Posts Tagged ‘telephone authentication’

Study finds banks not meeting customer demands

Posted on: April 24th, 2013 by art 30 Comments

Customer service has always been at the root of customer satisfaction. In the financial services industry, without providing an exceptional customer experience banks simply won’t be able to retain current customers or attract new ones.

While we know the impact dissatisfied customers can have on a bank’s brand and overall success, a recent study by Cisco found that banks are falling short of meeting customer demands for more personalized service.

In the article, “Banks Fall Short On Delivering Personalized Service for Customers, Study Finds,” Cisco’s Customer Experience Report found that 69% of U.S. customers would be willing to give their bank more personal information if it resulted in better overall service. However, 58 percent of bankers said they had enough personal information on their customers. These somewhat conflicting views show that financial institutions are not meeting their customers’ expectations.

Customers in the study cited that the most important areas of personalized service were identity theft protection (77%), personalized advice to increase their savings (73%), more financial education (67%) and an assessment of their personal financial health compared to other customers (47%).

Cisco’s financial services marketing manager, Al Slamecka, said the problem with fulfilling customer needs is not a lack of personal data, but rather gaining a better understanding of customers across the organization.

In recent years, balancing customer service with enterprise demands has been a challenge for many financial institutions. From a customer’s point of view, it can often look as though customer service has taken a back seat to the bottom line. While banks are working hard to meet growing customer demands across all banking channels, providing an efficient, customer-friendly experience that addresses the customer’s needs is critical to a bank’s brand and improving the overall customer-bank relationship.

At TRUSTID, we understand how the success of a bank’s entire enterprise is directly dependent on the customer experience. That’s why our TRUSTID® Physical Caller Authentication tool is designed to invisibly verify customers over the telephone channel to streamline the interaction between customers and banks. By proactively validating the Caller ID and ANI before the inbound call is answered, bank contact center agents can immediately begin servicing the customer’s needs the moment they pick up. Providing highly secure, convenient and efficient service over the telephone is one example of how financial institutions can give customers the trust and respect they want and deserve from their bank.

Alternative authentication methods needed in today’s call center environment

Posted on: April 17th, 2013 by art 7 Comments

The need for alternative methods to identify customers over the telephone has been a long time coming. In my opinion, every day that a bank waits to add new authentication solutions into the mix is another day criminals can take advantage of defeatable security tools.

You see, crooks want financial institutions to continue to use things like security questions to identify customers. That’s because they’ve pretty much mastered the art of beating knowledge-based authentication solutions. When banks rely on personal information that, ideally, only the customer should know, they put themselves at a disadvantage because today’s digital world exposes more personally identifiable information (PII) than ever before.

Combing the Internet, today’s thieves are able to collect enough information on an individual to correctly answer challenge questions and socially engineer bank call center agents into divulging sensitive financial data; enough data, in fact, to access other people’s bank accounts.

Even the FFIEC (Federal Financial Institutions Examination Council) recognizes that more information is needed to identify bank customers today. While the FFIEC authentication standards include “something you know” (password, PII) methods, they strongly recommend combining that with at least a second layer of authentication to improve the level of verification for identifying customers over the phone. That would come in the form of either “something you have” (telephone, ID card, security token) or “something you are” (fingerprint, DNA, retinal pattern) that takes a separate approach to verify customers.

What differentiates the TRUSTID® Physical Caller Authentication tool from other solutions is it goes straight to the heart of the crime — the telephone — to proactively validate the Caller ID and ANI as the phone rings. By identifying the physical location of the phone making the call, TRUSTID gives banks real-time intelligence on inbound calls before they are answered. This works as the first layer for authenticating customers.

If TRUSTID’s real-time telephone network forensics authenticates the call as genuine, it routes the call to a call center agent without interrupting the customer experience. If it determines the call is spoofed, the bank can route the call based on the risk it poses to the system. By better understanding the risk of each call, TRUSTID provides a critical extra layer of authentication that’s sorely needed in today’s call center environment and helps fulfill the latest federal security requirements.

Call centers warned about Telephony Denial-of-Service (TDoS) attacks

Posted on: April 10th, 2013 by art No Comments

Imagine a call center without the ability to take inbound calls or make outbound calls. That’s the impact that growing Telephony Denial of Service (TDoS) attacks can have on targeted call centers. Sort of the cousin to online DoS attacks, TDoS is designed to incapacitate call centers after initial calls for fraudulent transactions are made.

