Posts Tagged ‘PII’

Authenticating caller party numbers shouldn’t be a masquerade ball

Posted on: May 15th, 2013 by art 2 Comments

The challenge of spotting criminals over the telephone channel often plays out like a game of cat and mouse. Crooks use false information to mask their true identities. After spoofing their caller ID to make it look like someone else is calling, they try to convince call center agents they are genuine banking customers.

Armed with enough personally identifiable information (PII) to apply for credit, activate bank cards, transfer funds and defeat PII-based authentication solutions, many criminals continue to successfully socially engineer bank representatives by correctly answering the security questions required by more traditional knowledge-based authentication (KBA) tools.

From an authentication standpoint, the call center environment has somewhat turned into a masquerade ball of disguises, where it’s anybody’s guess as to who is who. The financial services industry can no longer operate in a guessing-game environment. Fielding more than 50 billion calls a year, call centers need to have the appropriate tools in place to quickly and accurately authenticate all inbound calls.

As criminals do everything they can to slip past PII-based authentication solutions, it’s more important than ever for financial institutions to deploy effective security measures to identify customers in real time.

Using a patent-pending telephone firewall that includes telephony databases, real-time network forensics and specialized analytics, the TRUSTID® Physical Caller Authentication tool authenticates the calling party number before the call center agent picks up. This allows banking institutions to prevent spoofed calls from being routed to bank representatives, and in doing so, call center agents don’t waste their time interrogating known high-risk calls. Instead, they spend more time servicing good customers and improving the overall customer experience.

With the volume of customer calls increasing every year, operational efficiency is becoming a key component in the authentication process. By invisibly identifying risky calls and not interrupting the customer service process with unnecessary telephone interrogations, TRUSTID helps banks unmask criminals before they’re allowed into the party.


Are you relying on outdated authentication tools?

Posted on: April 3rd, 2013 by art No Comments

Those of us in the telephone authentication industry can see the shortcomings of the different types of customer identification methods. While this has been evident for some time now, what continues to be an uphill battle is educating financial institutions about the risks of using outdated and ineffective authentication tools to identify customers over the telephone channel.

At last month’s BAI Payments Connect Conference, business leaders from around the globe met to discuss how various forms of fraud impact banks – from account-opening fraud to social engineering and call center fraud. No matter what channel criminals choose, the conclusion among fraud experts is that bank fraud is on the rise.

Ori Bach, a call center monitoring expert with NICE Systems, echoed what we’ve been saying all along — knowledge-based authentication (KBA) and Caller ID are broken, call center fraud is up, and untrained personnel are falling for preventable tricks. Collectively, all of these pieces are contributing to increasing fraud losses.

I don’t mean to beat a dead horse, but I can’t stress enough how important it is to continue informing financial institutions about the risks they face using beatable authentication methods, particularly those that depend on personally identifiable information (PII).

At TRUSTID, we agree with all of Bach’s conclusions, including:


  • KBA is not predictive: With personal information available via social websites such as Facebook, the value of PII-based authentication methods is diminishing. As a result, KBA can no longer be the single solution for identifying customers over the phone.
  • Caller ID is broken: With the wide availability of spoofing tools, calling party number spoofing has become a low-cost and powerful penetration tool used to impersonate identity and actual location over the telephone channel.
  • Untrained call center agents are easily fooled: If bank representatives aren’t up to speed with the latest fraud techniques, they will continue to fall for Caller ID spoofing and social engineering scams.

As stewards of customer authentication for the banking industry, part of our job is to continue educating financial institutions about the many risks of fraud, and the real dangers of using outdated authentication tools. Each week, I have eye-opening conversations with fraud managers who still rely on old-school methods to identify customers. Over time, this puts both their bank and their customers at greater and greater risk.

The unfortunate part is that many of these fraud risks are preventable. By implementing a multi-factor authentication strategy that doesn’t rely on PII to identify customers, banks can reduce their exposure to many of today’s fraud techniques, which result in millions of dollars in fraud losses each year.

All banking channels need to be prepared for customer impersonators

Posted on: March 19th, 2013 by art 1 Comment

I’ve often spoken about the many dangers of depending on personally identifiable information (PII) for customer authentication. As we recently learned from the high-profile celebrity credit report hacking, relying on accessible personal information such as date of birth, mother’s maiden name and Social Security number can put a company’s customers and corporate data at serious risk.

In the article, “FBI Investigating Hackers Who Posted ‘Secret Files’ Of Celebrities, Politicians,” the consumer credit reporting agency, Equifax, released a statement last week confirming that the sensitive financial data that hackers posted on celebrities and political figures was the result of a security breach to the credit reporting agency’s annualcreditreport.com channel, not a break-in to their computer system.

Using PII that could have been accessed through any number of online social networks or public information websites, the perpetrators had enough personal identifying details to correctly answer the challenge questions required to access their intended victims’ private financial files, said Equifax spokesperson Timothy Klein.

“Our initial investigation shows the perpetrators had the PII of the individuals whose files were accessed and were therefore able to pass the required authentication measures in place. We have launched a full investigation into this matter and we are also working closely with law enforcement authorities on this matter.”

In recent years, cybercriminals impersonating genuine customers or conducting similar social engineering schemes across other sales channels have been responsible for the illegal exposure of tens of thousands of credit reports. These compromises can all lead to identity fraud, account hijacking and other identity-related crimes.

Because customer-impersonating scams are conducted remotely, they can easily be performed over the telephone channel as well. Social engineering against call center agents is a threat that all financial institutions should not only be concerned with, but adequately prepared for. If there is a lesson from incidents like last week’s, it’s that relying on knowledge-based authentication (KBA) is not an effective defense against such criminal tactics.

Bank contact centers, which handle billions of calls each year, need an authentication method that goes beyond telephone interrogations such as defeatable security questions. What they need is a security tool that allows them to proactively identify callers before the phone is picked up.

A security tool like the TRUSTID® Physical Caller Authentication solution identifies high-risk calls before the phone conversation begins. Through TRUSTID’s real-time telephone network forensics, banks are able to invisibly identify the physical location of the landline or mobile phone while it is still ringing.

This automated process uses the Caller ID and ANI as trusted sources for validating customers over the telephone. By restoring the usability of calling party numbers to authenticate customers over the phone channel, financial institutions can identify high-risk calls faster, as well as instantly confirm legitimate calls so bank representatives can begin serving customers at the start of each call, without relying on non-predictive and risky PII methods.

Using automated caller authentication to transform the customer experience

Posted on: March 13th, 2013 by art 67 Comments

There’s always been this notion that once a process or system is automated, the people who once performed that task will soon be out of a job. While some tools have certainly earned that reputation, when it comes to automating customer authentication over the telephone, it’s not about replacing people. Rather, it’s about proactively detecting spoofing risks, reducing call center expenses, and transforming authentication into a positive customer experience.

When caller authentication is not automated, contact center agents must perform a number of steps to verify that the caller is who they say they are. As we know, security questions are a drawn-out identity-interrogation process that requires banking customers to answer a series of personal questions, and one that can be beaten by clever social engineers.

Ultimately, this process drives up average call handling (ACH) times, increases operating costs, and can damage the important bank-customer relationship. And because personally identifiable information (PII) is not predictive of identity, knowledge-based authentication (KBA) methods, when used alone, can actually create a false sense of trust that puts company data and customers at risk.

A security tool like the TRUSTID® Physical Caller Authentication solution, however, automatically authenticates the caller using a combination of three core components, including:


  • Telephony databases (e.g., local number portability, numbering plans, carrier / line attributes, billing data, routing tables, HLR data, LERG tables, geospatial data, carrier and switch data)
  • Real-time telephone network forensics (e.g., call progress, call messages, network tones, SS7 and SIP signaling, DSP audio energy and voice analysis tools)
  • Specialized analytics (real-time delivery of proprietary credential scores that enable enterprise risk decisioning, customer-specific reason codes, caller data and reports for custom risk model and scoring)
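The three components above come together in a pre-answer risk decision: database attributes and network evidence are scored, reason codes explain the score, and the result drives where the call is routed before an agent picks up. The following is an added, hypothetical illustration of that decisioning pattern; it is not TRUSTID’s API or code, and the telephony-database records, region labels, weights, thresholds and queue names are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for a telephony-database lookup (line type, carrier,
# serving region). Hypothetical values, not real carrier records.
LINE_ATTRIBUTES: Dict[str, Dict[str, str]] = {
    "+15035550100": {"line_type": "landline", "carrier": "CarrierA", "region": "OR"},
    "+15035550111": {"line_type": "mobile",   "carrier": "CarrierB", "region": "OR"},
    "+12125550123": {"line_type": "voip",     "carrier": "CarrierC", "region": "NY"},
}


@dataclass
class CallSignals:
    """Evidence gathered while the call is still ringing (all fields constructed)."""
    caller_id: str                          # calling party number presented to the bank
    ani: str                                # automatic number identification from the carrier
    signaling_region: str                   # region inferred from network-side forensics
    enrolled_number: Optional[str] = None   # phone number on the customer's account record


@dataclass
class RiskDecision:
    score: int
    reason_codes: List[str] = field(default_factory=list)
    disposition: str = "review"             # "trusted" | "review" | "high_risk"


def assess_call(sig: CallSignals) -> RiskDecision:
    """Combine database attributes and network evidence into a score plus reason codes."""
    score = 0
    reasons: List[str] = []

    # Network forensics: the presented number and the carrier-delivered ANI should agree.
    if sig.caller_id != sig.ani:
        score += 40
        reasons.append("CPN_ANI_MISMATCH")

    attrs = LINE_ATTRIBUTES.get(sig.caller_id)
    if attrs is None:
        score += 30
        reasons.append("UNKNOWN_NUMBER")
    else:
        # Telephony database: where the line is served vs. where the call arrived from.
        if attrs["region"] != sig.signaling_region:
            score += 40
            reasons.append("LOCATION_MISMATCH")
        if attrs["line_type"] == "voip":
            score += 20
            reasons.append("VOIP_LINE")

    # Possession factor: the phone on file is calling and nothing contradicts it.
    if sig.enrolled_number == sig.caller_id and not reasons:
        score -= 20
        reasons.append("MATCHES_CUSTOMER_RECORD")

    score = max(0, score)
    if score >= 50:
        disposition = "high_risk"
    elif "MATCHES_CUSTOMER_RECORD" in reasons:
        disposition = "trusted"
    else:
        disposition = "review"          # clean but unenrolled: KBA still applies
    return RiskDecision(score, reasons, disposition)


# Hypothetical routing table: the decision is made before any agent answers.
ROUTING = {
    "trusted": "agent_queue",       # skip security questions, serve immediately
    "review": "kba_queue",          # standard knowledge-based checks still apply
    "high_risk": "fraud_queue",     # never reaches a front-line representative
}


def route_call(sig: CallSignals) -> str:
    """Return the queue the ringing call is sent to."""
    return ROUTING[assess_call(sig).disposition]


if __name__ == "__main__":
    genuine = CallSignals("+15035550100", "+15035550100", "OR", "+15035550100")
    spoofed = CallSignals("+15035550100", "+12125550123", "NY", "+15035550100")
    for call in (genuine, spoofed):
        d = assess_call(call)
        print(call.caller_id, d.score, d.reason_codes, d.disposition, "->", route_call(call))
```

The point of the structure is that the agent never sees raw telephony data; they see a disposition and reason codes, and a high-risk call is diverted before a conversation (and any social engineering) can begin. A clean call that is not on the customer’s record is deliberately left in the review path rather than trusted, so the possession factor only removes interrogation when the number on file is the one actually calling.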

Automatically validating the caller before the phone is answered doesn’t eliminate jobs; it provides stronger customer authentication while streamlining customer service.

What I mean by this is that instead of using up valuable time and resources questioning customers over the telephone, call center agents are free to immediately begin serving and selling to good customers in the initial “golden minute” of the telephone call.

By undetectably authenticating customers through their calling party numbers, TRUSTID helps financial institutions lower customer authentication expenses, reduce the cost of fraud resulting from telephone-based social engineering, and get call center agents selling and serving customers rather than identity-interrogating them, which in the end can transform the overall customer experience.

Stronger customer authentication only way to mitigate risk of bank fraud

Posted on: December 19th, 2012 by art

Sitting at the core of every financial transaction is trust. Operating without it, or worse, relying on unvalidated resources like personally identifiable information (PII) to identify customers, puts every banking transaction at risk.

The recent article, “$850 Million Scheme Exploited Facebook: Authentication, Secure Browsing Would Have Reduced Losses,” illustrates just how important customer authentication is. Even after the FBI arrested 10 individuals residing around the world in connection with a banking Trojan that stole credit card and bank account details from Facebook users who were duped into opening phishing emails they thought were from their trusted online friends, security experts don’t believe it will stop attacks on the popular social networking website.

Much like any other banking channel, financial institutions need to strengthen their customer authentication if they expect to stop fraud in the financial services industry, said Neil Schwartzman of secure messaging infrastructure provider Message Bus.

“Real two-factor authentication would have made a difference here, on the bank side and prevented some of the financial losses that resulted after PCs were infected. Within the next two to five years, we will see stronger authentication everywhere, because the banks are going to get sick of the losses.”

Many banking institutions today still take phone calls without adequately validating the incoming call. As a result, they are putting themselves, their customers and their accounts at risk of fraud. In short, operating without at least two factors of authentication is a losing proposition in today’s volatile remote banking environment.

Whether a bank is communicating with customers in person, online or over the telephone, two-factor authentication is absolutely paramount for preventing fraudulent transactions and the monetary losses relating to illegal bank transfers, identity theft and credit card fraud.

To mitigate fraud over the telephone channel, the TrustID® network-based Physical Caller Authentication uniquely validates inbound contact center calls before they are answered. By validating the actual location of the telephone, financial institutions that were once susceptible to Caller ID spoofing and social engineering schemes can once again use the Caller ID and ANI as trusted sources for authenticating customers over the phone. This allows banks to proactively identify which calls can be trusted and which calls are high-risk, while adding an extra layer of authentication to better protect their customers’ bank accounts and confidential business information from telephone fraud, whether the criminal is attempting to commit fraud domestically or internationally.

Why customer authentication needs to go straight to the source

Posted on: September 5th, 2012 by art

As financial institutions diligently perform ongoing risk assessments, there has been a lot of push for banks to implement out-of-band authentication solutions to protect their corporate assets and private information.

While I agree it’s important for banking institutions to invest in a layered security strategy to fight everything from card fraud to corporate account takeover, it is my opinion that placing too much emphasis on a verification method that is expensive and frustrating to customers is misleading financial institutions into investing in a solution that, over time, can ultimately be defeated by criminals.

The BankInfoSecurity article, “Banks’ Top Anti-Fraud Investments,” makes some valid points about the types of anti-fraud strategies that banks and credit unions need to deploy to better identify fraud and other malicious activities. However, instead of spotlighting out-of-band authentication, banks would be better off focusing on their core security requirements first rather than investing millions of dollars in out-of-band authentication, or so says Gartner fraud and security analyst Avivah Litan.

What financial institutions should really be considering are solutions that validate and identify the criminal’s actual device, such as the telephone, that is used to commit bank fraud over the phone channel. As contact center agents field billions of calls each year, banking institutions need to secure the call center, which remains prone to fraud and other advanced social engineering scams.

By focusing on the “something you have” component, fraud managers are going right after the weapon being used to commit the crime without having to employ out-of-wallet security questions or conduct long telephone interrogations that are vulnerable to clever scams that can fool these and other knowledge-based authentication (KBA) techniques.

The thing that distinguishes the TRUSTID® Physical Caller Authentication tool from other anti-fraud solutions is it goes straight to the source of the crime — the telephone’s physical location — to invisibly validate the Caller ID and ANI before the call is even answered. Having this level of real-time intelligence to determine if a caller is genuine or a risk can play a key role in a bank’s ability to identify and reduce fraud rates.

Why we need to secure the less-protected bank call center

Posted on: July 25th, 2012 by art

Each customer service channel, no matter if you’re serving your customers in person, online or over the telephone, is a bank’s voice to the world. That said, I think it’s safe to say the reputation of today’s financial institutions pretty much rests on how effectively your customer-facing agents serve customers across the various sales channels.

It goes without saying that the anti-fraud security you have in place must adequately detect fraud without impacting the overall customer experience or the profitable bank-customer relationship.

While banks are more or less fully invested in protecting their online channels, EMC’s new “Knowledge-based Authentication Use Case eBook” raises some valid concerns around what little has been done to secure the less-protected call center.

With more available and affordable caller ID spoofing services threatening the effectiveness of ANI technology, combined with the availability of personal information through social networking sites, financial institutions need to consider what security tools they want to deploy to combat telephone bank fraud.

While I agree with the white paper’s points about the need to protect call centers from the increasing risk of fraud and identity theft, given the abundant mishandling of personally identifiable information (PII), today’s banking operations should not rely on knowledge-based authentication (KBA) as the primary method for identifying customers over the telephone.

Why? When it comes to authenticating customers, KBA alone does not provide the level of defense needed to detect today’s sophisticated social engineering schemes. Plus, the necessary challenge questions are cumbersome and hurt the goodwill of customers. In a nutshell, KBA is too expensive, it adds significant time to each call (increasing operating costs), frustrates customers, and ultimately can be defeated by criminals.

The TRUSTID® Physical Caller Authentication solution provides another layer of security that steps in before KBA or any other authentication method begins to do its work. In fact, once TRUSTID invisibly validates the Caller ID and ANI before the call is answered, banks are one step ahead of criminals, who aren’t given the opportunity to socially engineer call center agents. Plus, banks don’t have to spend the time and money interrogating known criminals.

By eliminating all of this on 85% to 90% of incoming bank calls, TRUSTID is a viable authentication solution that helps financial institutions reduce the time and cost of authenticating customers, improves the overall customer experience, and reduces the number of fraudulent calls that can potentially beat KBA solutions.

Bringing the power of information back to banks

Posted on: July 17th, 2012 by art

When it comes to bank fraud, the old adage that information is power is true. This is certainly the case when it applies to criminals who steal private information to commit bank fraud. Once a criminal has access to somebody’s personal information, they can use it to socially engineer call center agents, open new accounts, unlock passwords and correctly answer bank security questions over the telephone.

In the article, “U.S. Credit reports and Knowledge Based Authentication Compromised,” Gartner’s security analyst Avivah Litan discussed the various ways criminals use consumer information to their advantage. Her conclusion? Banks that use knowledge-based authentication (KBA) solutions as the primary method to identify customers and protect their business environment should rethink their defense strategy.

Why? The answer to that is simple: crooks have the information to defeat most of today’s KBA and personally identifiable information (PII) defenses. To take it a step further, even the data held by credit bureaus and public data aggregators to protect businesses isn’t immune to such attacks. As the MSNBC article, “Hackers turn credit report websites against consumers,” suggests, these databases should not be used as trusted sources for verifying customers because they, too, can be compromised.

With hackers now able to undermine consumer credit scores, obtain private passwords, answer out-of-wallet security questions, and use call-forwarding to reroute and intercept bank callbacks to customers, Litan said that KBA has lost its ability to adequately protect bank information and customer accounts.

Of course, at TRUSTID® we’ve known about the weaknesses in KBA and the risky handling of PII all along. That’s why we focus on identifying customers by the actual device they use to contact banks, which in this case is a landline or mobile phone, rather than by the falsified information criminals can use to create the false trust needed to socially engineer banks over the telephone channel.

To hide their true identities, criminals spoof their Caller IDs to trick banks into thinking they are somebody else. The TRUSTID® Physical Caller Authentication tool doesn’t get fooled by manipulated Caller ID and ANI, or any other social engineering scheme that originates from stolen information. How do we do it? We validate incoming calls before any of the trickery takes place — before the call is answered.

By proactively identifying the physical location of the landline or mobile phone the customer is calling from, banks can use this data to determine in real time whether an incoming call can be trusted or is high risk. In today’s age of information manipulation, that’s intelligence that can help transfer power from criminals back to banks.

How invisible customer authentication blindsides criminals attempting phone fraud

Posted on: July 11th, 2012 by art

Much like any new or popular remote device, criminals see the telephone as a potential vehicle for fraud. Although low-tech by today’s standards, crooks still see value in using the phone as a way to commit crimes against financial institutions.

If trends like Juniper Research’s prediction that mobile device usage will become a $630 billion industry by 2014 hold true, social engineering over the telephone will not be going away anytime soon. If anything, crimes originating from telephones — whether a landline or mobile phone — will likely escalate along with overall consumer usage.

Despite these increasing threats, this doesn’t mean banks should stop servicing customers over the telephone channel. Personally, I don’t believe this will ever happen. Here’s why. First, the telephone remains one of the financial industry’s most widely used means of communicating with and serving customers. Second, with mobile technology growing like never before, there are too many opportunities for banks to grow new business to ever shut the door on the phone channel.

That said, the answer isn’t to eliminate one of the banking industry’s most relied upon customer service and sales channels. With more advanced Caller ID spoofing technology available for criminals to exploit banks’ security gaps and weaknesses, financial institutions need to proactively identify criminals before thieves have the opportunity to socially engineer their call centers. What I mean by this is banks need to find a way to validate who’s on the other end of the telephone line before the call is answered.

While many banks still use personally identifiable information (PII) in the form of telephone security questions to authenticate customers, these knowledge-based authentication solutions are basically “after the fact” solutions that essentially allow criminals in the door. When crooks reach this point, they have a significant advantage over unsuspecting call center agents. By correctly answering a series of security questions, the criminal’s trap is set. Gaining a false sense of trust with call center agents puts crooks in the position to obtain the personal or account information they need to access another person’s bank account.

To keep call center representatives from falling into this trap, banks need to authenticate callers before the phone conversation begins. That way nothing’s left to interpretation, and agents don’t fall prey to stolen information. In other words, identifying risky calls before the call is picked up is essential for reducing bank telephone fraud.

The TrustID® Physical Caller Authentication tool does this by automatically validating the Caller ID and ANI before the phone is answered. While remaining invisible to criminals and non-intrusive to customers, TrustID identifies the physical location of the landline or mobile phone in real time so financial institutions can see whether an incoming call is coming from a legitimate customer or from an entirely different location. This level of validation blindsides criminals before they can attempt to defraud bank call centers, giving banks an advantage over Caller ID spoofing and social engineering schemes conducted over the phone. Along with keeping fraudsters in check, TrustID’s non-intrusive, customer-friendly approach also allows banks to improve the overall customer experience.

Proactive Caller ID validation can help banks determine level of risk

Posted on: June 27th, 2012 by art

When someone applies for a bank card, whether it’s a credit, debit or ATM card, they receive the physical card in the mail. At that point, according to a 2009 Portland State University survey, more than 80% of people activate their cards by calling a toll-free (800) number.

With a large percentage of people still relying on the telephone to activate bank cards, it’s not surprising that criminals, too, would use the telephone to perpetrate any number of fraud attacks against banks.

Today, social engineering scams conducted over the telephone such as “vishing” (voice phishing), pretexting and fraudulent card activation pose serious threats to financial institutions and banking customers. These highly sophisticated, yet rather low-tech, fraud techniques are primarily aimed at obtaining private information to fraudulently gain access to legitimate bank accounts, with the end goal of wiping them out without the bank knowing it.

Unless financial institutions can validate the Caller ID or ANI, telephone-based schemes that combine Caller ID spoofing with clever social engineering will continue to bypass anti-fraud tools like knowledge-based authentication (KBA) that depend on personally identifiable information (PII) to detect and stop bank fraud.

A security tool that is re-establishing the Caller ID and ANI as trusted sources for identifying fraud is the TrustID® network-based Physical Caller Authentication solution. Using TrustID’s API, the bank transmits the Caller ID credentials before the call is answered, and real-time forensics determines within seconds whether the call can be trusted, without relying on any type of PII or putting customers through a cumbersome phone-based interrogation process.

By instantly identifying the physical location of the landline or mobile phone before the call is picked up, TrustID allows financial institutions to determine the level of risk of incoming bank calls to proactively stop everything from tricky social engineering scams to fraudulent bank card activation.

What customers say

“Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TRUSTID will greatly assist with not only customer service, but also with board level compliance issues.”

– CISO, top 10 global bank

“As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.”

– CSO, global financial company

“Offshore agents are highly vulnerable to fraud schemes and social engineering. TRUSTID’s solution enables informed routing decisions, optimizing agent cost reduction programs.”

– CISO, top 10 global bank

“Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.”

– VP of Card Fraud, large international bank