Why call centres aren't really risking your credit card details
According to a new survey by a company that has plenty to gain from the results, businesses are potentially exposing their customers to data theft by failing to erase recorded calls containing personal data and credit card information.
The survey by Veritape, which sells business software for recording phone calls in call centres - no interest at all in the results of their own survey, then - claims just three per cent of UK call centres comply with industry guidelines; the other 97 per cent store unedited customer calls. Fewer than four in ten businesses were aware of the Payment Card Industry rules which state card details must not be stored once transactions have been completed.
Veritape say it is "relatively straightforward" for a hacker to data mine these call recordings, and that "successful hacking incidents are rising steadily." Everyone else who has blindly reproduced their findings seems to agree with the assessment, even though it appears journalists have simply cut and pasted the details. The Times, for example:
"A national poll of UK call centre managers by Veritape, the audio recording specialists..."
Audio recording specialists? According to who, exactly?
Oh. Right. The thing is, we're struggling to find any notable examples of fraud committed in this way. Despite the claimed ease, we can't find a single incident of recorded phone conversations being stolen remotely and the data within used to commit credit card fraud. The Telegraph publishes some figures, but these are generic figures that refer to "phone, internet and mail order fraud" rather than capturing data through the very specific method that the entire story rests on. We're not saying it hasn't happened, we're just unsure why an increasingly popular and "relatively straightforward" method of stealing credit card information hasn't led to several high-profile news stories, besides those that appeared today repeating the claims of a survey conducted by a company with a vested interest in the outcome.
Of course it's not acceptable for call centres to store personal data on the sly, but it's somewhat difficult to ascertain whether this scaremongering PR exercise highlights any genuine threat to consumers. In the same way that writing your online banking passwords on a slip of paper in Urdu and hiding it under the floorboards potentially puts your finances at risk from burglars, there is a possibility your recorded phone calls could be hacked - but the problem appears far less significant than anyone, either the company looking to line their pockets or the newspapers desperate to fill their pages, would have you believe.
UPDATED 17/10: The Times has amended their description of Veritape for the print version of the story:
Thereby proving they didn't simply shamelessly cut and paste from the original press release. The new version of the story also now attempts to justify Veritape's claims:
"Veritape says that “data mining” of audio recordings — when criminals hack into the recordings — is relatively straightforward and has occurred in at least one UK bank in the past 12 months."
So despite the implication by Veritape that this is an increasingly common problem, they have one example of it occurring at one company in the whole country, in a year. That's one incident, despite thousands of companies using call centres to deal with millions of customer transactions every day - and there's still no detail of which company it was, when it occurred, how many customers were affected or indeed any other facts concerning the matter.
If your aim is to panic the public (to quote Veritape in the press, "this practice ought to send a shiver up the spine of card providers") it's pretty important to have a case study to prove your point, whether you're the company pushing the research or the media reproducing it as news.