Archive for the ‘Call Center’ Category

Real-time telephone authentication needed to identify risky in-bound calls

Posted on: December 12th, 2012 by art

Card-not-present (CNP) fraud and account takeover typically refer to online crimes, but an increasing number of criminals are targeting call centers to perpetrate crimes that are normally associated with the Internet.

With financial institutions pouring so much effort and investment into online security strategies, banks really need to consider the same when protecting their call centers. Without effective authentication tools that can verify telephone locations, bank contact centers remain vulnerable to various types of fraud over the phone channel.

The way criminals scam bank phone representatives typically comes in the form of social engineering. For example, after placing a call to a bank’s contact center, the criminal impersonates a real customer in the attempt to trick a bank agent into revealing various pieces of financial information. Once they’ve acquired the person’s financial details, they call right back and talk to another representative to change the username and password on the account. When the information has been changed, they’ve hijacked the account. At this point, the legitimate account holder is unable to access their own account.

When this happens, quite often the victim does not have the immediate knowledge that their account has been taken over. As a result, the criminal has enough time to conduct a myriad of crimes including fraudulent purchases and transfers that can clean out an entire account before any wrongdoing is discovered.

In an age of highly sophisticated criminal tactics, sometimes it can be the simplest methods that catch banks off guard. This is why it is so important for financial institutions to make sure all customer channels have effective authentication solutions in place to mitigate their risk of fraudulent transactions.

Today’s banks need to arm their call centers with authentication solutions that provide true multi-factor protection against risky inbound calls. While many banking institutions still depend on knowledge-based authentication (KBA) security questions to identify customers over the telephone, these methods can be defeated by sophisticated criminal tactics.

A complementary fraud prevention tool like the TrustID® network-based Physical Caller Authentication can provide an extra layer of protection to proactively identify risky calls before they are answered. By automatically validating the actual physical location of the landline or mobile phone calling into a contact center, financial institutions can automatically identify in real time when a Caller ID or ANI has been spoofed to better protect their phone channel and make sure their customer information and confidential data do not fall into the wrong hands.

Protecting your customer data over the holiday season

Posted on: November 28th, 2012 by art

Protecting the integrity and confidentiality of your customer data is one of the most important services any bank can provide, no matter what time of year. This can ring especially true during the busy holiday shopping season. With bank call center agents likely fielding more risky telephone calls over the holidays, it is more important than ever for financial institutions to have a robust authentication process in place to validate incoming calls without impacting the overall customer experience.

The recent article, “8 Ways to Safeguard Customer Data,” provides several steps for helping businesses protect their private information, including familiarizing employees with their data policy and educating customers about their security efforts. But when it comes to protecting the telephone channel this time of year, banking institutions need real-time authentication tools that allow them to proactively and non-intrusively identify good callers from risky ones.

For combating bank phone fraud, the article also highlights the importance of establishing robust authentication processes to help prevent contact center agents from unknowingly divulging financial details to criminals hiding behind spoofed Caller IDs and social engineering schemes. Armed with a couple of key credentials, it isn’t difficult for crooks to trick bank representatives into thinking they are legitimate customers, says Kim Martin of IVR platforms developer, Voxeo.

“If you have two pieces of information about a person, it’s easy to fool someone into believing you’re that person.”

The fact is it only takes a few pieces of personal identification information (PII) to defeat more traditional methods for customer identification such as knowledge-based authentication (KBA). This means that financial institutions cannot rely on single factors of authentication to identify banking customers, whether online or over the telephone. Once a criminal possesses the correct PII to answer security questions, a second layer of authentication is required to confirm whether the caller is authentic or not.

A complementary security solution that does this, and also meets one of the FFIEC’s components for “multi-factor” authentication, is the TrustID® network-based Physical Caller Authentication tool. Using real-time telephone network forensics, TRUSTID determines the authenticity of the incoming telephone call to validate whether it’s a legitimate call or identify it as a spoofed call. This is automatically done in seconds before the call is picked up. So, the customer experience is not interrupted, and criminals are pushed out before they can get in. Once the bank determines the risk of the call, it can then route it to the appropriate pool or IVR option for processing.

By non-intrusively validating good customers and invisibly identifying bad ones, banks can service good customers faster and stop criminals dead in their tracks. This not only helps them better protect customer data but makes the telephone channel a highly efficient and safe way to bank over the holidays, and year round.

Are recent DDoS attacks really a decoy for bank call center fraud?

Posted on: October 31st, 2012 by art

Last month, cyber attacks launched against several U.S. banks showed us how customer traffic is redirected to other banking channels, increasing volume and creating security vulnerabilities in other channels including the call center. More recently, distributed denial of service attacks (DDoS) were launched against more U.S. banking institutions, once again illustrating how cyber fraud in one customer channel can directly impact another.

