Posts Tagged ‘risk management’

Banks must stop relying on the false trust created by criminals

Posted on: June 21st, 2011 by art

The “false trust” created by criminals to socially engineer banks has turned Caller ID and ANI into unvalidated claims that are no longer trustworthy for identity authentication. This is the simple, straightforward message that TrustID has been delivering for some time, despite industry naysayers who incorrectly claim ANI cannot be spoofed.

The reason why we’ve been so persistent in getting the word out is because far too many banks we talk to continue to use these unvalidated claims as trusted sources for identifying customers in the telephone channel. Trusting Caller ID and ANI without properly validating the authenticity of the calls gives criminals a leg-up on defeating existing telephone authentication processes, significantly increasing the security risks of banks’ proprietary data and customer accounts.

As long as fraud teams continue believing the “lies” that criminals depend on to defraud banks and their customers, they will remain vulnerable to illegally spoofed calls. This is why financial institutions need to make it a priority to implement new identity authentication tools like the TrustID® Telephone Firewall™ solution, which validates the Caller ID and ANI with the physical location of the caller before the actual call is answered, without impacting the customer experience or tipping off criminals that an authentication check has been performed.

Given that Caller ID and ANI can quickly and easily be spoofed by anyone using readily available free technology, banks and financial institutions need to take steps to restore Caller ID and ANI as validated credentials for identifying customers. The answer to stopping the growing number of social engineering and telephone fraud schemes against banks is as simple as the message we’ve been conveying all along: If banks don’t take the necessary steps to restore trust in the phone channel, the security and integrity of their critical business data is only as good as the lies they believe.

 

Why banks need to get the customer experience right

Posted on: June 15th, 2011 by art

Today, financial institutions are competing heavily for customers. In addition, there’s a scramble towards the premier, high net worth customer, and an even stronger push for the “total relationship” (i.e., banking, credit card, insurance, commercial, retirement planning, etc.).

Five years ago, customers would give high marks to banks that were monitoring their daily credit card activity, often rating calls out to them to verify transactions as a good customer experience. Today, that’s not the case. Many heads of fraud operations, strategy or policy are much more scrutinized. It’s no longer good enough to just keep fraud losses in check, particularly if it may damage the larger, broader relationship between the bank and customer.

The new customer mantra is: “Just make my card work.” There’s nothing more intrusive or upsetting to a premier cardholder than to have their card rejected at the point-of-sale, especially if they’ve traveled halfway around the world and need it to check into a hotel, get cash from an ATM, or grab the dinner tab for a client.

Today, innovative banks are working diligently to pull disparate systems together because they recognize having a 360-view into a customer’s interactions is key to the relationship. The customer experience is a differentiator, and the credit/debit card is typically the vehicle that has the highest customer touch points. If you don’t get the customer experience right, you may very well be losing your best customers and not even know it.

Take a close look at the top reasons for customer dissatisfaction. If you eliminate the product factors such as line assignment, fees or interest rate, one of the top reasons for customer dissatisfaction is the ongoing KBA (knowledge-based authentication), or what I prefer to call “customer interrogation”.

Customers are rapidly growing tired of having to answer these personal questions. Unfortunately, banks that hit callers up with a bunch of personal questions at the onset of a call — before a customer can even clarify their needs — are setting the wrong tone with their customers and prospects. In fact, today’s telephone banking security questions, which are designed to validate the identity of the person calling a bank’s call center, are doing more harm to the goodwill of their customers and the important bank/customer relationship by making the telephone channel an unpleasant experience.

Instead, what banks should be doing at the onset of each call is serving their customers, not interrogating them. These questions break the mood of the customer and cost banks both time and money. For all the good work fraud teams are doing to create a good customer experience at the point-of-sale, all is being forgone when they reach out in the most personal channel, the telephone, and start interrogating them.

By validating the Caller ID and ANI before the call is answered, the TrustID® Telephone Firewall™ solution eliminates the need to bombard customers with a bunch of questions at the beginning of a call. By addressing a customer’s needs right out of the gate, financial institutions can enhance the customer experience and improve overall customer satisfaction and the larger, more profitable bank/customer relationship.

Why transparency is important in fighting telephone fraud

Posted on: June 8th, 2011 by art

In the complex and highly analytical realm of fraud detection and prevention, the best fraud strategies, rules, software and technologies are generally believed to have a considerable lifespan. Over time, however, many of these tools can be compromised or become less effective in fighting fraud as criminals figure out how they work and come up with new ways to evade detection. This is probably most evident on the Internet where, despite massive efforts to protect data, we frequently read about large-scale data breaches against even the most technologically advanced companies.

