Ever wonder how easy it is to socially engineer somebody over the telephone? At this year’s computer hacker conference, DefCon, attendees got a glimpse of the ease with which criminals are using the “low-tech” telephone channel to gain access to highly confidential company and customer data.
This past week a well-respected industry peer of mine sent me the link to a recording of a DefCon contest that illustrates just how easy it is for criminals to socially engineer their way into a major retailer and obtain highly sensitive company or customer information. The recording nonchalantly discusses spoofing your identity and how doing so aids a criminal’s ability to socially engineer an unsuspecting phone representative.
One of the reasons telephone fraud and social engineering have picked up in recent years is that criminals can now access or change the address or account data necessary to perpetrate larger and more profitable online crimes. Once a criminal controls a customer’s information – primarily through the telephone channel – they use the newly acquired personally identifiable information (PII) to commit crimes through the online channel.
Financial institutions that ignore the telephone channel as a primary source of fraud, and fail to apply the same security and authentication requirements as they do to the online channel, will remain vulnerable to such crimes. As a result, they will continue to risk damaging their brand reputation and losing customers’ confidence in the protection of their personal information, and could even find themselves in a position of financial liability.
The truth is, one way or another most financial fraud links back to identity theft. This is something every financial services provider needs to know. Until banks grasp the fact that the telephone channel is a weak link today, they will continue to fight an uphill battle to stop fraud over the phone.
Deploying a non-intrusive identity authentication solution like the TrustID® network-based Physical Caller Authentication tool enables banking institutions to convert ANI and Caller ID into a powerful physical security and authentication resource that can be used to close the security gap that too many bank call centers still operate with today. By validating the caller’s identity before the phone is answered, call center agents are no longer put in a situation that makes them vulnerable to Caller ID spoofing or social engineering.
I have written extensively about the risk of trusting ANI and Caller ID as a means of authenticating customers over the telephone. In the same vein, I’ve also cautioned those in call center or security positions to be cognizant that defaulting to the use of knowledge-based authentication (KBA) to identify customers is equally risky and expensive because it drives up handle time on every call.
Ultimately, when it comes to building a safer, more effective banking environment across all customer channels, financial institutions need to eliminate risky situations and provide inexpensive ways to improve customer service. Fortunately, a solution like TrustID does both.