In the BankInfoSecurity article, “DDoS Attacks: First Signs of Fraud?” Akamai’s Mike Smith points out the often overlooked association between cyber attacks like DDoS and call centers. While this link is absolutely true, there doesn’t seem to be enough attention on this important connection.

More often than not, when financial institutions are implementing authentication strategies, the online channel and the telephone channel are seen as separate components, requiring completely different authentication tools and solutions to secure these respective channels. While identification processes may be different, considering one without the other can create security gaps that can leave customer accounts vulnerable to social engineering attacks.

Smith also reminds us how DDoS campaigns have been used for fraud in the past to distract banks while criminals conducted fraudulent transactions in the background. Much like a decoy that has security teams all running to put out one fire, criminals have launched cyber attacks with the intention to perpetrate fraud or take over accounts through another channel that is less protected or less likely to detect or prevent fraud, such as the telephone channel.

While DDoS attacks can be used as a distraction for fraud, Smith believes these attacks are used as more of a delay tactic where they occupy the resources so they don’t have time to deal with the real threat. When these attacks cause a bank’s website to go down, a bank’s got an instant customer satisfaction issue. As a result, backup banking channels like call centers experience a higher volume of traffic, which can leave them unprepared and vulnerable to fraud.

When financial institutions rely on knowledge-based authentication (KBA) methods to identify customers over the telephone, lengthy security questions can impact both customer satisfaction and the bank’s ability to detect fraud and other social engineering schemes.

Without relying on personally identifiable information (PII) or telephone interrogations to identify customers, the TRUSTID® Physical Caller Authentication tool makes sure banks are prepared to authenticate a higher volume of calls by automatically validating the physical location of the Caller ID and ANI before the phone is picked up. By instantly authenticating good and bad customers over the phone, TRUSTID ensures financial institutions are always prepared to identify legitimate customers in real-time, as well as detect and stop criminals who conducted the original DDoS attacks only to perpetrate account takeovers over the telephone channel.

Exceptional customer service no longer an option, it’s a banking necessity

Posted on: October 24th, 2012 by art

In today’s age where customer retention and loyalty are as good as your last phone call, providing a fast and satisfying banking experience is more important than ever. With new regulations like the FFIEC Guidelines holding financial institutions more accountable than ever before, fulfilling federal requirements without sacrificing customer care is one of the top challenges many banks face today.

The recent American Banker article, “The Golden Rules of Retail Banking Customer Service,” highlights the important role that quality service has on customer satisfaction and retention. As ever-shifting banking trends such as the growing mix of sales channels and banking fees confuse and frustrate customers, banks have to work smarter and be more diligent to maintain customer trust and provide top flight customer care. If they don’t, customers will certainly find someone who will.

With customer loyalty being tested at every touchpoint — whether you’re servicing a customer over the counter, online or over the telephone — providing efficient, highly personalized customer service across all customer channels is no longer an option in today’s banking industry, it’s a necessity. Not including customer service initiatives in your overall business strategy or investing in the operational and security tools and technologies to get you there will eventually impact your customer satisfaction rating.

The article points out a number of things banking institutions can do to improve customer satisfaction across all channels. But achieving this is not easy. It’s a process that requires continuous measuring, analyzing and improving your overall business approach and strategy; then, once you’ve achieved that, repeating the process all over again.

When it comes to the telephone channel, addressing and satisfying your customers’ needs is about being proactive and resolving issues before they impact your ability to deliver exceptional customer service. One of the ways is to deploy security tools that allow you to work more efficiently within a more secure environment.

The TRUSTID® Physical Caller Authentication tool helps banks do both by taking a proactive, non-intrusive approach to authenticating customers over the telephone. By validating the Caller ID and ANI before the call is answered, TRUSTID allows financial institutions to take action against high-risk calls in real time. This process invisibly shuts the door on spoofed calls, essentially stopping fraud before a criminal has the opportunity to socially engineer a call center representative.

It also allows banks to quickly accept good customers with confidence without having to interrogate them with a bunch of non-predictive knowledge-based authentication (KBA) questions. This way, banks don’t waste valuable time or money on bad calls and can address good customers’ needs at the onset of each call, all of which provides for a better overall customer experience.

Access to mobile phone numbers could lead to social engineering

Posted on: October 17th, 2012 by art

Let’s face it, our mobile phones have become an extension of ourselves, with their whereabouts always within arm’s reach. The personal information that our smartphones contain goes beyond our own memory, which is exactly why criminals are so keen on targeting our phones, the data they contain and what they can unlock.