One of the biggest long-standing issues with fraud prevention has been the visibility of the programs to the public and, therefore, the criminals.

Most fraud strategies, including Card Activation and CVV/CVC2, are eventually compromised by criminals because of this visibility. Even in the highly sophisticated, data driven area of transactional processing, where models look at usage patterns or data elements like transaction amounts, SIC/MCC codes, transaction time and country code, these tools can be relatively easily tested by crooks. In all fairness, many of the fraud prevention programs like Card Activation are publicized because they require customer involvement or are instructional in nature (asking for the 3-digit code on the back of the signature panel) to good cardholders.

One of the primary benefits of the TrustID® Telephone Firewall™ solution is that it is invisible to the criminals and undetectable to upstanding customers. Knowing what inbound calls are high risk prior to answering the call provides banks and other financial institutions a huge advantage over the criminals, and an opportunity to dramatically improve the customer experience through reduced interrogation, otherwise known as KBA (knowledge-based authentication).

Because the TrustID Firewall is completely transparent to both customers and criminals, and developed using data from a highly complex telephone network, it doesn’t provide crooks with any insight into how they are detected. As a result, customers go about their business without interruption and crooks have nothing to test against to breach the system.

Much like its historical predecessors (i.e. Card Activation Stickers, Falcon, Device ID, Caller ID), the TrustID Telephone Firewall transforms the way banks service their customers. It fundamentally changes how financial institutions authenticate customers and route calls to reduce fraud losses, drive down operational expenses, and improve the overall customer experience.

 

How ANI and Caller ID spoofing impacts the customer experience

Posted on: May 31st, 2011 by art

Over the past several weeks, I’ve talked about the ease with which illegal ANI and Caller ID spoofing is perpetrated. I’ve articulated how the tools available on the market are easily obtained, and that, outside of the TrustID® Telephone Firewall™ solution, there are no known products to identify and stop unlawful spoofing.

This week, I’d like to turn my focus from fraud losses and increasing operational expenses caused by illegal spoofing and social engineering and discuss the customer experience, and the negative impact these types of unwanted activities can have on a financial institution and its brand.

This scenario is best set up by outlining the many parallels between airport security and the financial services industry. After the horrific events of 9/11, the airline industry took the necessary steps to protect its customers and business assets. This resulted in hundreds of millions of world travelers going through an extensive pre-flight security ritual to help prevent another disaster. Today, this mandatory security screening process costs the airline industry billions of dollars, and is completely frustrating to the 99.9% of good travelers who have no criminal intent. While the airlines continue to search for better means to make the process more efficient, cost-effective and customer friendly, they really have made little progress.

This year, the financial services industry will receive over nine billion telephone calls. Nearly 100% of the customers initiating those calls will go through some form of authentication. Much like the airport security business, 97% or more of those customers are legitimate customers that have no intent to commit a crime. Also, like the airline industry, this enhanced authentication process — deemed necessary to stop identity theft — costs the banking industry hundreds of millions of dollars and frustrates its customers. Perhaps one stark difference between the two industries is our authentication process is really not that effective at stopping criminals. In other words, crooks can easily beat it.

Can you imagine a day when you could walk into an airport with your e-ticket in hand and walk straight to your gate? How nice would that be? No waiting in security lines, removing your belt, shoes, jewelry, computer or watch. Suppose this new airport security was a completely transparent, undetectable-to-customers means of picking out risky passengers for screening and letting the upstanding citizens proceed without question. As a frequent traveler, which airport would you prefer to travel through?

Now imagine those customer calls coming into your respective call centers. What if you could identify the 3% of calls deemed “high risk” through a pre-answered authentication solution without putting the 97% of good customers in the same boat? How much would the customer experience improve if your good customers didn’t have to go through the same interrogation process as the high risk calls? How much would the 10- to 20-second reduction in your average handle time per call save you in operating expenses? Imagine a world where your IVR or call center agent picks up every call by saying: “Thank you for calling (Bank Name). For your security, we have validated your phone number. How may we assist you today?”

The TrustID Telephone Firewall authentication solution does just that. We enable financial institutions to confidently identify calls coming into a bank’s call center before the call is answered, while remaining undetectable to callers and invisible to criminals. As a result, TrustID improves the overall customer experience, a key component to customer satisfaction.