According to the article, “Telephony Denial-of-Service Attacks Prompt Federal Attention,” the Department of Homeland Security and FBI recently issued a “situational awareness bulletin” after a number of TDoS attacks targeted public safety and emergency services call centers. The alert warned that criminals were phoning the call centers impersonating agencies to collect outstanding payday loan debt of $5,000. If the targeted employees didn’t agree to pay, the caller would launch the attack that flooded the call center with enough traffic to disable any incoming or outgoing calls for a period of time.

While the recent attacks have targeted public safety telephone lines, the complaints don’t stop there. Many believe criminals are expanding the types of industries they are targeting. In the memo, the DHS said attackers are “targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”

Using network-based forensics to verify in real time the exact location of the telephonic device calling bank call centers, we at TRUSTID have seen similar TDoS attempts. Because spoofing Caller ID and ANI is a key component of TDoS attacks, curbing these attacks requires the ability to understand if inbound calls pose a risk before the phone is picked up.

In doing so, financial institutions need to find a better way to authenticate their customers over the telephone channel and protect their call center agents from answering spoofed calls in the first place. The TRUSTID® Physical Caller Authentication solution validates whether all inbound calls can be trusted, or if they are high risk. By knowing if a call is trustworthy or not before it happens, banks can mitigate their risk of TDoS attacks and other social engineering scams without having to invest precious time and resources on known fraudulent calls.

Are you relying on outdated authentication tools?

Posted on: April 3rd, 2013 by art No Comments

Those of us in the telephone authentication industry can see the shortcomings of the different types of customer identification methods. While this has been evident for some time now, what continues to be an uphill battle is educating financial institutions about the risks of using outdated and ineffective authentication tools to identify customers over the telephone channel.

At last month’s BAI Payments Connect Conference, business leaders from around the globe met to discuss how various forms of fraud impact banks – from account-opening fraud to social engineering and call center fraud. No matter what channel criminals choose, the conclusion among fraud experts is bank fraud is on the rise.

Ori Bach, a call center monitoring expert with NICE Systems, echoed what we’ve been saying all along — knowledge-based authentication (KBA) and Caller ID are broken, call center fraud is up, and untrained personnel are falling for preventable tricks. Collectively, all of these pieces are contributing to increasing fraud losses.

I don’t mean to beat a dead horse, but I can’t stress enough how important it is to continue informing financial institutions about the risks they face using beatable authentication methods, particularly those that depend on personally identifiable information (PII).

At TRUSTID, we agree with all of Bach’s conclusions, including:

 

  • KBA is not predictive: With personal information available via social websites such as Facebook, the value of PII-based authentication methods is diminishing. As a result, KBA can no longer be the single solution for identifying customers over the phone.
  • Caller ID is broken: With the wide availability of spoofing tools, calling party number spoofing has become a low-cost and powerful penetration tool used to impersonate identity and actual location over the telephone channel.
  • Untrained call center agents are easily fooled: If bank representatives aren’t up to speed with the latest fraud techniques, they will continue to fall for Caller ID spoofing and social engineering scams.

As stewards of customer authentication for the banking industry, part of our job is to continue educating financial institutions about the many risks of fraud, and the real dangers of using outdated authentication tools. Each week, I have eye-opening conversations with fraud managers that still rely on old-school methods to identify customers. Over time, this essentially puts both their bank and customers at greater and greater risk.

The unfortunate part is many of these fraud risks are preventable. By implementing a multi-factor authentication strategy that doesn’t rely on PII to identify customers, banks can reduce their risk against many of today’s fraud techniques that result in millions of dollars in fraud losses each year.

Phone-based authentication should enhance the customer experience, not erode it

Posted on: March 27th, 2013 by art 67 Comments

Should banks add phone-based authentication? Any financial institution that provides services over the telephone channel needs to have some way to authenticate every call coming into their call center. While the answer to that question is pretty evident, the bigger question banks should be asking themselves is what type of solution best fits their business model.

With fraud protection the top priority for authenticating customers over the telephone, another criterion for phone-based authentication is that it shouldn’t interrupt the customer experience. According to the recent article, “Two Factor Or Not To Factor? An Online Security Conundrum,” the main argument against phone-based authentication is that it adds friction to the sign-in process. Does it? Well, it depends on the type of service being used.