Knowing this, it continues to blow my mind when I come across articles like last week’s “Facebook lists user phone numbers for all to see.” In the article, the world’s leading social network still makes available users’ mobile phone numbers for anyone to access. With a little bit of ingenuity, security researcher, Suriya Prakash, said anyone can gain access to the one device that connects our personal and online information.

“I would consider my most ‘personal’ data saved on Facebook to be my mobile number as it is somewhat of a bridge interlinking both my personal and online life. I would not like people I don’t want getting a hold of it.”

With one billion Facebook users out there, this is a treasure trove of personal information for crooks. By collecting something as simple as a mobile phone number, a motivated criminal can begin creating a profile for the purpose of social engineering an individual, as well as committing bank fraud if they can match that individual to a bank.

Yet, this is only the tip of the iceberg when it comes to gathering personal information from social websites.

Not so easily understood are the apps that ask you questions like, “How well do you know John Doe?” or run you through a series of personal questions such as, “What is your favorite color?” “Where was John Doe born?” or “What was John’s first car?” The answers to these are the answers to the challenge questions in many knowledge-based authentication (KBA) solutions.

With a website like Facebook sharing personally identifiable information (PII) with the rest of the world, financial institutions need to have a customer authentication strategy in place that identifies customers over multiple channels, including the telephone channel. Using powerful, real-time telephone network forensics, the TRUSTID® Physical Caller Authentication solution validates the Caller ID and ANI before the telephone is answered. Within seconds, banking institutions can determine if the call is authentic or identify that it is a spoofed call. At that point, the bank can route the call based on risk to the appropriate contact center agent or IVR for processing.

Either way, leveraging TRUSTID’s effective telephone authentication tool can play an important role in preventing social engineering attempts against today’s banking institutions and achieving optimal efficiency.

Does your bank provide a quick, safe, hassle-free customer experience?

Posted on: October 10th, 2012 by art

Quick, effortless, hassle-free query resolutions are what all banking customers want. Unfortunately, in today’s complex, multi-channel banking world, that’s not always what customers get.

Today’s on-the-go customers no longer have the time to talk face-to-face with bank representatives to conduct their financial transactions. For many, the banking experience has gone 100 percent remote. As a result, the process of identifying customers online or over the telephone requires customers to provide various types of personal information to confirm they are who they say they are. These time-consuming knowledge-based authentication (KBA) methods not only test the goodwill of customers, they are not predictive of positively identifying customers.

According to the article, “5 top tips for effortless customer service,” the best banking experience for both customers and banks is one that resolves issues in a timely fashion without requiring anything from the customer. One of the ways organizations are trying to achieve this is by using contact centers to handle priority queries at the first point of engagement with the customer. While serving customers with no effort on the part of the customer is certainly the objective of most financial institutions, reaching this goal isn’t easy.

The article provides a few things businesses need to do to achieve this, which include:

  • Enable customer self-service: Different customers prefer different engagement methods. Therefore, providing a self-service approach for customers to navigate their way through a system and resolve a problem would resonate well with customers.
  • Reduce customer effort: The ability to authenticate customers without having them answer a bunch of security questions or provide personal details before they get to the business at hand would make for a better overall customer experience.
  • Minimize obstacles that get in the way: This starts with knowing your customer profile, their typical customer service journey and the problems they are likely to have. Once banks know this, they can create an effortless pathway to make it quick and easy for customers to resolve their problems.
  • Focus on problem solving, not speed: While rapid resolution is the goal, it can come at the expense of quality service. To resolve this, organizations need to have a system in place that quickly and discreetly identifies customers without requiring any effort or personally identifiable information (PII) on their part.

One way to immediately identify banking customers over the telephone without requiring PII or interrupting the customer experience is by validating the Caller ID before the call is answered. This way the customer is not put through any type of phone interrogation and the call center agent can get right to safely servicing the customer the moment they pick up the phone.

The TRUSTID® Physical Caller Authentication tool does this by automatically validating the Caller ID and ANI before the phone is answered to ensure the security of the telephone channel. By remaining invisible to criminals and non-intrusive to customers, TRUSTID identifies the physical location of the landline or mobile phone in real time so financial institutions can see when an incoming call is coming from a legitimate customer or from an entirely different location. This level of validation speeds up the customer authentication process to combat social engineering schemes conducted over the phone and allows banks to better service their customers to improve the overall customer experience.

Is your call center one of the weakest links in your security chain?

