's like, they've got copious amounts of natural light, they're sitting in, like, a room like this. It's great.

So first recommendation is to match the rigor of your web authentication. Like, you would never let somebody log into your website by just giving you their name and their date of birth. Like, you ask for some kind of passcode, you ask for some kind of secret identifier. You're doing something like, maybe you're sending them a one-time code or a magic link through their email. There is some kind of secret involved in this process. And so you need to understand that somebody needs to be able to provide that, and work within the confines of the user experience. And so you can do things like take advantage of the voice platform and honor user settings for things like 2FA. There's other factors here that you can use to authenticate that aren't just passcodes. You can do things like verbal passcodes.
This is something that Vanguard, a financial institution, does. And so you can basically set up a verbal passcode. And I'm not saying that, like, the voice platform is the most secure way to do this, but it is an option that you can use, and it's better than not doing anything.

So Amazon overall did a really good job. Like, they are definitely in, like, the two thumbs up category, is a company that does authentication over the phone really well. But I think that they are also someone that I can pick on, because they do this well, but there's still some things that you can keep in mind here.

So before the call, they actually make it pretty hard to find out where to call them. They do this, like, "call me" feature. But I found out how you can find their general help number. It's kind of hidden at the bottom there, and then they basically expose this toll-free number that you can call into.

Once you call into Amazon, you do get this automated text message before you're ever talking to an agent, and this is great. It provides some context there. It says, "Are you calling Amazon?" I really like that. The Amex example that I gave earlier didn't do that, which is something that I prefer about the Amex, or the Amazon, examples, because they do provide that context of saying, like, "Reply yes if you are calling Amazon." And this is also something that's, like, there's a way that you can give feedback to this experience.
You're not going to probably accidentally type yes if somebody is trying to phish you. And so this is, like, a pretty good SMS 2FA type of situation.

But this is the way that they were verifying my identity when I called them, and I was kind of wondering in this process, like, what happened to my TOTP? I have time-based one-time passwords set up on my Authy account. I don't allow SMS 2FA on my Amazon account. This is slightly more secure. And so they never asked me for this passcode when I called them. And so this is, like, one of the ways that they're not quite matching the same rigor of the user preferences that I had set in that account. And that's because these systems are fragmented, right? You know, and I do hate to pick on Amazon, because overall they did a really good job. But this is something that you might want to keep in mind: thinking about how people have set up their authentication preferences. And the more security that you need around your system, the more that you want to pay attention to stuff like this.

One of the other funniest things is, after I got off the phone with Amazon, I had asked about the security on my account, because I had asked about the TOTP thing when I was talking to the agent, and so I don't know if she, like, flagged the fact that I was concerned about security on my account. So I got this message from customer service saying, "If you have concerns regarding your account security, the best action you can take is to choose a strong password." And I was like, what? Nobody ever asked me for my password here. And, like, again, I don't blame the agent. Like, probably just flagged, this is an email that needed to be sent to me because I was concerned, and they wanted to make me feel better. But this doesn't make me feel better, right?
Changing my password on my Amazon account would have done nothing for the situation that I was in, authenticating over the phone. And so you want to keep that in mind as you're trying to take into account all the different ways that people are securing their accounts.

So there's some strong authentication options here. Things like one-time passcodes. I mentioned voice recognition and verbal passcodes, which is strong for the medium that you're dealing with. And then there's this thing that I'm calling hybrid platform security, which is something like we saw with the Netflix example. But you might have also seen this if you've ever tried to log into, like, YouTube, if people have seen this when you log into a smart TV. So I think this is something that you see a lot when you're logging into a television. It's, you know, similar. There's limitations to the platform there, right? Like, if you only have a remote, you're not going to be wanting to type in a 16-digit random character password into your TV. Instead, what they do is they display the passcode on the TV, and then they tell you to go log in on the computer, and then that sends basically a webhook back to the TV to say, this person is authenticated, you can proceed. And I think that's a really good way to handle some of this type of stuff, because there are the limitations for how you can do the authentication on the platform, but you could take advantage of something like this and use it over the phone as well. Asking somebody to go to something like your website, like Netflix did, asking for an eight-digit code, is something that's easier to do than asking them for the entire passcode that they were using on their account.