If you have yet to watch our demo on how easily Caller ID and ANI spoofing occurs, and how the TrustID firewall stops it, feel free to contact me at any time to learn more about the many benefits TrustID provides that go beyond fraud savings.

 

Yes… ANI CAN be spoofed!

Posted on: May 25th, 2011 by art

In last week’s blog, I questioned how big of a problem we have with Caller ID and ANI spoofing. The gist of the article was that, as industry experts, we know we have an issue with identity theft as we’ve installed very onerous processes to better authenticate our customers on inbound calls.

Based on some telephone conversations, emails and meetings this past week, I’ve learned that I have gotten a little ahead of myself here. Apparently, there is still a fairly large contingent in our senior fraud community that seems to be under the impression that ANI CAN’T be spoofed.

I decided I’m not going to beat myself up too badly having made the assumption my readership understood that ANI could be spoofed. A short six months ago, I had similar beliefs about ANI/Caller ID and, I too, felt I had a vendor solution to control it. I’ve also had the recent advantage of working with the experts at TrustID to show me how easy it is to spoof ANI and been able to review some actual live data that has run through our forensics to see how frequently numbers are being manipulated.

If you get one thing out of this week’s blog, I want it to be that, yes, ANI CAN be spoofed. It’s easy to do, and is occurring every day in your respective organizations. It’s causing significant losses in fraud, additional increases in operational expense, and is damaging your brand through deteriorating customer experience.

The other important takeaway this week is to know that I’m not referring to the simple applets that are being offered on smartphones that allow you to spoof calls. We need to understand that there are more robust software applications (Asterisk) that are easily installed that allow anyone to spoof ANI. Until the TrustID® Telephone Firewall™ solution came along, there had not been any known solution that has been able to detect ANI spoofing.

Regardless of your industry, be it banking, airlines, health care, if you’re reading this blog, I encourage you to pull together the right people in your respective organizations and have TrustID do a demo for you. We can show you the ease with which ANI is being spoofed and our ability to detect it prior to you answering the call.

 

Caller ID Spoofing: How big of a problem is it?

Posted on: May 17th, 2011 by art

Many banking security professionals spend a significant amount of time pondering how bad of a problem unlawful Caller ID and ANI spoofing really is. I should know, I’m one of them. If we take a step back and think about it practically, we know spoofing happens all the time for any number of reasons. We know social engineering occurs, and that the financial services industry has a pretty significant problem with identity theft.

I doubt too many experienced industry people reading this blog will dispute it’s an issue we have to deal with. While these terms have only become part of our vernacular within the past few years, there’s no doubt they support the notion that we have a serious problem.

Certainly, it’s not atypical that banks have reacted, and will continue to react as the crooks test our systems looking for the weakest link. To combat this problem, banks and other industries have responded with different levels of risk-based authentication processes — anywhere from simple customer questions like their mother’s maiden name, date of birth, or the last four digits of their social security number to more elaborate and personal knowledge-based verification (KBA), “out-of-wallet” type of questions.

More recently, many banks have also deployed (for a fee) a popular vendor solution that actually purchases data from the spoofing sites, which, in turn, sell back the phone numbers that are being spoofed to their company’s 1-800 numbers. While this worked, initially, it never really felt good. It sort of felt like paying money to the very companies that were causing the problem. The larger concern is the tool cannot manage the growing number of spoofed calls that pop up, nor can it combat hacker-developed spoofing programs as opposed to commercial spoofing. And this doesn’t touch on the more sophisticated software that goes way beyond simple spoofing sites, like Asterisk, available on the market today.

Lastly, some banks are trying to train and re-train representatives. This is an uphill battle given the high employee turnover rates, and the fact the crooks actually have the answers to the KBA questions, anyway. Add this to growing customer frustrations, and it’s neither a reliable nor a scalable solution.

So, how big of a problem is illegal Caller ID and ANI spoofing? The reality is we don’t know. Looking at the issue holistically across our respective organizations, we do know our efforts to mitigate harmful Caller ID spoofing and social engineering schemes are onerous and expensive. We know these threats are intrusive to good customers and the processes mentioned above, which, unfortunately, are becoming increasingly ineffective against them.

Until recently, I thought the banking industry had no viable, cost-effective means to fight unlawful Caller ID and ANI spoofing. All that changed after I learned about the TrustID® Telephone Firewall™ solution. To me, being able to stop illegal spoofing and reduce fraud losses while cutting operational expenses in your call center and restoring customer confidence and satisfaction is a win/win all the way around. And that’s what TrustID provides in one solution.

