Posts Tagged ‘risk management’

Despite heavy security investments, identity theft and fraud continue to proliferate

Posted on: March 27th, 2012 by art

The Federal Trade Commission recently published its annual 2011 report on consumer complaints. The report, “Consumer Sentinel Network Data Book,” lays out in extensive detail the types and frequencies of reported complaints to the FTC from consumers. Here are a few pertinent points from the report:

 

  • The CSN received over 1.8 million complaints during calendar year 2011
  • Identity theft was the number one complaint category in the CSN for calendar year
  • A total of 990,242 complaints in 2011 were fraud-related
  • For military consumers, identity theft was the number one complaint category
  • Government documents/benefits fraud (27%) was the most common form of reported identity theft, followed by credit card fraud (14%), phone or utilities fraud (13%), and bank fraud (9%). Other significant categories of identity theft reported by victims were employment fraud (8%) and loan fraud (3%).

Personally, I think it is very telling that the top two complaints are identity theft and fraud. These two categories are inherently related, connected at the hip, if you will, because criminals essentially steal identities to commit fraud.

The second important takeaway for me was that despite all of the heavy investment banks and other institutions are making to safeguard customer information, particularly in the online channels, identity theft and fraud continue to proliferate. This is quite alarming.

Over the past several months, I’ve written a number of blogs that talk about the need to bake cyber security and risk management into all customer channels, including ATMs, Internet and the telephone.

One of the reasons telephone fraud and social engineering have picked up in recent years is the fact that criminals now have the ability to access or change an address or account data that is necessary to perpetrate larger and more profitable online crimes. Once a criminal controls a customer’s information – primarily through the telephone channel – criminals use the newly acquired personally identifiable information (PII) to commit crimes through the online channel.

Financial institutions that ignore the telephone channel as a primary source of fraud, and that don’t apply the same security and authentication requirements they apply to the online channel, will continue to put themselves at risk, as the CSN report painfully articulates.

The fact is, if you want to automate business processes, enhance customer communications, and take advantage of new technologies, you have to “bake” cyber security and risk management across all customer channels.

Deploying an effective, non-intrusive identity authentication tool like the TrustID® network-based Physical Caller Authentication enables financial institutions to convert ANI and Caller ID into a powerful physical security and customer authentication tool that can be used to close the security gap that too many bank call centers still operate with today.

An identity authentication solution that helps banking institutions protect the telephone channel by making the phone number a valid “Something you have” authentication credential is an essential piece of the FFIEC’s multi-factor authentication paradigm for identifying customers. By automatically validating the physical location of the caller before the phone is answered, financial institutions proactively identify fraudulent calls and address good customer inquiries faster, all without putting callers through the burdensome telephone interrogations that knowledge-based authentication (KBA) solutions require.

Ignoring telephone fraud puts banks and customers at risk

Posted on: September 27th, 2011 by art

Over the past several months, I’ve written a number of blogs that specifically talk about the need to bake cyber security and risk management into all customer channels, including ATMs, the Internet and the telephone.

I’ve highlighted the fact that cybercrime (including ACH payment fraud) is fueled by social engineering over the telephone. This is why it is critical that financial institutions become aware of evolving tactics that criminals use to trick call center agents into divulging legitimate bank account information. Otherwise, as crooks get better at creating the false trust needed to change and steal personal and financial data in the data center, banks and their good customers are both at risk.

In the recent BankInfoSecurity.com article, “Online Weaknesses Aren’t Only Links That Lead to Fraud,” Phil Blank, head of Javelin’s Strategy & Research Security, Risk and Fraud practice, asks:

“In the larger picture of account takeovers, which includes both retail and commercial accounts, is the focus on online fraud giving banking institutions an accurate picture of fraud?”

He goes on to say that many incidents of account takeover are actually perpetrated via relatively low-tech means, not phishing. What banks also need to be aware of is how much fraud is occurring on the consumer and business-customer side, and not all of them will invest in technology that catches these types of attacks.

Not only do I agree with Phil’s views, I would add that as IT departments try to pinpoint what areas to focus on to ensure their systems are protected from evolving threats, many are overlooking the primary attack vector – the call center.

