
Comment by kragen

1 day ago

> It's probably hard to keep call-center workers bribe-proof.

Yes, but I do think an organization like Coinbase or a cell phone carrier - which are extreme targets of fraud - has an obligation to recognize that its employees are targets and implement greater security measures than most organizations. Maybe Coinbase should even pay higher wages and use onshore customer service agents.

You can take the Google approach of basically not empowering the agents at all. It's not worth trying to social engineer Google CS, because they can't do anything anyway.

  • Coinbase has the same approach. It's a miracle that ransomware operators got in touch with Coinbase support at all.

    • It would be pretty simple actually

      >Go on LinkedIn

      >Look up profiles of people who work at Coinbase

      >Contact and bribe them with a burner account

One step would be not to locate all of the call centers in countries where “stealing money from elderly Americans” is a noticeable part of their GDP.

  • You are writing this as if you know what countries Coinbase's call centers are located in and the role of organized crime in their economies, but you don't actually know either of those things.

    • Lol, that's because while Coinbase emphasizes its commitment to security and compliance, specific details about the geographic distribution of its offshore personnel are not disclosed in its public filings.


  • You mean like in the USA?

    > ...bribed AT&T employees at a call center in Bothell, Washington, to "use their network credentials and exceed their authorized access to AT&T's computers to submit large numbers of fraudulent and unauthorized unlock requests on behalf of the conspiracy and to install malware and unauthorized hardware on AT&T's systems," according to the indictment.

    https://abcnews.go.com/Politics/att-employees-bribed-1m-unlo...

Call center workers who have access to PII and financial abilities should probably be vetted a little bit better.

  • How are you going to vet people to find out if they're vulnerable to bribery? Offer them a bribe during their probationary period, during which they only have access to fake customer data?

    • You can do a background check, but the reality of the matter is that you pay citizens a living wage to do the work instead of offshore it into a country that pays pennies.

      Bank tellers can take thousands out of the vault at any time and yet it seems it’s not a very big issue.


Let me add to your statement. It is hard to keep call center workers bribe-proof WHEN they are paid peanuts AND they are working for a company that is in an extremely high risk business of managing crypto.

  • Correct, but what's the alternative? They're paid peanuts because it's not exactly the kind of job you ever pay out the wazoo for. The only thing that comes to mind if I'm Brian Armstrong is going all in on AI bots that can get 90% of the way there (maybe 95%) and then have domestic-based humans who are paid more with (presumably) a lower probability of being bribed. But realistically, the only way to stop something like this is going 100% AI bots, but then that comes at the expense of customer satisfaction, and also bots that are exploitable through prompt manipulation.

    alternatively limit the roles and what the offshore people are able to do, but then any escalation means domestic people, which brings us back to "well at that point just use AI to automate easy tasks"

    • Normally payment should follow the amount of power/responsibility. If you pay someone peanuts but they have root access to prod, then you should pay more or restrict their credentials. Same applies to being able to access PII.

    • > what's the alternative?

      Small set of privileged employees who work from the home office and are compensated to match. If an issue requires their attention, it takes time to resolve. But it's resolved securely. In essence, what Google does.

      Alternative is the banking model. Low-cost customer service massively empowered and just eat the costs of breaches as they come.


Yes, but you cannot give them a SQL prompt. Rate limiting account queries per CSR is a common mitigation measure.
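To make the per-CSR rate limit in the comment above concrete, here is an added example (not code from the thread, and not from Coinbase, Google, AT&T or any other company named in it) of a sliding-window guard in front of account lookups. It goes slightly beyond a plain counter: besides the total lookups per agent per window, it also caps the number of distinct accounts an agent can open (bulk PII harvesting looks like breadth, not volume) and the number of lookups not tied to a support ticket. The log format, the `csr_*` and `acct_*` identifiers, the ticket field and every threshold are assumptions made for illustration; real deployments would tune them per role and feed denials to the fraud team rather than just refusing.

```python
"""Per-CSR account-lookup guard: rate, breadth and no-ticket checks.

Added example, not code from the thread or from any company it names.
Log format, identifiers and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LookupPolicy:
    window_seconds: int = 600        # sliding window per CSR (assumed)
    max_lookups: int = 5             # lookups per CSR per window, any account
    max_distinct_accounts: int = 4   # distinct accounts a CSR may open per window
    max_without_ticket: int = 2      # lookups with no support ticket per window


@dataclass
class CsrWindow:
    # (timestamp, account_id, ticket_id or None) for lookups that were allowed
    events: deque = field(default_factory=deque)


class LookupGuard:
    """Decide, per lookup, whether a CSR may open an account record.

    Checks run in this order: "rate" (total lookups in window), "breadth"
    (distinct accounts in window), "ticket" (lookups not tied to a ticket).
    Denied lookups are not recorded, so refusals do not consume the window.
    """

    def __init__(self, policy=None):
        self.policy = policy or LookupPolicy()
        self.windows = defaultdict(CsrWindow)

    def _evict(self, win, now):
        cutoff = now - self.policy.window_seconds
        while win.events and win.events[0][0] < cutoff:
            win.events.popleft()

    def check(self, ts, csr_id, account_id, ticket_id):
        win = self.windows[csr_id]
        self._evict(win, ts)
        p = self.policy
        if len(win.events) >= p.max_lookups:
            return False, "rate"
        seen = {acct for _, acct, _ in win.events}
        if account_id not in seen and len(seen) >= p.max_distinct_accounts:
            return False, "breadth"
        if ticket_id is None:
            untracked = sum(1 for _, _, t in win.events if t is None)
            if untracked >= p.max_without_ticket:
                return False, "ticket"
        win.events.append((ts, account_id, ticket_id))
        return True, "ok"


def parse_line(line):
    """Constructed format: '<unix_ts> <csr_id> <account_id> <ticket_id|->'."""
    ts, csr, acct, ticket = line.split()
    return int(ts), csr, acct, (None if ticket == "-" else ticket)


def run_log(text, policy=None):
    """Replay a constructed lookup log in timestamp order; return one decision per line."""
    guard = LookupGuard(policy)
    rows = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r[0])
    out = []
    for ts, csr, acct, ticket in rows:
        allowed, reason = guard.check(ts, csr, acct, ticket)
        out.append({"ts": ts, "csr": csr, "account": acct,
                    "allowed": allowed, "reason": reason})
    return out


def summarize(results):
    """Per-CSR counts of allowed/denied lookups and the set of denial reasons."""
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0, "reasons": set()})
    for r in results:
        s = summary[r["csr"]]
        if r["allowed"]:
            s["allowed"] += 1
        else:
            s["denied"] += 1
            s["reasons"].add(r["reason"])
    return dict(summary)


# Constructed sample log: csr_alice works tickets normally; csr_bob behaves
# like a bribed agent pulling accounts with no customer contact behind them.
SAMPLE_LOG = """\
1000 csr_alice acct_1001 T-1
1060 csr_alice acct_1002 T-2
1120 csr_alice acct_1001 T-1
1180 csr_alice acct_1003 T-3
1000 csr_bob acct_2001 -
1005 csr_bob acct_2002 -
1010 csr_bob acct_2003 -
1015 csr_bob acct_2004 -
1020 csr_bob acct_2005 T-9
1025 csr_bob acct_2006 T-10
1030 csr_bob acct_2007 T-11
1035 csr_bob acct_2005 T-9
1040 csr_bob acct_2001 T-13
2000 csr_bob acct_2008 T-12
"""

if __name__ == "__main__":
    for csr, s in summarize(run_log(SAMPLE_LOG)).items():
        print(csr, s)
```

On the constructed log, csr_alice passes every check while csr_bob is refused twice for ticketless lookups, once for touching too many distinct accounts, and once for exceeding the raw rate, then is allowed again once the window has rolled over. The ordering of the checks matters: a bribed agent who re-opens accounts already in the window is not stopped by the breadth check, which is why the plain rate cap is still needed underneath it.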