If you’d like to learn more about our telephone firewall solution, or would like a demo, feel free to contact me at your convenience at (831) 274-2042.

 

The dual challenge of fraud and debilitating fraud prevention programs

Posted on: May 10th, 2011 by art

During my first few weeks at TrustID, I’ve reached out to a number of key contacts across the industry to discuss the growing concerns around Caller ID and ANI spoofing, social engineering, and the negative impact today’s fraud prevention programs have on banking customers and profitability. It’s this dual challenge that most fraud teams deal with every day.

When I reflect back on my 30 years in the industry, the most challenging times came when incidents of fraud were spiking and losses were spiraling upwards. This reminds me of a time early in my career, before I had any experience with fraud. It was one of those career-defining moments that you never forget. In what seemed at the time like an unfortunate encounter with the head of a partner program I was running, his one-way lecture to me was simple and straightforward:

“Stop punishing all of my good customers to stop a few bad ones. You are costing me money.”

That single comment still resonates with me today and certainly shaped my views on how to best approach the many fraud challenges that I mentioned above. It is our responsibility in each of our respective organizations to help protect our assets and our customers from fraudulent activity, to maintain or enhance our respective brands and, most importantly, drive profitability.

The ongoing game of cat-and-mouse with criminals continues today. Only now, the fraud can move rapidly and is truly global in nature. Our collective goal, my personal goal and my reason for joining TrustID is as simple and straightforward as those words spoken to me over 30 years ago:

“Help protect our banking customers from fraud in the most cost-effective manner and enhance their brands without punishing their good card members.”

I’m extremely excited to be working with the very talented, highly innovative team here at TrustID. As we move down this path, I plan to provide additional insight into the issues we all face and how TrustID helps aid banking and financial institutions in both an efficient and cost-effective manner. During this time, I encourage your responses and would love to hear from you privately if you are interested in discussing specific issues you are facing, or if you would like to learn more about the TrustID® Telephone Firewall™ solution.

Renowned fraud detection and prevention expert joins TrustID

Posted on: April 27th, 2011 by Pat

This week, I wanted to focus on a new addition to the TrustID team. I am extremely excited to announce that internationally renowned fraud detection and prevention expert, Art Barger, has joined TrustID. With more than 30 years’ experience in operating banking fraud detection and prevention systems for one of the world’s leading banking companies, I’m confident that Art’s wealth of industry knowledge and deep understanding of bank operations, fraud mitigation and risk management will be instrumental in taking TrustID to the next level.

After serving 20 years as senior vice president and head of North America fraud operations at HSBC, Art brings invaluable insight into the day-to-day operations and the level of security required to prevent harmful fraud activities that continue to cost banks and financial services companies millions in losses each year. His experience makes him a key resource for assisting banks with their authentication and security implementations, both of which are critical to our customers’ success in reducing costs, growing revenues, and improving their brand through reduced customer interrogation.

Art also shares a similar perspective around the importance of securing the telephony system. As banks and financial institutions focus their security efforts on web-related fraud and online authentication, they are overlooking the fact that criminals use the telephone to obtain information they need to carry out fraud across other channels, including the Internet. In Art’s words:

“… the real threat is the telephone channel. The best investment a bank can make in securing their Internet channel is a caller-transparent and effective telephone authentication process such as the Telephone Firewall.”

Because current knowledge-based authentication (KBA) methods are expensive, intrusive and ineffective against threats like Caller ID and ANI Spoofing and social engineering schemes, it’s important for banks to use a telephone firewall solution that validates the physical location of the caller beyond the information they provide. Fraud prevention tools such as the TrustID® Telephone Firewall™ validation solution are critical to restoring the calling party number of incoming calls as a reliable and trustworthy credential for identity authentication.

As TrustID’s new senior vice president, Art will leverage his hands-on industry experience and longtime service on industry boards and committees including the MasterCard Global Fraud Committee, to help our customers mitigate telephone fraud in the financial, telecom, healthcare and retail industries. This is why I’m happy to have an accomplished individual and business leader like Art Barger on board at TrustID.

 

 

Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TRUSTID will greatly assist with not only customer service, but also with board level compliance issues.

– CISO, top 10 global bank

As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.

– CSO, global financial company

Offshore agents are highly vulnerable to fraud schemes and social engineering. TRUSTID’s solution enables informed routing decisions, optimizing agent cost reduction programs.

– CISO, top 10 global bank

Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.

– VP of Card Fraud, large international bank