One of the reasons telephone fraud and social engineering have picked up in recent years is the fact that criminals now have the ability to access or change an address or account data that is necessary to perpetrate larger and more profitable online crimes. Once a criminal controls a customer’s information – primarily through the telephone channel – criminals use the newly acquired personally identifiable information (PII) to commit crimes through the online channel.

Financial institutions that ignore the telephone channel as a primary source of fraud, and that don’t apply the same security and authentication requirements they apply to the online channel, will continue to put themselves at risk of damaging their brands, losing customers’ confidence in their ability to protect personal data, and even incurring financial liability.

In a related blog, Tracy Kitten highlighted customers’ frustrations with banking institutions. One victim whose company experienced significant losses from an account takeover and eventually shut down its online banking offerings, said:

“Everyone knows it is happening, but no one is capable of stopping the proliferation of these cyber attacks.”

Another fraud victim had similar concerns, adding:

“The laws for ACH crimes should mirror what’s required on the credit card front: Banking Institutions need to bear more responsibility.”

Simply put, it’s a war out there; a war against cyber criminals who have one goal in mind – making money. Too many well-intended security professionals seem fixed solely on Internet authentication and security. The fact is, if you want to automate business processes, enhance customer communications, and take advantage of new technologies, you have to “bake” cyber security and risk management across all customer channels, including ATMs, the Internet and the telephone.

Deploying an effective, non-intrusive identity authentication solution like the TrustID® Telephone Firewall™ validation solution enables financial institutions to convert ANI and Caller ID into a powerful physical security and authentication tool that can be used to close the security gap that too many bank call centers still operate with today.

A new approach to customer care

Posted on: August 18th, 2011 by art

In a previous post, I concluded that financial institutions who can significantly improve the consumer experience while simultaneously ensuring the safety of their customers’ money and personal information will win the hearts, minds, trust and, ultimately, business of their competitors’ customers.

While I believe this to be true, still, financial institutions are no longer the sole determinant of their brand. Today, customers are a prime driver of brand. If they are dissatisfied, they will walk, and follow up by posting their opinions on Google, Facebook, and everywhere else your prospective customers will see it. Because of social media, the consumer’s voice is louder than ever… and it’s about to get louder.

We are on the cusp of a major transformation in the financial services industry, where the success of the entire enterprise is dependent on the customer experience and its ability to service its customers’ needs. Over the next several years, we will see a market shift where financial institutions are no longer able to define their own brands. Instead, the consumer will define them. Banks that understand this shift, and alter their business processes to invisibly and non-intrusively improve the customer experience and ensure consumer safety, will gain a competitive advantage that will significantly improve top and bottom-line performance for their shareholders.

For example, take a look at some of the top reasons for customer dissatisfaction. If you eliminate product factors such as line assignment, fees or interest rates, one of the main reasons for customer dissatisfaction is poor customer service due to a lack of trust and respect for the customer’s time. This is often caused by highly disruptive “customer interrogation,” or knowledge-based authentication (KBA). Yet, banks and financial institutions continue to rely on this outdated, costly and time-consuming method to identify customers over the telephone. In an industry where seconds count for average handle time (AHT), it is a huge frustration for the customer. This is why it’s no surprise that KBA is having a negative impact on financial institutions and their brands.

How a customer feels during and after phone interactions is a significant differentiator, yet too many banks have lost sight of what consumers really want. Current fraud prevention strategies – many of which are still focused on KBA – are at odds with both customer care and the bottom line. KBA is no longer a viable and sustainable method for validating caller identity and is creating an even bigger disconnect between fraud prevention strategies and customer care goals. Instead of endless customer questioning, imagine your IVR picking up every call by saying:

“Thank you for calling (Company Name). For your security, we have validated your phone number. How may we assist you today?”

This streamlined telephone interaction can be a reality with the telephone firewall. The TrustID® Telephone Firewall™ solution provides financial institutions with a competitive differentiator that enhances the customer relationship while simultaneously improving fraud prevention.