Posted on: August 22nd, 2012 by art

There has been a growing sentiment with the fraud-fighting community about the efficacy of ‘what you know’ anti-fraud methods. The recent disclosure of a two-year account takeover scheme against Bank of America seems to illustrate where we are as an industry, where we need to be, and that even the most reputable and highly secured financial institutions like BofA face the daily challenges of balancing fraud and the customer experience.

In the BankInfoSecurity.com article, “Takeover Scheme Targets Bank of America,” seven people were accused of stealing more than $350,000 in fraudulent funds transfers. The scam, which authorities say was largely orchestrated through the bank’s online and telephone channels, underscores the need for financial institutions to improve their cross-channel fraud detection capabilities, said Jason Malo, who covers financial fraud for CEB TowerGroup.

“‘What you know’ is, by itself, not good enough for the online channel. It shouldn’t be good enough for the other channels.”

He goes on to say that criminals are increasingly exploiting vulnerabilities in security systems that rely on knowledge-based authentication (KBA) to identify banking customers.

“There seem to be more incidents involving customer-support channels. The breakdown here seems to be at the account-opening level, where the runners had information on the accountholder and were able to answer security questions about the account.”

This echoes something I’ve been saying all along — how KBA solutions alone are no longer effective against today’s social engineering schemes. Even Gartner fraud analyst, Avivah Litan, agrees. She concluded that the fraudsters in this particular case probably found it easy to trick BofA call center agents into divulging the personal information they needed to add sub-accounts to existing accounts to transfer stolen funds from. It’s a growing fraud practice, she says, that stems from security weaknesses in the telephone channel.

“Banks need to pay more attention to call-center identity-proofing practices. This has been notoriously weak at banks, and is one of the weakest links in their security chain.”

Coming from one of the fraud industry’s leading authorities, I’d say banks need to sit up and take note. In my opinion, this says it all. To protect banking customers and their accounts, financial institutions need to add the ‘something you have’ authentication component to their existing security arsenal to effectively fight and prevent bank fraud over the telephone channel.

The TRUSTID® Physical Caller Authentication solution does just that. By validating the physical location of the telephone used to call a bank’s contact center before the phone is answered, TRUSTID provides a complementary solution to other anti-fraud methods, including KBA, to give banking institutions true multi-factor authentication that’s often missing in many of today’s cross-channel fraud defenses.

Password reset hack puts spotlight on telephone channel vulnerabilities

Posted on: August 15th, 2012 by art

Last week, Apple announced it was temporarily suspending the ability for its customers to reset their AppleID passwords over the telephone. The swift action came in response to several mobile accounts that were infiltrated and wiped out after a Wired writer reset his password over the phone.

According to the article, “Apple Confirms Suspension of Over-the-Phone Password Resets,” after Mat Honan reset his AppleID password over the telephone a hacker broke in and deleted data from his iPhone, iPad and MacBook Air accounts. This incident is yet another example of the potential vulnerabilities of the telephone channel.

What I found most interesting is while Apple took steps to secure the procedure, one of the ways the company asked customers to reset their passwords was to answer security questions that they’ve previously set up. Is it me, or could this process exacerbate the problem?

Time and time again, I’ve discussed the shortfalls of relying on knowledge-based authentication (KBA) solutions, which require customers to answer challenge questions over the telephone. The problem with this method is today’s social engineering schemes are often based on knowing the answers to these questions.

Once criminals obtain personal information through any number of means including online social networks, they’ve essentially got the goods to correctly answer security questions. This makes the “what you know” anti-fraud defense susceptible to criminal activity.

While financial institutions that have been using KBA to detect fraud won’t likely scrap the method altogether, deploying a complementary authentication tool that proactively detects Caller ID spoofing and other phone-based scams without relying on personally identifiable information (PII) to do so is important to fighting fraud in today’s fast-changing business environment.

The TRUSTID® Physical Caller Authentication solution provides a much-needed additional layer of authentication that helps banking institutions validate the physical location of the telephone (landline or mobile) “pre-answer” that is used to communicate with a bank’s call center. Knowing the actual location of the telephone to verify whether the caller on the other end of the line is who they say they are is a powerful way to identify legitimate banking customers and spot criminals attempting to impersonate customers over the phone to commit bank fraud.

Identifying high risk calls in today’s fast-changing fraud landscape

Posted on: August 8th, 2012 by art

The telephone remains one of the most widely used and intimate forms of communication we know. Not only do we use our home and mobile phones to interact with friends and colleagues, but banks still use the telephone as one of their main channels to serve customers. For this reason alone, telephone security should be a top priority for any financial institution that allows consumers to open accounts and request money transfers over the phone.