Of course consumers want both a secure and seamless way to gain access to their banking accounts. After all, who wants to answer a bunch of challenge questions every time they go to access their account? While there are various authentication methods financial institutions can choose from, many can still delay the process by a few minutes. This lengthy phone interrogation can test the goodwill of customers, giving them the impression that their needs aren’t the top concerns of banks.

One of the main objectives of an effective telephone authentication solution should be to quickly and non-intrusively verify customers without them knowing it. We at TRUSTID believe customer authentication should not impede the user experience at all. In fact, we think it should enhance it.

By combining innovative technology with the keen understanding of what customers expect from remote banking services, the TRUSTID® Physical Caller Authentication tool uses real-time telephone network forensics to invisibly validate the Caller ID and ANI before the call is answered. Achieving customer verification without requiring customers to answer security questions allows call center agents to immediately begin addressing the customer’s needs the moment the phone is picked up.

Imagine the impact on your business operations and customer relationships if you could validate them before the call is answered. Not only would you maintain and strengthen the confidence and goodwill of your customers, you could also save operating expenses through lower average call handling (ACH) times that other knowledge-based authentication (KBA) methods simply can’t do.

In other words, when it comes to customer authentication, the value of putting your customers’ needs first and delivering safe, exceptional service that exceeds their expectations can create a more satisfied banking experience without eroding it with costly and cumbersome challenge questions.

Bringing the power of information back to banks

Posted on: July 17th, 2012 by art

When it comes to bank fraud, the old adage that information is power is true. This is certainly the case when it applies to criminals who steal private information to commit bank fraud. Once a criminal has access to somebody’s personal information, they can use it to socially engineer call center agents, open new accounts, unlock passwords and correctly answer bank security questions over the telephone.

In the article, “U.S. Credit reports and Knowledge Based Authentication Compromised,” Gartner’s security analyst Avivah Litan discussed the various ways criminals use consumer information to their advantage. Her conclusion? Banks that use knowledge-based authentication (KBA) solutions as the primary method to identify customers and protect their business environment should rethink their defense strategy.

Why? The answer to that is simple: crooks have the information to defeat most of today’s KBA and personally identifiable information (PII) defenses. To take it a step further, even data held by credit bureaus and public data aggregators to protect businesses isn’t immune to such attacks. As the MSNBC article, “Hackers turn credit report websites against consumers,” suggests, these databases should not be used as trusted sources for verifying customers because they, too, can be compromised.

With hackers now able to undermine consumer credit scores, obtain private passwords, answer out-of-wallet security questions, and use call-forwarding to reroute and intercept bank callbacks to customers, Litan said that KBA has lost its ability to adequately protect bank information and customer accounts.

Of course, at TRUSTID® we’ve known about the weaknesses in KBA and the risky handling of PII all along. That’s why we focus on identifying customers by the actual device which, in this case, is a landline or mobile phone they use to contact banks rather than the falsified information criminals can use to create the false trust needed to socially engineer banks over the telephone channel.

To hide their true identities, criminals spoof their Caller IDs to trick banks into thinking they are somebody else. The TRUSTID® Physical Caller Authentication tool doesn’t get fooled by manipulated CallerID and ANI, or any other social engineering scheme that originates from stolen information. How do we do it? We validate incoming calls before any of the trickery takes place — before the call is answered.

By proactively identifying the physical location of the landline or mobile phone the customer is calling from, banks use this data to determine in real-time whether an incoming call can be trusted or is high risk. In today’s age of information manipulation, that’s intelligence that can help transfer power from criminals back to banks.

How invisible customer authentication blindsides criminals attempting phone fraud

Posted on: July 11th, 2012 by art

Much like any new or popular remote device, criminals see the telephone as a potential vehicle for fraud. Although low-tech by today’s standards, crooks still see value in using the phone as a way to commit crimes against financial institutions.

If trends like Juniper Research’s prediction that mobile device usage will become a $630 billion industry by 2014 hold true, social engineering over the telephone will not be going away anytime soon. If anything, crimes originating from telephones — whether a landline or mobile phone — will likely escalate along with overall consumer usage.

Despite these increasing threats, this doesn’t mean banks should stop servicing customers over the telephone channel. Personally, I don’t believe this will ever happen. Here’s why. First, the telephone remains one of the financial industry’s most widely used means of communicating with and serving customers. Second, with mobile technology growing like never before, there are too many opportunities for banks to grow new business to ever shut the door on the phone channel.