By eliminating interrogation at the start of each inbound call and giving the customer more perceived control over the bank/customer relationship, TrustID is paving the way for financial institutions to transform the customer experience. Customers want to be trusted and respected, and demand both safety and convenience. The TrustID telephone firewall is paramount to a mutually trusting relationship between customers and their banks, and proves that the bottom line and customer service do not have to be at odds with each other.

Telephone Spoofing: Have we only hit the tip of the iceberg?

Posted on: August 10th, 2011 by art

Last week, AT&T announced plans to make voicemail passwords opt-out in order to guard against telephone spoofing. In a recent blog, Bob Quinn, AT&T’s chief privacy officer, wrote:

“However, given the advent and, unfortunately, the wide availability of sophisticated telephone number spoofing technology that allows people to “fake” the telephone number they are calling from, we are moving in a new direction.”

My strong suspicion is that AT&T is reacting to the recent UK phone hacking scandal, which has completely blown the lid off of how easy it is to spoof telephones. While this is something we’ve been educating our readers about for a while now, oftentimes it takes a high-profile event like this to enlighten the rest of the world about the dangers and impact phone spoofing can have on its victims. More so, AT&T must react in order to safeguard the integrity of its systems and its customers’ personal data, which is core to developing the trust of its customers and to bottom-line profitability.

Unfortunately, AT&T’s decision to require passwords won’t stop telephone voicemail spoofing. AT&T will be subject to social engineering and spoofing of its own call centers. They will need to become aware of evolving tactics that criminals use to trick call center agents into updating or generating new passwords. AT&T will deploy some form of knowledge-based questions (KBA), which will add significant expense, frustrate good customers, and can still be beaten by crooks. As I wrote in my previous post, The death of knowledge-based authentication, it’s a vicious cycle, one that erodes the confidence of customers.

The News of the World phone hacking scandal and AT&T’s response is a prime example of a problem many businesses face today. Whether they know it or not, the truth is we’ve really only hit the tip of the iceberg. Criminals are using the telephone channel to commit different types of spoofing, pretexting and social engineering schemes to gain access to customer information and other confidential and proprietary business assets. In fact, this type of illicit behavior occurs tens of thousands of times each day against banks and financial institutions, and if they aren’t careful, they too could fall victim to similar security breaches.

Today, the TrustID® Telephone Firewall™ solution is the only solution available that instantly authenticates inbound phone calls before the call is answered. By validating ANI and Caller ID through non-intrusive, undetectable caller authentication, businesses can proactively identify and stop criminals before they attempt to perpetrate fraud over the telephone channel. In doing so, business institutions can ensure customers are who they say they are without damaging their trust and goodwill through time-consuming, unpleasant KBA and telephone identity interrogation.

While they don’t specifically mention the NoTW debacle that brought telephone spoofing into focus, AT&T’s change in direction is being driven by the risk to its brand if they do nothing. Today, every financial institution is in jeopardy of losing customers who are generally dissatisfied with their customer service experience and distrustful of their bank’s ability to protect their money and personal information. Protecting customers’ money and data is core to developing trust. As IT departments try to pinpoint what areas to focus on to ensure their systems are protected, many are overlooking one of the primary vectors for identity theft — the call center.

The recent phone hacking event should put every organization on notice to question whether they have the right strategy around spoofing. I’m sure AT&T has known for years that voicemail spoofing over its network is occurring. It may just be prudent to get ahead of any potential backlash. But like financial institutions and other industries, they cannot quantify it and probably felt the customer convenience or the cost to deploy passwords far outweighed the risk. Like many other businesses, AT&T is reacting to the potential brand risks of doing nothing, and they also need to maintain both the integrity of its system and the trust of its customers.

Why trust and customer care is critical to every bank’s bottom line

Posted on: August 2nd, 2011 by art

Over the past few years, the business landscape for financial institutions has changed dramatically, making the road to profitability much more challenging. As a result, financial institutions are competing harder than ever for customers. They are working diligently to find the balance between managing costs while complying with a multitude of new regulations.

Perhaps the defining factor for acquiring new customers and retaining existing ones, and one that plays heavily in the road to profitability, is trust. In the simplest terms, trust is defined as the reliance on the integrity, strength, capability and surety of someone, or the confident expectation of something.

