Posts Tagged ‘multi-factor authentication’

Do your customer calls all look the same? They shouldn’t.

Posted on: January 30th, 2013 by art

Without the ability to verify the Caller ID or ANI, all customer calls can look the same to call center agents. This is a risky proposition for any financial institution that handles thousands of customer calls each day. In other words, if all calls appear the same there’s no way to answer some of the key questions every bank should be able to answer about its customer calls, such as:


  • Which calls are trustworthy?
  • Which calls require further review?
  • Which calls require a contact center agent?
  • How can I better serve my customers?
  • How can I lower my authentication costs?

To improve the overall security and efficiency of the telephone channel, banking institutions need to be able to confidently identify which customer calls are trustworthy and which ones pose a risk. To be frank, any bank operating without a two-factor authentication strategy to verify callers is putting its entire enterprise, private business information and customers at risk.

With criminals potentially present at every customer touchpoint, combining multiple authentication methods is not only a federal requirement for fighting fraud, it’s a must in today’s banking environment.

Over the past few years, financial institutions have put a lot of resources into securing the online channel. According to some studies, these efforts have worked as the number of successful fraud attempts against banks have dropped. But this hasn’t stopped criminals from migrating to other, less protected banking channels like the telephone. This is where TRUSTID can help.

Our TRUSTID® Physical Caller Authentication tool is a proven network-based authentication solution that helps financial institutions proactively validate the Caller ID and ANI to secure the telephone channel, and reduces costs by letting agents spend less time interrogating customers and more time providing quality service over the phone. Adding a complementary, real-time authentication tool like TRUSTID to a bank’s anti-fraud arsenal improves the overall customer experience and achieves true multi-factor authentication for one of the most heavily used and most targeted customer channels in the banking industry.

The advantages of quick, proactive customer authentication

Posted on: September 19th, 2012 by art

How quickly a bank can determine the risk of an incoming call affects various aspects of its business processes and, ultimately, the cost of serving customers.

For starters, consider the time it takes to validate the authenticity of a caller. The moment a contact center agent picks up the telephone, the clock is ticking. At that point, a bank needs to employ an authentication method to identify the caller.

For financial institutions leveraging knowledge-based authentication (KBA) solutions as the primary method for identifying customers over the telephone, this means subjecting each caller to a series of challenge questions. This is time consuming, increases agent work-time and is taxing to each customer’s time and goodwill. Each minute a bank representative interrogates a customer over the phone can significantly drive up authentication costs.

For example, an extra five or 10 seconds on the phone increases the average call handle (ACH) time for servicing customers. Multiply that by the tens or hundreds of thousands of calls that come into a bank’s call center each year, and the impact on the overall cost of identifying and servicing customers over the telephone channel becomes obvious.

Second, as a primary driver for customer authentication, KBA is not an effective risk mitigation method. By now, we all know that KBA’s efficacy for stopping identity fraud is nowhere near what it used to be for a myriad of reasons, including:

  • Answers to KBA can be studied in advance of authentication from multiple sources
  • Correct or incorrect feedback to a criminal’s answers can tip off thieves to correct answers
  • Once KBA is discovered, account authentication is compromised until a separate authentication solution stops it

While I’m not saying speed is the main component for identifying banking customers over the telephone channel, the ability to proactively authenticate customers in real-time can have significant security and financial advantages. Using proprietary and patented real-time telephone network forensics to validate the Caller ID and ANI’s authenticity before the call is answered, the TRUSTID® Physical Caller Authentication tool gives financial institutions the ability to undetectably authenticate customers before the call is picked up. Leveraging a real-time “something you have” physical authentication solution can help banks:

  • Shorten average call handle times
  • Reduce overall call center costs by 20%
  • Provide a more positive customer experience
  • Proactively identify and stop social engineering threats

Including TRUSTID as part of a multi-factor authentication security approach can improve a bank’s call routing efficiency and increase its telephone commerce, compared with “something you know” authentication solutions that work alone to identify customers.

Complying with FFIEC means understanding true multi-factor authentication

Posted on: September 12th, 2012 by art

As we inch closer to Q4 of 2012, by now every financial institution should be adhering to the supplemental FFIEC authentication guidelines released in June 2011. At this point, banks have had plenty of time to create internal initiatives to meet the updated best practice suggestions. Some reports even show that banks have invested in and implemented solutions that allow them to meet the updated security standards.

While the focus is certainly there, when it comes to audits financial institutions need to make sure they clearly understand the FFIEC’s definition of layered authentication. According to the FFIEC’s updated multi-factor authentication paradigm for identifying customers, a bank needs to use at least two of the following categories for customer authentication:

1. “Something you know” (password, PIN number, personally identifiable information [PII])

2. “Something you are” (fingerprint, DNA, retinal pattern)

3. “Something you have” (ID or ATM card, security token, telephone)

The challenge with fulfilling two of the three categories is the term “two-factor authentication” can be misinterpreted. This is one of the areas that I am continually educating banks about — the FFIEC’s true definition of multi-factor authentication.

For example, using a password or PIN number together with a knowledge-based authentication (KBA) solution can appear to meet two factors of authentication, right? According to the recommendations outlined in the FFIEC’s Supplement to the Authentication Guidance, both fall under the same category of “Something you know.”

For a myriad of reasons I’ve written about time and time again, I believe this is the most vulnerable category because passwords and PII are no longer predictive of identity. So while the FFIEC recognizes “Something you have” as an important component of identifying customers, banks also need to employ another method for authenticating customers that does not depend on knowledge-based information.

The ability to authenticate customers without disrupting the customer experience or falling victim to social engineering can be a powerful way for financial institutions to secure their network while also meeting FFIEC demands. The TRUSTID® Physical Caller Authentication tool is a highly complementary method for identifying customers over the telephone channel. By validating the physical location of the Caller ID and ANI, TRUSTID makes the telephone number a trusted “Something you have” credential for identifying customers while helping banks meet the true definition of multi-factor authentication.

Identifying high risk calls in today’s fast-changing fraud landscape

Posted on: August 8th, 2012 by art

The telephone remains one of the most widely used and intimate forms of communication we know. Not only do we use our home and mobile phones to interact with friends and colleagues, but banks still use the telephone as one of their main channels to serve customers. For this reason alone, telephone security should be a top priority for any financial institution that allows consumers to open accounts and request money transfers over the phone.

While deploying security solutions to stop telephone bank fraud is important, it’s equally important to understand the evolving fraud landscape. Fraud moves fast, and criminals are constantly coming up with new ways to deceive bank call center agents and get past their technical and verbal lines of defense, particularly more traditional knowledge-based authentication (KBA) solutions.

Understanding the criminal’s next move is something banks absolutely need to keep a pulse on. This doesn’t mean reacting to each of the criminals’ moves, or relying on KBA that has zero efficacy at stopping identity fraud over the telephone. Here’s why:


  • Answers to KBA challenge questions are collected and studied in advance of authentication from multiple sources.
  • Feedback to criminals on whether an answer is correct or incorrect — once a correct answer is discovered, criminals can gain repeat access.
  • Once KBA is learned, account authentication is compromised until a different authentication solution stops it.
  • Criminals can repeat attempts with multiple banks until personally identifiable information (PII) is obtained.
  • Social engineering manipulates agents into disclosing PII.
  • Account takeover allows criminals to change KBA answers.

With PII readily accessible to criminals today, knowledge-based authentication is not the answer. There are just too many ways crooks can get their hands on vital pieces of information like Social Security numbers, date of birth, zip code, and bank card and account numbers.

An anti-fraud solution that validates customers and identifies the risk of transactions no matter what criminal tactic is around the corner can play a key role in a bank’s fraud defense. By validating the physical location of the Caller ID and ANI before the call is answered, the TRUSTID® Physical Caller Authentication solution delivers a credentialed identity factor, proactively identifies high risk calls, optimizes call routing and speeds up transactions.

Deploying a customer authentication tool like TRUSTID, which undetectably validates the incoming Caller ID and ANI in real time without the criminal knowing it, benefits banks on a number of levels, including:


  • Reduces other authentication costs and time spent interrogating customers.
  • Increases the effectiveness and life span of existing infrastructure and security processes.
  • Reduces the impact of telephone-based social engineering and the increasing cost of fraud.

If financial institutions are going to continue to use the telephone as a primary means of doing business and serving banking customers, they need multi-factor authentication solutions that allow them to save on operating costs and better protect and serve their customers.

Why costly fraudulent bank transfers are driving FFIEC conformance

Posted on: July 4th, 2012 by art

There are a number of reasons why today’s financial institutions need to enhance their authentication capabilities and comply with the FFIEC Authentication Guidance. One of the first that comes to mind is small businesses. With many banks’ customer base made up of small businesses — yes, the same small businesses that are increasingly being targeted by criminals — having a multi-factor authentication defense in place plays a critical role in protecting both their customers and confidential business information.

The United Bank & Trust has ten thousand reasons why it has invested in more layered security controls to meet the new authentication requirements. According to the recent article, “Bank’s Road to Stronger Authentication,” a single incident could have cost United Bank & Trust upwards of $10,000 in monetary loss, not to mention irreversible damage to its brand, had it not stopped a fraudulent transaction from getting through, said Marsha Whitehouse, VP of treasury management for the Ann Arbor-based bank.

“It just takes one transaction. That incident that we caught could have cost us over $10,000. And it’s not just the monetary loss; it’s the reputational risk you have to deal with.”

To comply with the FFIEC’s security recommendations, the bank employs a two-factor authentication process that combines a knowledge-based “something you know” authentication tool with a “something you have” telephone solution. While multi-factor defenses like these can protect customer channels from harmful activity such as fraudulent wire transfers and account takeovers, relying on automated customer callbacks to confirm clients over the telephone can leave banks susceptible to social engineering scams that take over phone lines and transfer bank calls to a different number within the criminal’s control.

With financial institutions using outbound return calling to authenticate large financial transactions and ACH transfers, line takeover can pose a threat to a bank’s use of customer callbacks. To eliminate the risk of line takeovers, deploying a proactive telephone authentication solution like the TrustID® network-based Physical Caller Authentication tool can reduce the need for customer callbacks because it automatically verifies customers before the call is answered.

By using the Caller ID and ANI as a trusted source to authenticate bank customers over the phone, TrustID allows banking institutions to non-intrusively validate customers and invisibly recognize and stop criminals from perpetrating criminal activity over the telephone channel. As a result, banks have a complementary “something you have” authentication tool that helps them comply with FFIEC regulations while reducing fraud losses and providing a better overall customer experience.

How effective are challenge questions in identifying banking customers?

Posted on: April 25th, 2012 by art

Over the past year, I’ve written extensively on the issues with using simple challenge questions or more elaborate “out of wallet” or knowledge-based authentication (KBA) questions to identify banking customers.

In the recent interview with Tracey Kitten of BankInfoSecurity, “FFIEC: How Well Do Banks Conform?” Gartner analyst and fraud expert, Avivah Litan, expounds on some of these same industry challenges as they relate to the new FFIEC Guidance. She mentions that many banks are:

“Moving from simple challenge questions to follow the explicit guidance in the FFIEC update about using the more elaborate KBA or out of wallet type questions provided from public data aggregators.” 

Avivah added that out of wallet questions can be expensive, and that it “remains to be seen how effective they work.”

Having had oversight of such processes during my career, I truly can appreciate the dilemma that banks and other institutions face. They are under extreme regulatory pressure to ensure they are adequately protecting their customers from identity theft, and as a result, they are authenticating every customer they interact with. But there needs to be a balance between managing fraud exposure, negative customer experience, and operational costs.

As I talk to many senior fraud and operations executives, the real struggle is not just what type of authentication products to utilize, it’s knowing when to deploy them and which customers to use them against. Calls that come into banks today are not credentialed calls. They cannot be trusted, period. As such, the challenge is answering these critical questions:


  • Which calls should be trusted?
  • Which calls should require challenge questions?
  • At what stage of the interaction should authentication tools be used?
  • What are the costs and customer impact to using these tools?

Answering these important questions of what tool to use, and when to use it, is critical to a bank’s overall operation. It’s what will determine the operational costs, customer experience and fraud protection. Deploying technology without fully understanding the impact and effectiveness of new tools has driven up customer dissatisfaction and is, in part, what has driven the FFIEC Guidance specifically related to authentication.

While there is certainly a place for KBA and voice biometrics, this is where the TrustID® network-based Physical Caller Authentication tool takes a unique approach to authenticating customers dialing into a bank’s call center. Rather than basing the level of customer authentication on what the caller is requesting, such as adding an authorized user, TrustID allows banks to route the incoming call based on the authenticity of the call itself. By making the Caller ID and ANI a trusted resource for identifying customers over the telephone, TrustID provides strong certainty that the incoming call is truly the customer. Doing so also eliminates the conversation criminals rely on to socially engineer bank representatives.

By automatically validating the physical location of the caller before the phone is answered, financial institutions can proactively identify fraudulent calls and address good customer inquiries faster, all without putting them through the burdensome and costly telephone interrogations that KBA solutions require. In turn, if the TrustID solution deems the incoming call spoofed or altered, or determines that the source of the call is not trustworthy, then regardless of the customer request the bank may want to send the call to a representative for a second level of questioning.

Now that the bank has a much smaller population of customers against which it needs to deploy expensive KBA, it can reduce costs, dramatically improve the customer experience through reduced interrogation for the majority of good customers, and fulfill the FFIEC’s multi-factor authentication best practices for identifying customers.

Today it is paramount for banks to develop a mutual ongoing trust with their customers. By allowing financial institutions to invisibly identify and stop telephone fraud before it happens, TrustID improves the level of customer service that’s critical to protecting customers, reducing fraud rates, and maintaining the sacred trust between banks and their valued customers.

Fraud survey shows banks concerned about FFIEC compliance, best security investments

Posted on: April 17th, 2012 by art

The new FFIEC security guidelines may be raising fraud awareness and motivating banks to invest in anti-fraud technologies, but results from the 2012 Faces of Fraud survey highlight ongoing confusion around compliance and concerns around the right investments and resources to reduce fraud risks.

In the article, “Fraud Survey: Banks Get Bigger Budgets,” 58% of the banks and credit unions surveyed said they will see increased investments in fraud resources of 10-20% in 2012. However, only 11% said they have conformed to the updated guidance, with half saying they do not currently conform and 29% unsure of their current state of conformance with the FFIEC recommendations.

Other key survey findings included:

  • 61% of respondents plan to enhance fraud detection and monitoring systems within the next 12 months. Improving staff training (49%) and enhancing customer and member education efforts (43%) rounded out the top three planned investments.
  • 84% of financial institutions said credit and debit fraud was their top threat, with only 41% saying their organization was not prepared to prevent and detect fraud.
  • Half of the respondents ranked Phishing and Vishing (Socially Engineered Schemes) as the third highest threat, with only 28% believing they could detect and prevent such attacks.

While the updated FFIEC guidance has played a central role in driving financial institutions to consider security investments, Gartner analyst Avivah Litan said the survey results show just how much banks are struggling to figure out the best investments and security technologies that will allow them to comply with authentication guidelines and enhance their ability to detect cross-channel fraud.

“The survey results reflect the confusion among most banks as to what’s expected of them when it comes to practical technical solutions. Many banks are wondering if they need to switch their modus operandi for challenge questions, to follow the explicit guidance in the FFIEC update about using the more elaborate and expensive challenge questions from public data aggregators.”

The problem with the challenge questions used in more traditional knowledge-based authentication (KBA) solutions is that today’s more tech-savvy criminals, prepared with the right personally identifiable information (PII), can defeat such methods. This is why the FFIEC’s updated recommendations include a multi-factor authentication strategy for detecting fraud threats over all banking channels, including the telephone channel.

Despite many banks using both passwords and KBA techniques to identify customers, these two methods only satisfy one authentication criterion (“Something you know” [e.g., password, PIN number, PII]), as defined by the new FFIEC authentication guidelines. A security solution such as the TrustID® network-based Physical Caller Authentication tool, which doesn’t rely on non-predictive PII to identify banking customers over the telephone, fulfills a separate authentication criterion (“Something you have” [e.g., ID or ATM card, security token, telephone]).

Using both methods to identify customers helps financial institutions conform to updated authentication recommendations and provides a necessary multi-layered defense against more dangerous forms of fraud that many fraud experts recommend for protecting all banking channels.

A single layer of authentication is an “open door” for bank fraud

Posted on: April 10th, 2012 by art

In today’s fraud landscape, a single layer of authentication can be an open door invitation to fraud. These may sound like harsh words, but the fact of the matter is, they’re true. Any financial institution that relies on one security technology is going to run into trouble. If not today, then some time down the road. It’s really just a matter of time.

The recent Investors.com article, “Zappos Breach Shows Hacker Hits Just Keep Coming,” hits the nail on the head in regard to layered security. Despite technology improvements, even the most secured companies with layered security can be penetrated to a certain degree, said Amir Orad, CEO of the financial services security firm, Nice Actimize.

“It shows the value of layered security. One has to assume that some of the layers will be breached — if not today, then tomorrow.”

Having a multi-layered defense that includes two-factor identification technology can make a big difference in how far a perpetrator gets and how much confidential customer or company data they get away with. This is why the new Federal Financial Institutions Examination Council (FFIEC) security guidelines call for banks to use layered authentication to minimize the risk of fraud. More specifically, having at least two of the following three categories is essential to meeting this authentication criterion:

     1. “Something you know” (e.g., password, PIN number, personally identifiable information [PII])

     2. “Something you are” (e.g., fingerprint, retinal pattern, DNA)

     3. “Something you have” (e.g., ID or ATM card, security token, telephone)

Most banks use both passwords and knowledge-based authentication (KBA) techniques (security questions) to identify customers. The problem is that both of these methods fall within the same (“Something you know”) category. This not only leaves financial institutions susceptible to criminals who know all the information, it also leaves them out of compliance with the FFIEC’s new multi-factor authentication recommendations.

When it comes to one of the most widely used banking channels today — the telephone — the TrustID® network-based Physical Caller Authentication tool takes a unique approach to authenticating customers dialing into a bank’s call center. Instead of relying on what the caller knows, TrustID makes the telephone number a valid “Something you have” credential by automatically validating the claim of Caller ID and ANI before the call is answered. This, combined with authentication methods that use KBA, PII or PIN numbers to identify customers, gives banks a critical layer of defense needed for protecting customer and company data, and at the same time, helps them meet the FFIEC’s guidelines for true multi-factor authentication.
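The two ideas in this post, counting distinct FFIEC categories rather than counting credentials, and routing a call on the authenticity of the line before an agent answers, can be written down as a small policy. The following is an added illustration, not TRUSTID code and not a description of how the TRUSTID product actually makes its decision: the credential names, the three-way CallerVerdict, the routing labels and the sample account data are all assumptions constructed for the example. It generalizes slightly beyond the post by also covering a verified number that is not enrolled on the account and a call the network could not classify either way.

```python
# Added example (not TRUSTID code): models the FFIEC "two of three
# categories" rule and the route-by-call-authenticity idea from the posts.
# Credential names, the CallerVerdict values, the routing labels and the
# sample phone numbers are hypothetical assumptions for this illustration.
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Credential types named on the page, mapped to their FFIEC category.
# "verified_phone" means the Caller ID/ANI was validated at the network
# level; a merely *claimed* number is not a credential at all.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "kba": Factor.KNOW,          # challenge / "out of wallet" questions
    "pii": Factor.KNOW,
    "atm_card": Factor.HAVE,
    "security_token": Factor.HAVE,
    "verified_phone": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "voice_biometric": Factor.ARE,
}


def distinct_factors(credentials):
    """Set of FFIEC categories covered by the given credential names."""
    return {CREDENTIAL_FACTOR[c] for c in credentials}


def is_true_multifactor(credentials):
    """True only when at least two *distinct* categories are present:
    password + KBA is still one factor; PIN + verified phone is two."""
    return len(distinct_factors(credentials)) >= 2


class CallerVerdict(Enum):
    """Hypothetical network-level verdict on the incoming call."""
    VERIFIED = "verified"   # claimed number matches the physical line
    SPOOFED = "spoofed"     # claimed number does not match the line
    UNKNOWN = "unknown"     # no network evidence either way


@dataclass
class Call:
    claimed_ani: str          # number presented by the network
    verdict: CallerVerdict
    enrolled_anis: frozenset  # numbers on file for the account


def route_call(call, presented):
    """Decide the route for a call before an agent picks up.

    `presented` lists the "something you know" credentials the caller
    will supply in the IVR (e.g. ["pin"]). The phone counts as a
    "something you have" factor only if the network verified it AND the
    number is enrolled on the account; a spoofed call is always escalated
    regardless of what the caller knows.
    """
    factors = list(presented)
    if call.verdict is CallerVerdict.VERIFIED and call.claimed_ani in call.enrolled_anis:
        factors.append("verified_phone")
    mfa = is_true_multifactor(factors)

    if call.verdict is CallerVerdict.SPOOFED:
        route, challenge, reason = "agent_review", True, "spoofed caller id"
    elif mfa:
        route, challenge, reason = "self_service", False, "two factors, trusted line"
    else:
        route, challenge, reason = "agent", True, "single factor or unverified line"
    return {"route": route, "challenge": challenge, "mfa": mfa, "reason": reason,
            "factors": sorted(f.value for f in distinct_factors(factors))}


if __name__ == "__main__":
    enrolled = frozenset({"+15550100001"})  # constructed sample account data
    calls = [
        Call("+15550100001", CallerVerdict.VERIFIED, enrolled),  # trusted line
        Call("+15550100001", CallerVerdict.SPOOFED, enrolled),   # right number, wrong line
        Call("+15550100099", CallerVerdict.VERIFIED, enrolled),  # real line, not enrolled
        Call("+15550100001", CallerVerdict.UNKNOWN, enrolled),   # no evidence
    ]
    for c in calls:
        print(c.claimed_ani, c.verdict.value, route_call(c, ["pin"]))
```

The design point is in the two guards: the phone is only promoted to a "something you have" factor when the network verdict is VERIFIED and the number is actually enrolled, and a SPOOFED verdict escalates to agent review even if the caller would otherwise pass every knowledge check. That is what keeps a correctly guessed PIN plus correctly guessed KBA answers from ever reaching two factors on their own.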


Financial fraud experts recommending a layered security approach

Posted on: April 3rd, 2012 by art

Ever since criminals discovered how to use stolen personal information to apply for credit or socially engineer their way into another person’s bank account, security experts have warned against relying on knowledge-based authentication (KBA) to identify customers.

In the blog, “New credit card data breach revealed,” Gartner fraud analyst, Avivah Litan, said in light of the recently disclosed VISA and MasterCard data breach, businesses need to expand their security defenses beyond traditional KBA methods that are constantly being bypassed by determined crooks.

“A layered approach is always best, since you have to assume the bad guys will get through one or two or even three layers.”

Litan recommends against using knowledge-based authentication and other types of personally identifiable information (PII) methods on administrative accounts, and I couldn’t agree more.

Taking a layered approach to prevent fraud is essential to fighting today’s savvy criminals, who actually take advantage of the reliance and trust that companies put into KBA and PII solutions to defend their customers’ data and confidential company information. The problem is, once a thief has successfully beaten KBA, they’re in without further questions. This is why a multi-layered security defense is so important.

It’s cases like the VISA and MasterCard data breach and the Paul Allen debit card breach, where the Microsoft founder’s bank account details were stolen via a call center dupe, that have security experts like Litan pushing for a layered security approach that spans across all customer channels.

An authentication solution that doesn’t rely on the customer’s personal information can be a valuable tool for identifying customers over the telephone channel. With the TrustID® network-based Physical Caller Authentication solution, financial institutions can automatically validate customers calling into their contact center before the phone is answered. By re-establishing the Caller ID and ANI as a trusted resource for identifying customers over the phone, TrustID eliminates the conversation criminals depend on to socially engineer bank telephone agents, and provides an additional layer of authentication that banks need in today’s dangerous fraud landscape.

Despite heavy security investments, identity theft and fraud continue to proliferate

Posted on: March 27th, 2012 by art

The Federal Trade Commission recently published its annual 2011 report on consumer complaints. The report, “Consumer Sentinel Network Data Book,” lays out in extensive detail the types and frequencies of reported complaints to the FTC from consumers. Here are a few pertinent points from the report:


  • The CSN received over 1.8 million complaints during calendar year 2011
  • Identity theft was the number one complaint category in the CSN for calendar year 2011
  • A total of 990,242 complaints in 2011 were fraud-related
  • For military consumers, identity theft was the number one complaint category
  • Government documents/benefits fraud (27%) was the most common form of reported identity theft, followed by credit card fraud (14%), phone or utilities fraud (13%), and bank fraud (9%). Other significant categories of identity theft reported by victims were employment fraud (8%) and loan fraud (3%).

Personally, I think it is very telling that the top two complaints are identity theft and fraud. These two categories are inherently related, connected at the hip, if you will, because criminals essentially steal identities to commit fraud.

The second important takeaway for me was that despite all of the heavy investment banks and other institutions are making to safeguard customer information, particularly in the online channels, identity theft and fraud continue to proliferate. This is quite alarming.

Over the past several months, I’ve written a number of blogs that talk about the need to bake cyber security and risk management into all customer channels, including ATMs, Internet and the telephone.

One of the reasons telephone fraud and social engineering have picked up in recent years is the fact that criminals now have the ability to access or change an address or account data that is necessary to perpetrate larger and more profitable online crimes. Once a criminal controls a customer’s information – primarily through the telephone channel – criminals use the newly acquired personally identifiable information (PII) to commit crimes through the online channel.

Financial institutions that ignore the telephone channel as a primary source of fraud, and don’t address the same security and authentication requirements there as in the online channel, will continue to put themselves at risk, as the CSN report painfully articulates.

The fact is, if you want to automate business processes, enhance customer communications, and take advantage of new technologies, you have to “bake” cyber security and risk management across all customer channels.

Deploying an effective, non-intrusive identity authentication tool like the TrustID® network-based Physical Caller Authentication tool enables financial institutions to convert ANI and Caller ID into a powerful physical security and customer authentication tool that can close the security gap too many bank call centers still operate with today.

An identity authentication solution that helps banking institutions protect the telephone channel by making the phone number a valid “Something you have” authentication credential, is an essential piece of the FFIEC’s multi-factor authentication paradigm for identifying customers. By automatically validating the physical location of the caller before the phone is answered, financial institutions proactively identify fraudulent calls and address good customer inquiries faster, all without putting them through burdensome telephone interrogations that are required by other knowledge-based authentication (KBA) solutions.

    Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TRUSTID will greatly assist with not only customer service, but also with board level compliance issues.

    – CISO, top 10 global bank

    As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.

    – CSO, global financial company

    Offshore agents are highly vulnerable to fraud schemes and social engineering. TRUSTID’s solution enables informed routing decisions, optimizing agent cost reduction programs.

    – CISO, top 10 global bank

    Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.

    – VP of Card Fraud, large international bank