That said, the answer isn’t to eliminate one of the banking industry’s most relied upon customer service and sales channels. With more advanced Caller ID spoofing technology available for criminals to exploit banks’ security gaps and weaknesses, financial institutions need to proactively identify criminals before thieves have the opportunity to socially engineer their call centers. What I mean by this is banks need to find a way to validate who’s on the other end of the telephone line before the call is answered.

While many banks still use personally identifiable information (PII) in the form of telephone security questions to authenticate customers, these knowledge-based authentication solutions are basically “after the fact” solutions that essentially allow criminals in the door. When crooks reach this point, they have a significant advantage over unsuspecting call center agents. By correctly answering a series of security questions, the criminal’s trap is set. Gaining a false sense of trust with call center agents puts crooks in the position to obtain the personal or account information they need to access another person’s bank account.

To keep call center representatives from falling into this trap, banks need to authenticate callers before the phone conversation begins. That way nothing’s left for interpretation, and agents don’t fall prey to stolen information. In other words, identifying risky calls before the call is picked up is essential for reducing bank telephone fraud.

The TrustID® Physical Caller Authentication tool does this by automatically validating the Caller ID and ANI before the phone is answered. While remaining invisible to criminals and non-intrusive to customers, TrustID identifies the physical location of the landline or mobile phone in real time so financial institutions can see when an incoming call is coming from a legitimate customer or from an entirely different location. This level of validation blindsides criminals before they can attempt to defraud bank call centers, giving banks an advantage over Caller ID spoofing and social engineering schemes conducted over the phone. Along with keeping fraudsters in check, TrustID’s non-intrusive, customer-friendly approach also allows banks to improve the overall customer experience.

Proactive Caller ID validation can help banks determine level of risk

Posted on: June 27th, 2012 by art

When someone applies for a bank card, whether it’s a credit, debit or ATM card, they receive the physical card in the mail. At that point, according to a 2009 Portland State University survey, more than 80% of people activate their cards by calling a toll-free (800) number.

With a large percentage of people still relying on the telephone to activate bank cards, it’s not surprising that criminals, too, would use the telephone to perpetrate any number of fraud attacks against banks.

Today, social engineering scams conducted over the telephone such as “vishing” (voice phishing), pretexting and fraudulent card activation pose serious threats to financial institutions and banking customers. These highly sophisticated, yet rather low-tech fraud techniques, are primarily aimed at obtaining private information to fraudulently gain access to legitimate bank accounts with the end goal of wiping them out without the bank knowing it.

Unless financial institutions can validate the Caller ID or ANI, telephone-based schemes that combine Caller ID spoofing with clever social engineering will continue to bypass anti-fraud tools like knowledge-based authentication (KBA) that depend on personally identifiable information (PII) to detect and stop bank fraud.

A security tool that is re-establishing the Caller ID and ANI as trusted sources for identifying fraud is the TrustID® network-based Physical Caller Authentication solution. Using TrustID’s API to transmit the Caller ID credentials before the call is answered, real-time forensics determines within seconds if the call can be trusted without relying on any type of PII or having to put customers through a cumbersome phone-based interrogation process.

By instantly identifying the physical location of the landline or mobile phone before the call is picked up, TrustID allows financial institutions to determine the level of risk of incoming bank calls to proactively stop everything from tricky social engineering scams to fraudulent bank card activation.

Is out-of-band verification counterproductive to your compliance and security efforts?

Posted on: June 27th, 2012 by art

As financial institutions scramble to implement authentication solutions to comply with the FFIEC’s Guidance, many banks and credit unions admit they are still confused about the type of tools that are needed to meet the new authentication regulations, as well as better protect their customers and private company information against the latest fraud techniques.

