A bank’s interactive voice response (IVR) system and contact center representatives both play an essential role in servicing customers over the telephone channel. While banking customer’s need only a few key pieces of personal information to access their bank accounts, if that data lands in the wrong hands, banks and their customer accounts can become vulnerable to phone fraud and other social engineering schemes.
A recent data breach with online shoe and apparel retailer, Zappos, illustrates the impact data compromises can have on businesses and their customers. In the article, “Zappos Sued Over Data Breach,” Zappos and its parent company, Amazon.com, face a class-action lawsuit after hackers gained unauthorized access to personal information on more than 24 million customer accounts. The suit alleges that the retailer, who was entrusted in safeguarding the plaintiff’s and class members’ personal customer account information, failed to adopt and maintain adequate procedures to protect information and limit its dissemination only for the permissible purposes set forth in the Fair Credit Reporting Act.
While protecting customers over the Internet is beyond the scope of what we do at TrustID, what I found most interesting about this particular story is the information the criminals reportedly compromised. When crooks get their hands on a customer’s name, address, email, the last four digits of their account number and telephone number, that’s when it becomes our business. You see, this is most of the data needed to access many of the top bank’s IVR systems and socially engineer call center agents. With this information in hand, criminals now have the data they need to illegally gain access to legitimate customer accounts or deceive call center reps into divulging more personal information.
While the bank plans to tag the compromised accounts, the truth is much of the damage has already been done. Even if the accounts are tagged, without authenticating every call coming into the call center, those accounts — not to mention all other calls — will remain high risk.
The fact is, until each incoming phone call can be validated, businesses and financial institutions are susceptible to advanced Caller ID spoofing threats because they make unvalidated Caller ID and ANI merely claims, not trusted credentials for identifying customers. This is the primary tool that allows criminals to perpetrate financial theft and identity fraud over the telephone. To stop this growing threat, banking institutions need an authentication solution that actually restores trust to telephone commerce by validating Caller ID and ANI.
The TrustID® network-based Physical Caller Authentication tool does this by validating the physical location of the caller before the phone is answered. That’s something that customer identity solutions like knowledge-based authentication (KBA) cannot provide. By knowing the exact location of the landline or mobile phone used to place the call, TrustID enables businesses to answer each call with the confidence of knowing it’s a trustworthy credentialized customer. Having advanced insight to each call also allows organizations to proactively investigate potentially fraudulent calls with fewer resources, deliver faster, more cost-efficient calls, and improve the customer experience, all of which builds stronger brands and drives revenue.
As we continue to see fraud-related class-action lawsuits like Zappos and the News Group Newspapers (NGN), which recently settled to pay $1 million to dozens of individuals as a result of the News of the World phone-hacking scandal, having an effective authentication solution that provides a valid credential for callers as part of a multi-factor authentication strategy is becoming essential for mitigating risks and reducing financial losses caused by data breaches and social engineering schemes.