Today, every financial institution is in jeopardy of losing customers who are generally dissatisfied with their customer service experience and distrustful of their banker’s ability to protect their money and personal information. Protecting and safeguarding their customers’ money and data is core in developing trust. As IT departments try to pinpoint what areas to focus on to ensure their systems are protected, many are overlooking one of the primary vectors for identity theft — the call center.

The telephone remains the most intimate form of communication. No other industry knows this better than the financial services industry. In 2011 alone, banks will take over nine billion inbound phone calls from customers. Unfortunately, financial institutions continue to place the onerous task of authentication clearly on the shoulders of their customers. The knowledge-based security questions designed to validate the identity of the person calling a bank’s call center are doing great harm to the goodwill of their customers and the critical bank/customer relationship by making the telephone channel an unpleasant experience. Financial institutions that grill callers with personal questions at the onset of a call — before a customer can clarify their needs — are setting the wrong example with current customers and prospects.

The stark reality of customer care is financial institutions are wasting significant time and money, as well as losing their customers’ trust and goodwill.

By validating the Caller ID and ANI (and removing the customer from this arduous process) before the call is answered, the TrustID® Telephone Firewall™ solution eliminates the need to bombard customers with a bunch of questions at the start of each call. By addressing a customer’s needs right out of the gate, financial institutions can enhance the trust and the larger, more profitable bank/customer relationship. Banks and financial institutions that can simultaneously improve the overall customer experience and ensure the safety of their customers’ money and personal information will win the trust of the customers, and in doing so, earn the right to service them.

Phone hacking scandal exemplifies stark reality of Caller ID spoofing

Posted on: July 26th, 2011 by Pat

The recent UK phone hacking scandal has completely blown the lid off of how easy it is to spoof telephones. While this is something we’ve been educating our readers about for a while now, oftentimes it takes a single, high-profile event like this to enlighten the rest of the world about the true dangers and significant impact phone spoofing can have on its intended victims.

While the loss of privacy has been one of the biggest prices paid by the individual victims in the Murdoch case, businesses that leave their telecommunications networks open to hackers can feel the impact in other ways. With today’s more sophisticated criminals targeting customers’ personal information and company secrets, business losses can range anywhere from financial to brand integrity, which can lead to a whole subset of intangible costs.

What’s unfortunate about incidents like the News Corp./News of the World scandal is they could have been averted had the phone carriers been using the TrustID® Telephone Firewall™ solution. That’s right. By validating the physical location of a caller whether they are using the phone or a cellular device, the TrustID solution secures telephone systems against the threat of the Caller ID spoofing that led to the hacking of more than 4,000 phone numbers.

The NoTW phone hacking scandal is a prime example of a problem many businesses face today. Whether they know it or not, the truth is we’ve really only hit the tip of the iceberg. Criminals are using the telephone channel to commit different types of spoofing, pretexting and social engineering schemes to gain access to customer information and other confidential and proprietary business assets. In fact, this type of illicit behavior occurs tens of thousands of times each day against banks and financial institutions, and if they aren’t careful, they too could fall victim to similar security breaches.

Today, the TrustID Telephone Firewall is the only solution available that instantly authenticates inbound phone calls before the call is answered. By validating ANI and Caller ID through non-intrusive, undetectable caller authentication, businesses can proactively identify and stop criminals before they attempt to perpetrate fraud over the telephone channel. In doing so, business institutions can ensure customers are who they say they are without damaging their trust and goodwill through time-consuming, unpleasant knowledge-based authentication (KBA) and telephone identity interrogation.

The death of knowledge-based authentication

Posted on: July 22nd, 2011 by art

Financial institutions are losing money and customers due to the practice of knowledge-based authentication (KBA). Customers do not like to be interrogated, and interrogation is not in line with your bank’s mission and values statement (go ahead – re-read it). Regulatory bodies are calling for more advanced authentication to prevent fraud. Governmental agencies are now calling for the death of KBA.