While banks are still figuring out what solutions to deploy to improve their ability to detect and stop fraud, BankInfoSecurity’s 2012 Faces of Fraud survey has revealed some of the top anti-fraud investments for banks and credit unions this year. They include:

 

  • Improved out-of-band verification
  • Enhanced controls over account activities
  • More internal and external audits
  • Improved vendor management practices
  • More anti-money-laundering tools
  • Enhanced dual authorization through different access devices
  • Improved tracking of high-risk customers and members

While challenge questions have long been used by financial institutions to authenticate customers over the telephone channel, in today’s fraud landscape knowledge-based authentication (KBA) may actually cause more harm than good. In particular, out-of-band verification (mentioned above) can be counterproductive in several ways, including:

 

  • Harmful to customer goodwill: Putting banking customers through cumbersome telephone interrogations is not only frustrating to customers, it creates an unpleasant experience that can cause harm to the customers’ trust and goodwill. A quick, non-intrusive tool that authenticates customers over the telephone channel can improve the overall customer experience and help mend the profitable bank-customer relationship.
  • Increase operating expenses: Labor/employee costs are one of the most expensive areas of any large operation. Yet, banks continue to invest in KBA authentication solutions that increase average call handle times. Instead of pouring more money into solutions that lengthen call times, financial institutions should deploy authentication tools that help drive down average call handle times to save operating costs.
  • Doesn’t stop criminals: Even the most advanced challenge questions can be no match for highly sophisticated social engineering schemes. Armed with stolen personal information, criminals can convince call center agents into divulging private account information. Authentication solutions that don’t rely solely on knowledge-based information to verify customers don’t operate under the false trust that can be orchestrated by clever crooks.

The last thing banks want to do is disrupt or hinder their efforts to comply with FFIEC guidelines and safeguard all of their customer channels. But that might be exactly what they’re doing when they rely solely on KBA solutions to identify customers over the phone.

When it comes to meeting the FFIEC authentication guidelines and proactively identifying customers over the telephone channel, the TrustID® network-based Physical Caller Authentication tool uses Caller ID and ANI as trusted sources to automatically verify customers before the call is answered. This eliminates annoying challenge questions that criminals prepare for to defeat KBA-only defenses, improves customer trust and the overall customer experience, and drives down average call handle times to avoid unnecessary operating costs that continue to chip away at financial institutions’ operating budgets.

Ignoring the telephone channel leaves bank reps susceptible to social engineering

Posted on: May 29th, 2012 by art

Ignoring emerging social engineering threats and hoping your bank is not targeted by criminals is an unrealistic and ineffective way to stop attacks in today’s threat landscape. That’s the consensus of Symantec’s new Internet Security Report.

In the BankInfoSecurity article, “Social Engineering: Mitigating Risks,” Liam O Murchu, the manager of operations at Symantec Security Response, said lax security procedures, failing to address known security gaps, and not keeping up with fraud trends can make organizations susceptible to the latest incarnation of attacks launched by today’s crafty social engineers.

O Murchu said in recent years it’s become more difficult for criminals to launch silent attacks that don’t tip off the infected user, so they’ve been changing their ways. Today, they are designing schemes to exploit the weaknesses of the user instead of the weakness of the system. Since there’s no product that controls human behavior, we’re starting to see more social engineering attacks that are effectively convincing users to fall into their trap.

“At the end of the day, the user is definitely a vulnerable point in the chain and we need to have the technology that can aid them in making better decisions and protect them.” 

O Murchu added that organizations that have lax security procedures in place or have either overlooked or ignored some aspect of security are the most likely to be hit by social engineering attacks.

One area that has been overlooked has been the telephone channel. Not for a lack of usage, but primarily because of the perceived notion that most of today’s criminals are focused on the Internet to carry out their dirty deeds. While more Internet savvy criminals, combined with the proliferation of easy-to-use malware toolkits, have put pressure on financial institutions’ IT security teams to deploy solutions to stop online attacks, ignoring the telephone channel can leave banks vulnerable to social engineering.

While education can certainly help bank call center agents become more aware of new and evolving criminal tactics, each time they pick up the phone they are still exposed to methods aimed at convincing them to divulge personal or account information.

The TrustID® network-based Physical Caller Authentication tool prevents bank representatives from finding themselves in this situation by automatically verifying the physical location of the telephone before it is answered. Using Caller ID and ANI as validated sources to instantly authenticate legitimate customers and identify fraudulent ones before criminals can talk with bank representatives, TrustID adds a critical layer of defense against Caller ID spoofing and social engineering schemes aimed at defrauding today’s banking institutions.


    Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TrustID will greatly assist with not only customer service, but also with board level compliance issues.

    – CISO, top 10 global bank

    As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.

    – CSO, global financial company

    Offshore agents are highly vulnerable to fraud schemes and social engineering. TrustID’s solution enables informed routing decisions, optimizing agent cost reduction programs.

    – CISO, top 10 global bank

    Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.

    – VP of Card Fraud, large international bank