Posts Tagged ‘telephone channel’

Do your customer calls all look the same? They shouldn’t.

Posted on: January 30th, 2013 by art

Without the ability to verify the Caller ID or ANI, all customer calls can look the same to call center agents. This is a risky proposition for any financial institution that handles thousands of customer calls each day. In other words, if all calls appear the same, there’s no way to answer some of the key questions every bank should be able to answer about its customer calls, such as:

  • Which calls are trustworthy?
  • Which calls require further review?
  • Which calls require a contact center agent?
  • How can I better serve my customers?
  • How can I lower my authentication costs?

To improve the overall security and efficiency of the telephone channel, banking institutions need to be able to confidently identify which customer calls are trustworthy and which ones pose a risk. To be frank, any bank operating without a two-factor authentication strategy to verify callers is putting its entire enterprise, private business information and customers at risk.

With criminals potentially at every customer touch, combining multiple authentication methods is not only a federal requirement for fighting fraud, it’s a must in today’s banking environment.

Over the past few years, financial institutions have put a lot of resources into securing the online channel. According to some studies, these efforts have worked, as the number of successful fraud attempts against banks has dropped. But this hasn’t stopped criminals from migrating to other, less protected banking channels like the telephone. This is where TRUSTID can help.

Our TRUSTID® Physical Caller Authentication tool is a proven network-based authentication solution that helps financial institutions proactively validate the Caller ID and ANI to secure the telephone channel, as well as reduce costs by spending less time interrogating customers and more time providing quality service over the phone. By adding a complementary, real-time authentication tool like TRUSTID to a bank’s anti-fraud arsenal, we help improve the overall customer experience and achieve true multi-factor authentication to protect one of the most highly used and targeted customer channels in the banking industry.

Stronger customer authentication only way to mitigate risk of bank fraud

Posted on: December 19th, 2012 by art

Sitting at the core of every financial transaction is trust. Operating without it, or worse, relying on unvalidated resources like personally identifiable information (PII) to identify customers, puts every banking transaction at risk.

The recent article, “$850 Million Scheme Exploited Facebook: Authentication, Secure Browsing Would Have Reduced Losses,” illustrates just how important customer authentication is. Even after the FBI arrested 10 individuals residing around the world in connection with a banking Trojan that stole credit card and bank account details from Facebook users who were duped into opening phishing emails they thought were from their trusted online friends, security experts don’t believe it will stop attacks on the popular social networking website.

Much like any other banking channel, financial institutions need to strengthen their customer authentication if they expect to stop fraud in the financial services industry, said Neil Schwartzman of secure messaging infrastructure provider, Message Bus.

“Real two-factor authentication would have made a difference here, on the bank side and prevented some of the financial losses that resulted after PCs were infected. Within the next two to five years, we will see stronger authentication everywhere, because the banks are going to get sick of the losses.”

Many banking institutions today still take phone calls without adequately validating the incoming call. As a result, they are putting themselves, their customers and accounts at risk of fraud. In short, operating without at least two factors of authentication is a losing proposition in today’s volatile remote banking environment.

Whether a bank is communicating with customers in person, online or over the telephone, two-factor authentication is absolutely paramount for preventing fraudulent transactions and the monetary losses relating to illegal bank transfers, identity theft and credit card fraud.

To mitigate fraud over the telephone channel, the TrustID® network-based Physical Caller Authentication uniquely validates inbound contact center calls before they are answered. By validating the actual location of the telephone, financial institutions that were once susceptible to Caller ID spoofing and social engineering schemes can once again use the Caller ID and ANI as trusted sources for authenticating customers over the phone. This allows banks to proactively identify which calls can be trusted and which calls are high-risk, while adding an extra layer of authentication to better protect their customers’ bank accounts and confidential business information from telephone fraud, no matter if the criminal is attempting to commit fraud domestically or internationally.

Real-time telephone authentication needed to identify risky in-bound calls

Posted on: December 12th, 2012 by art

Card-not-present (CNP) fraud and account takeover typically refer to online crimes, but an increasing number of criminals are targeting call centers to perpetrate crimes that are normally associated with the Internet.

With financial institutions pouring so much effort and investment in online security strategies, banks really need to consider the same when protecting their call centers. Without effective authentication tools that can verify telephone locations, bank contact centers remain vulnerable to various types of fraud over the phone channel.

The way criminals scam bank phone representatives typically comes in the form of social engineering. For example, after placing a call to a bank’s contact center, the criminal impersonates a real customer in the attempt to trick a bank agent into revealing various pieces of financial information. Once they’ve acquired the person’s financial details, they call right back and talk to another representative to change the username and password on the account. When the information has been changed, they’ve hijacked the account. At this point, the legitimate account holder is unable to access their own account.

When this happens, quite often the victim does not have the immediate knowledge that their account has been taken over. As a result, the criminal has enough time to conduct a myriad of crimes including fraudulent purchases and transfers that can clean out an entire account before any wrongdoing is discovered.

