Financial institutions spend billions protecting their assets: The people, the technologies, and the data. Yet, the attacks keep coming and the losses keep rising.
Indeed, many banks and credit unions are experiencing increases in incidents of fraud, and there is one particularly sore spot: Call Centers. The problem in particular is that many fraudsters are shifting their focus from credit card fraud—running full-on counterfeit scams—to identity theft. Even now, creating fake cards that work is relatively difficult; impersonating a customer and getting a real card (for example, as a replacement) that can be used at will is considerably easier. Moreover, while the bad guys move from the card to the consumer, the defense strategies haven’t moved nearly enough.
To understand what’s changed, and what hasn’t, it’s helpful to get a better handle on how existing authentication controls and procedures work.
First, consider the problem of Caller ID spoofing. Caller ID is the phone number included in the header data of each call, and banks use it to identify customers calling in from the number they have on file. Sounds great, but unfortunately, Caller ID is childishly simple to spoof: There are apps publicly available that can fake a call to the bank. As a layer of defense for the financial services industry, it is essentially meaningless.
Next, look at the security questions banks use to authenticate their customers. While some questions vary, typically based on situation and need, there are commonly accepted protocols. For example, a balance inquiry might involve asking the customer to confirm the billing zip code, while a request for a replacement card may spark more stringent questions—last four digits of the social security number, etc. Again, it all sounds effective, because this is definitely delving into highly confidential data. But here, too, such thinking is behind the times: Sophisticated cyber-criminals have accumulated massive amounts of personally identifiable information (PII) on hundreds of millions of U.S. consumers, mostly stolen through data breaches at health care organizations. Of course, this information is freely available—well, for a price, anyway—on the dark web.
What about One-Time-Codes?
Some banks also prefer to send a text message, such as a one-time passcode (OTP), to the mobile number on file. This is definitely an improvement, but it runs up against an obstacle: Most banks do not have accurate mobile phone records for many of their customers, which makes out-of-band authentication strategies such as OTP largely impractical. For the record, e-mails are even less workable in this regard—consumers change those often anyway, and messages sent through this channel can be hacked or even sniffed without the customer knowing.
Is Voice Recognition an Effective Solution?
Of course, we have all been hearing about exciting advances in biometrics, specifically human characteristics such as the voice. Again, there’s great promise here, but the technology available is more effective in the negative space—such as identifying known fraudsters—rather than positive, which would be confirming the identity of the caller. More to the point, the voice models available need some sort of training with each implementation to identify callers accurately. Sadly, we have learned that some institutions that have had voice-related security controls in place for at least two years are still seeing high levels of fraud in their call centers. These tools might work on 5%-10% of fraud cases, leaving most of it unchecked.
The PersoKey Solution for Call Center Fraud
Let’s set an ambitious goal: Any solution implemented to fight call center fraud should be effective on at least 90% of high-risk calls. For that, every solution needs a multi-layered approach, including strong phone number verification protocols and perhaps biometrics.
At PersoKey, we use a full complement of technologies to enable the next generation of multi-factor authentication:
- (1) What you have: the best device ID available, which is the SIM card on the phone; high-quality intelligence, which involves ascertaining who owns the phone and for how long, and whether the device is pre-paid or post-paid; mobile geo-location; and
- (2) What you are: through facial recognition and facial intelligence, proving that the right person is using the device.
Blending all these advances in a single solution offers the best way to verify a caller’s identity, even when the mobile phone is not on file with the bank. PersoKey’s Call Center Solution can work on both smartphones and non-smartphones, and our Assisted Verification Portal (AVP) – specially designed for call centers of financial institutions – does not require integration with the bank or credit union systems. Banks and credit unions can be up and running with our call center solution in just one day. Compare that with the costly and time-consuming implementation that other, less effective solutions require from banks or credit unions.
PersoKey’s solution replaces ineffective traditional what-you-know fraud controls (i.e. frustrating security questions and passwords) with effective next-gen multi-factor authentication, providing the highest coverage of fraud possible and reducing the handling time of calls while improving customer engagement and satisfaction.
To request a demo please visit our website www.persokey.com or send us an email at firstname.lastname@example.org