In last month’s regulatory developments, the National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC) have started to crack down:

“In view of the amount of information about people that is readily available on the internet and the information that individuals themselves make available on social networking websites, institutions should no longer consider such basic challenge questions (like mother’s maiden name) as a primary control, to be an effective risk mitigation technique.” [Source: Federal Financial Institutions Examination Council, June 22, 2011]

From NIST – SP800-63 Revision 3, June, 2011:

“Instant KBA seems particularly problematic, because the combination of the establishment of identity and consummation of a transaction are compressed into a single session, because of the vulnerability of such systems to off-line research and because users get no chance to opt out of these risks… Instant KBA is not acceptable when transactions result in the release of sensitive or private information related to an individual. Many remote Internet transactions the government provides or would like to provide to its citizens fall into the latter category of transactions.”

With customer satisfaction, profitability and brand at risk, the industry needs to move in a new direction. This major shift in thinking and practice can, however, be turned into a competitive differentiator and profit driver.

In the past, KBA interrogation has caused a wide disconnect between fraud prevention strategies and customer care goals. Today’s financial institutions mostly fall into two categories. One, they’re doing too little authentication – e.g. asking only for the last four digits of the credit card and zip code, both of which can easily be found on a discarded credit card statement – and therefore exposing themselves to fraud loss and compliance issues. Alternatively, they are over-interrogating, which frustrates customers and ticks away precious seconds of potential relationship building, selling and servicing time.

Since KBA is no longer a viable method for validating caller identity, and customers do not like to be interrogated, the ability to undetectably validate customers is a powerful new way to better service customers, minimize the risky handling of PII, and keep fraudsters in check. By non-intrusively identifying customers before a call is answered, the TrustID® Telephone Firewall™ solution simplifies the authentication process without relying on KBA and is paving the way for banks to transform the customer experience while meeting new regulatory scrutiny.

Oh, and by the way, please don’t shoot the messenger, we didn’t kill KBA. If you want to find the real culprits, try social networking, data breaches, contact data sharing, voicemail hacking, geo-tagged photos, internet search engines, smart phones, criminal data exchanges, public records, hackers, university research papers, social engineering, and criminals. They are the ones who killed KBA.

How reducing average call times can make banks millions

Posted on: July 13th, 2011 by art

This week’s blog helps put some numbers behind this fact.

One of the most expensive areas within any large operation is employee costs. As such, the labor dollars spent within customer care centers is a very large, yet very necessary and important expense. With that backdrop, let me ask the question: “What does a 20- or 30-second reduction in agent handling time mean to your bottom line?”

    “Of the 43 billion calls that U.S. contact centers will receive in 2007, 41 percent will involve a contact agent asking identity verification questions. Although this process takes only 20 to 30 seconds, the industry will spend $11.7 billion, and more than 11,000 years of contact center agent time this year, just checking caller identities.”

    - U.S. Contact Center Operational Review 2007, Contact Babel

Because of agent efficiency killing factors such as training, after call wrap-up, hold time, vacation, sick leave, idle time between calls, supervisory costs, recruitment, and lost revenues from inexperience due to staff turnover — every second saved in actual work time is worth 2.5 cents in savings — according to the same Contact Babel report. Simply put, Contact Babel says not spending time using knowledge-based authentication (KBA) to identify customers saves $0.60 on each of these calls.

But I think it gets better than that. By relying on “TrustID ANI” for authentication and not using up a caller’s patience with KBA interrogation, your bank can materially reduce IVR to agent transfers, thereby saving $3.50 on these calls using Contact Babel’s math.

So what is removing KBA interrogation and using TrustID ANI for caller authentication worth to your bank in just savings? My assumption:

    Calls per year      Annual savings
    10 million          $2.8 million
    25 million          $7 million
    50 million          $14 million
    100 million         $28 million
    500 million         $141 million

But, even more importantly, in our highly competitive environment, what is it worth to your bank’s shareholders to make your customers happy?

Deploying the TrustID® Telephone Firewall™ solution does the lion’s share of inbound caller authentication by verifying the physical location of the ANI and Caller ID before the call is answered. This is done completely transparently to your customers and undetectably to criminals. By identifying the risk of the call before your IVR or agents have to speak with your customers, you can take seconds out of a large percentage of calls, which significantly reduces operational expenses and allows your representatives to spend their valuable time servicing and selling, not interrogating, your valued customers.