My next recommendation, and this is a big one, I've talked about this a little bit, is basically we want to build those guardrails for the agents. It's really easy for them to be helpful.
They're trained to be helpful. But we want to make it harder for them to give up information that they shouldn't, and make it harder for them to get phished. And so this is things like limiting the amount of information that's available to them. You know, why does an agent need to know my home address in most circumstances? They don't. And so if they don't even have that information in front of them, then that limits the exposure that you're giving your agents in your company in being phished and getting information, and having callers get information that they otherwise shouldn't. Uh, the other option is only exposing information after the user is actually authenticated. This obviously takes a little bit more development work, but this is an option to make sure that the user has properly authenticated before you expose any information about them. The Amex example here: having only a small set of agents that you do train specially to handle the high-risk situations. And then there's this idea behind silent authentication. Contact centers are often optimizing for cost and to save time. And so as much as you can do behind the scenes to authenticate users... and there are services like Pindrop that do this, you might know of others. Um, this is not something I've done a ton of research into yet. But they'll basically do a risk analysis. Uh, you can do vocal analysis. There's ways that you can kind of get a risk score for how risky a call may be based on the things that somebody is asking for. And so that can all be done behind the scenes. Maybe you can do that before somebody even gets on the phone with an agent, so that you can flag things as higher risk. And then if a user is too risky, or they're displaying these types of, uh, risky behaviors, you can either terminate the call or send it to a specialized agent. And so here are two options for a dashboard.
You could show an agent. Um, I think, you know, agent dashboard two is the one here that doesn't... it makes you input the user's email instead of having it available to you. And the reason that this might make things better is, uh, when I called into an e-commerce website, they looked up my account with my phone number and they asked me for my email address to verify my identity. Uh, and so I gave them my email address and they were like, "No, that's not it." And so I was like, well, I don't know what email address I used for that account. I gave them, like, my work email, my old work email, another email; I gave them like three or four emails. And the guy was finally just like, "Well, you know, here's, like, the TLD, like the domain of the email," and it was like my old college email. And I was like, oh, well, now that I have half the email address, I obviously know which one it is, like, I only had one email in college. And so I was able to guess the rest of the email, or give him the rest of the email, after he provided that to me. And again, this agent was just trying to be helpful. But it was because he had that email address in front of him that, like, if I had been an attacker, that would have been really easy for me to get that email address, because if he gives me half the email, like, somebody else, any attacker that was trying to get into that account, would also be able to know the rest once given the domain. But obviously example number two, or agent dashboard two here, is going to take more time. Like, there's issues: you might have typos here when you type it in, you might mishear the person on the other end of the phone. And so this is going to take more time. And so that kind of leads us nicely to the next point, which is you do need to consider your threat model, right?
It depends a lot on, like, what you're trying to protect. If you're a bank or a financial institution where people can do things like transfer money over the phone, you want to have a lot of these more secure things in place. If all you're doing over the phone, if you're an e-commerce institution and somebody can just, like, get their order information, maybe that's not as... depending on what they're ordering, right? That's not as, like, necessary to secure that highly. And so you have to do that consideration into your own business model and think about what you're allowing people to do over the phone. There was one company that I called that I tried to change the address that I had on file, and when I tried to do that they were just like, "No, you can't do that over the phone, like, log into our website and change it there." And I think that's fine, right? Like, if you have a website that makes it easy for people to do the things like that online, then maybe you just don't support that over the phone. That's a very legitimate option. And it kind of depends on how much you want to support and what the profile of your customers is, and if you want to go through the extra effort to have that additional channel for customer service. Again, everybody is just so happy in this photo. So there's more options here. So the future of call center authentication can include things like in-app authentication. This is an example that we're playing around with with Authy right now of how you can basically build Authy into your application so that you can verify it when somebody calls into a contact center. And so this is an option that you might start to think about. If the user already has the app installed, they can verify their identity from their device. That turns into a "something that you have" factor. And we do have a lot of data about users.
I think we'll see more of that, like fingerprinting and advancements and kind of that behind-the-scenes identifying and authenticating, since we can do more fraud detection in call centers with that type of stuff. So some of the takeaways from this: identity is not authentication. If it's at all possible, use real authentication in your contact centers. Never provide additional personal information to the caller. They don't need it. That's not your place to give them. Think about how you've built your authentication for your app or your website and apply the same rigor to your phone authentication. Honor user settings for things like 2FA. And you must consider the user experience of the phone platform here. Telling people to just input their password over the phone isn't gonna end well. Make it hard for your agents to mess up. Don't let them access more information than they need. And finally, figure out what makes sense for you and your business. If this is interesting to you, I did write this up in a blog post. It's available at that link. I will also tweet this out to you after this talk. Like everything, there's no perfect solution here. But I hope I've given you some ideas for thinking about the security of your over-the-phone authentication systems. If your company has a customer support line, call it. See what happens. Try to get information about your own account. I think that's a really good way to start by evaluating your own system. Come find me after this if you have any questions. We do have plenty of time for questions now. Once again, my name is Kelly Robinson, and thank you for listening.