In an age of highly sophisticated criminal tactics, sometimes it can be the simplest methods that catch banks off guard. This is why it is so important for financial institutions to make sure all customer channels have effective authentication solutions in place to mitigate their risk of fraudulent transactions.

Today’s banks need to arm their call centers with authentication solutions that provide true multi-factor protection against risky inbound calls. While many banking institutions still depend on knowledge-based authentication (KBA) security questions to identify customers over the telephone, these methods can be defeated by sophisticated criminal tactics.

A complementary fraud prevention tool like the TrustID® network-based Physical Caller Authentication can provide an extra layer of protection to proactively identify risky calls before they are answered. By automatically validating the actual physical location of the landline or mobile phone calling into a contact center, financial institutions can automatically identify in real time when a Caller ID or ANI has been spoofed to better protect their phone channel and make sure their customer information and confidential data do not get into the wrong hands.

Protecting your customer data over the holiday season

Posted on: November 28th, 2012 by art

Protecting the integrity and confidentiality of your customer data is one of the most important services any bank can provide, no matter what time of year. This can ring especially true during the busy holiday shopping season. With bank call center agents likely fielding more risky telephone calls over the holidays, it is more important than ever for financial institutions to have a robust authentication process in place to validate incoming calls without impacting the overall customer experience.

The recent article, “8 Ways to Safeguard Customer Data,” provides several steps for helping businesses protect their private information, including familiarizing employees with their data policy and educating customers about their security efforts. But when it comes to protecting the telephone channel this time of year, banking institutions need real-time authentication tools that allow them to proactively and non-intrusively identify good callers from risky ones.

For combating bank phone fraud, the article also highlights the importance of establishing robust authentication processes to help prevent contact center agents from unknowingly divulging financial details to criminals hiding behind spoofed Caller IDs and social engineering schemes. Armed with a couple of key credentials, it isn’t difficult for crooks to trick bank representatives into thinking they are legitimate customers, says Kim Martin of IVR platforms developer, Voxeo.

“If you have two pieces of information about a person, it’s easy to fool someone into believing you’re that person.”

The fact is it only takes a few pieces of personally identifiable information (PII) to defeat more traditional methods for customer identification such as knowledge-based authentication (KBA). This means that financial institutions cannot rely on single factors of authentication to identify banking customers, whether online or over the telephone. Once a criminal possesses the correct PII to answer security questions, a second layer of authentication is required to confirm whether the caller is authentic or not.

A complementary security solution that does this, and also meets one of the FFIEC’s components for “multi-factor” authentication, is the TrustID® network-based Physical Caller Authentication tool. Using real-time telephone network forensics, TRUSTID determines the authenticity of the incoming telephone call to validate whether it’s a legitimate call or identify it as a spoofed call. This is automatically done in seconds before the call is picked up. So, the customer experience is not interrupted, and criminals are pushed out before they can get in. Once the bank determines the risk of the call, it can then route it to the appropriate pool or IVR option for processing.

By non-intrusively validating good customers and invisibly identifying bad ones, banks can service good customers faster and stop criminals dead in their tracks. This not only helps them better protect customer data but makes the telephone channel a highly efficient and safe way to bank over the holidays, and year round.

Growth of mobile banking reinforces need for multi-factor authentication across all customer channels

Posted on: November 21st, 2012 by art

When it comes to banking, we know customers are looking for ease and convenience. To satisfy those demands, financial institutions are doing whatever they can to provide highly efficient and secure banking environments that allow customers to bank over a number of channels. At this point, it’s safe to say the banks that don’t already offer banking services across multiple channels have missed the boat, and will probably be playing catch up for some time.

According to the report, “The Dangers of Mobile Banking,” convenience appears to be the driving factor behind the rapid growth of mobile banking. The 2011 Customer Trends Survey released some interesting findings, including that 70% of customers use their mobile devices for 24×7 banking access while 65% said it saves them time. In other words, customers want to make payments fast and on their terms, whenever they want.

While speed and convenience top the priority list for many customers, this has created another significant challenge for banks offering new channels — security. With research firm Frost & Sullivan expecting the number of people using mobile banking services to increase from 12 million in 2009 to 45 million by 2014, it really doesn’t matter how many channels banks offer; the simple fact is financial institutions operating without a secured environment won’t be able to retain current customers or win over new ones, no matter how fast and convenient the service is.

Last year’s FFIEC supplemental guidance outlined the blueprint for the level of security that financial institutions need to combat fraud and succeed in today’s competitive banking environment. At the heart of those requirements is customer authentication. This doesn’t mean a single type of authentication solution across all channels, but multiple security tools that give all channels true multi-layered authentication, whether the customer is paying online or requesting a bank transfer over the telephone.