If you’d like to learn more about how our innovative tool can help your call center significantly reduce the time you spend authenticating inbound calls, or would like to see a demo, feel free to contact us today.

Still think ANI cannot be spoofed? Use our ANI spoofing tool yourself…

Posted on: July 5th, 2011 by art

Recently, I’ve talked the talk about how easy it is to spoof ANI. Now, it’s time to walk the walk.

TrustID is now giving you the chance to put these words to the test. To help educate people in our industry about how easy it is, we are making our in-house-developed ANI spoofing and penetration testing tool available to our clients and prospective clients to dispel the myth that ANI cannot be spoofed. Any bank can now see how easy it is by accessing the free spoofing and bank penetration testing tool today.

In our continued discussions with industry experts and leading financial institutions, I’ll admit that many do not fully grasp the gravity of the ease and damage spoofing is causing until we demonstrate (via a WebEx) how we can spoof their organizations. That’s when the light bulb goes off (and a little fear sets in), particularly for organizations whose existing authentication policies rely heavily on ANI, or are utilizing the easily compromised KBA questions for customer authentication.

Even more alarming is the fact that our new spoofing tool was built in less than an hour by one of our employees with no telecommunications experience, using information and software downloaded for free from the Internet. It was really that quick and easy.

With access to the very spoofing penetration tool we use in our demonstrations, you can spoof away (within reason) your own call centers, card activation lines or an inbound wire transfer line. If you are really feeling bold, spoof your boss or head of call center technology (at your own risk, of course). Or, conduct your own internal WebEx, and invite all internal interested departments to watch it on the big screen.

While this exercise can be fun and educational, it’s nothing to take lightly. Stopping ANI spoofing and restoring customer confidence is what we do, and we take it extremely seriously. This tool is meant to be used appropriately to show how easy it is to spoof ANI, penetration test your telecommunications services to help better understand the impact it’s causing in fraud losses, increasing operational expenses, and creating irreparable damage to brands across the banking and financial services industry.

How TrustID helps banks turn the tables on telephone fraud

Posted on: June 29th, 2011 by Pat

Scam artists are always trying to pull a fast one on us. Whether it’s through some clever social engineering scheme or, closer to home, spoofing their calling party number to trick call center agents into believing they are a legitimate customer trying to make a business transaction over the telephone while evading any type of detection.


These criminals are good at what they do because they have access to two important components: 1) their prospective victim’s personal and financial information, which is widely shared over the Internet through social networking sites, criminal exchanges and public records, and 2) they have powerful and cheap ANI spoofing mechanisms at their disposal. That’s pretty much all they need to get to work.

The trick to winning any cat-and-mouse game is to gain a strategic advantage over an adversary who previously has an advantage over you. For years now, banks and financial institutions have relied on knowledge-based authentication (KBA) to identify customers calling into their call centers. This, of course, falls right into the hands of con artists, who have the proper disguise (spoofed Caller ID and ANI) and correct information to pass any Q&A to carry out their diabolical plans.

To stop scams perpetrated over the telephone channel, banks first need to stop playing to the strengths of the criminals’ top weapon for defrauding them in the first place — customer information. Relying on KBA solutions to catch criminals only gives them the upper hand. Banks and financial institutions need to deploy identity authentication techniques that can catch criminals before they have the chance to socially engineer their call center.

The TrustID® Telephone Firewall™ solution turns the tables on scam artists by invisibly validating the Caller ID and ANI against the physical location of the caller before the call is answered. Without even knowing they’ve been identified, criminals are stopped in their tracks before they can start to carry out their scam. Furthermore, TrustID allows banks to do this without relying solely on KBA and the risky handling of personally identifiable information (PII).

 


    “Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TrustID will greatly assist with not only customer service, but also with board level compliance issues.”

    – CISO, top 10 global bank

    “As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.”

    – CSO, global financial company

    “Offshore agents are highly vulnerable to fraud schemes and social engineering. TrustID’s solution enables informed routing decisions, optimizing agent cost reduction programs.”

    – CISO, top 10 global bank

    “Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.”

    – VP of Card Fraud, large international bank