While deploying security solutions to stop telephone bank fraud is important, it’s equally important to understand the evolving fraud landscape. Fraud moves fast, and criminals are constantly coming up with new ways to deceive bank call center agents to get past their technical and verbal lines of defense, particularly more traditional knowledge-based authentication (KBA) solutions.

Understanding the criminal’s next move is something banks absolutely need to have a pulse on. This doesn’t mean reacting to criminals’ every move, or relying on KBA that has zero efficacy at stopping identity fraud over the telephone. Here’s why:

  • Answers to KBA challenge questions are collected and studied in advance of authentication from multiple sources.
  • Criminals receive feedback on whether an answer is correct or incorrect; once a correct answer is discovered, criminals can gain repeat access.
  • Once KBA is learned, account authentication is compromised until a different authentication solution stops it.
  • Criminals can repeat attempts with multiple banks until personally identifiable information (PII) is obtained.
  • Social engineering manipulates agents into disclosing PII.
  • Account takeover allows criminals to change KBA answers.

With PII readily accessible to criminals today, knowledge-based authentication is not the answer. There are just too many ways crooks can get their hands on vital pieces of information like Social Security numbers, date of birth, zip code, and bank card and account numbers.

An anti-fraud solution that validates customers and identifies the risk of transactions no matter what criminal tactic is around the corner can play a key role in a bank’s fraud defense. By validating the physical location of the Caller ID and ANI before the call is answered, the TRUSTID® Physical Caller Authentication solution delivers a credentialed identity factor, proactively identifies high risk calls, optimizes call routing and speeds up transactions.

Deploying a customer authentication tool like TRUSTID, which undetectably validates the incoming Caller ID and ANI in real time without the criminal knowing it, benefits banks on a number of levels, including:

  • Reduces other authentication costs and time spent interrogating customers.
  • Increases the effectiveness and life span of existing infrastructure and security processes.
  • Reduces the impact of telephone-based social engineering and the increasing cost of fraud.

If financial institutions are going to continue to use the telephone as a primary means of doing business and serving banking customers, they need solutions that provide multi-factor authentication that allows them to save on operating costs and better protect and serve their customers.

Security challenges facing offshore bank call centers

Posted on: August 1st, 2012 by art

Call centers are located everywhere today. Based on a company’s business strategy, they can choose to keep their call center on domestic soil or outsource their call center operations abroad to any organization that offers the most competitive labor rates. Whatever route they choose, however, sacrificing customer care and customer protection for cheap labor is a trade-off no business or banking institution can afford to make.

One of the major challenges of outsourcing a call center overseas is security. As I discussed the concerns around securing the less-protected bank call center last week, there are several issues that can arise when moving your call center offshore. EMC’s “Knowledge-based Authentication Use Case eBook” pointed out one of the chief concerns:

“The cultural and language barriers that exist in outsourced call centers can create unique vulnerabilities that increase the risk of fraud and identity theft.”

Unless call center agents operating outside of the U.S. can keep up with the advancements in telephone-based social engineering schemes and not let language barriers get in the way of recognizing when criminals are spoofing them, I guess organizations have nothing to worry about. But how many banks are willing to take that risk without deploying layered security?

A second risk of offshore call centers is providing adequate customer care.

Along with making sure foreign call center representatives are fully trained to understand when they are being socially engineered, they also need to make sure they don’t let noticeable accents or interrogating knowledge-based authentication (KBA) questions hamper their ability to effectively serve customers without jeopardizing the customer’s goodwill or the overall customer experience.

I’m not advocating one way or another whether banking institutions should or shouldn’t outsource their call centers overseas. What I’m saying is if they choose to, they need to make sure they have the security tools in place to mitigate the potential risks that inherently come with having foreign call center representatives serve customers.

With the success of the entire enterprise dependent on the customer experience and the ability to safely serve its customers’ needs, financial institutions need an authentication solution that can deliver both.

The TRUSTID® Physical Caller Authentication solution instantly authenticates a customer’s identity with physical validation of the phone location (landline or mobile) to empower financial institutions to identify calls coming into a call center before the phone is answered. This prevents social engineering security breaches no matter where the call center is located. By mitigating the threat of Caller ID and ANI spoofing and reducing the reliance on KBA methods, TRUSTID provides an extra layer of security to the telephone channel that helps banks cut operating expenses and improve the overall experience through decreased average handle times on each incoming call.

“Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TrustID will greatly assist with not only customer service, but also with board level compliance issues.”

– CISO, top 10 global bank

“As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.”

– CSO, global financial company

“Offshore agents are highly vulnerable to fraud schemes and social engineering. TrustID’s solution enables informed routing decisions, optimizing agent cost reduction programs.”

– CISO, top 10 global bank

“Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.”

– VP of Card Fraud, large international bank