The TrustID® network-based Physical Caller Authentication validates the actual physical location of the landline or mobile phone calling into a bank’s call center to identify the “something you have” device, an essential component of the FFIEC’s multi-factor authentication paradigm. By invisibly validating the Caller ID and ANI before the telephone is picked up, banks can accept business from good customers faster, saving them valuable time on their banking activity. At the same time, financial institutions can secure their telephone channel by spotting spoofed calls in real time to proactively stop criminals from getting through to socially engineer contact center agents.

Courts ruling against banks not compliant with FFIEC regulations

Posted on: November 14th, 2012 by art

A number of recent court cases have ruled against banks for failing to prevent fraudulent bank transfers. While you would think this type of liability would help motivate financial institutions to implement a multi-layered security system that meets the Federal Financial Institutions Examination Council’s (FFIEC) regulations, banks still operate without complying with the new multi-factor authentication recommendations.

In the article, “Coping with the Threat of Fraudulent Funds Transfers,” three banks that have fallen victim to fraud may have to pay upwards of $460,000 in damages. That’s a steep price for not implementing adequate security measures to stop the vast scope of criminal schemes like stolen credentials, account takeovers and social engineering that target the financial services industry.

If today’s dangerous cyber attacks or costly court rulings aren’t enough to get banking institutions to comply with the FFIEC guidelines, I don’t know what will.

From an authentication perspective, any financial institution operating today should be in the process of either implementing or evaluating its current security strategy, because that’s what it takes to protect its multiple banking channels against the growing list of fraud attacks. Making sure your bank has the strongest fraud detection solutions in place is essential to building the multi-layered defense that’s needed in today’s quickly changing banking environment.

This means employing at least two of the three types of authentication procedures recommended by the FFIEC for identifying banking customers across multiple banking channels, including online banking and the telephone channel. The three factors include: 1) something the user knows [e.g., password, PIN], 2) something the user has [e.g., ATM card, telephone], and 3) something the user is [e.g., biometric, fingerprint].

For financial institutions that perform high-risk transactions, this is a must. According to a legal memorandum recently published on the NC Bankers Association website, customer authentication that employs a single-factor authentication such as the widely used challenge questions (otherwise known as the knowledge-based authentication (KBA) method), or even two factors of authentication that fall under the same category as defined by the FFIEC, can be defeated by today’s advanced fraud tactics, leaving customer accounts and confidential banking information susceptible to fraud.

Challenge questions are not always effective. When frequently repeated, they are more likely to be exposed to fraudsters. FFIEC guidance notes that a search engine is all it takes to discover the answer to many challenge questions, such as mother’s maiden name or year of graduation. Due to the amount of information available on the Internet, the FFIEC no longer views these basic challenge questions to be an effective risk mitigation technique. 

The ability to prevent various types of fraud attacks across all banking channels requires financial institutions to deploy multiple fraud-fighting solutions that help achieve the FFIEC’s three critical authentication factors. The TRUSTID® Physical Caller Authentication tool is a complementary customer authentication solution that fulfills the important “something the user has” category. Using undetectable network-based caller authentication to validate the Caller ID and ANI, TRUSTID helps financial institutions secure the telephone channel from fraudulent bank transfers.

TRUSTID: A one-way mirror to identifying bank phone fraud

Posted on: November 7th, 2012 by art

Phony bank callbacks. Fake robocalls. Customer impersonators socially engineering call center agents. How does anyone really know who they are talking to over the telephone these days?

Trust over the telephone channel has clearly gotten out of control; so much so that financial institutions today cannot afford to operate without effective authentication tools that allow them to identify whether they are talking to a legitimate customer or an actor hiding behind a spoofed Caller ID or ANI. If not, banking institutions and their customers will continue to fall victim to criminals who successfully socially engineer bank representatives over the phone to obtain personal information and access legitimate bank accounts.

What if you could validate the legitimacy of every call coming into your contact center before your agents even picked up the phone? How valuable would that be to your security strategy, business operations, and your overall ability to provide a better customer experience, all at the same time?

For years, banks have relied on knowledge-based authentication (KBA) tools to identify customers over the telephone. As bank fraud has evolved, particularly over the telephone channel, criminals have found ways around traditional defenses that depend on personally identifiable information (PII) to trick unsuspecting bank reps into divulging private information or allow access to customer accounts.

Various spoofing technologies and the Internet have played roles in the evolution of bank phone fraud, but if we aren’t careful our own defenses can also be counterproductive in our efforts to protect our customers and proprietary company information. Relying solely on KBA to identify banking customers over the telephone today is essentially operating under a false sense of security. And if we think we are authenticating customers when in reality we are simply unknowingly letting more through, we will only add to the problem and overall fraud loss.

Stopping bank fraud over the telephone channel requires the ability to instantly authenticate inbound phone calls before they are answered. It’s that simple. This doesn’t give criminals the chance to leverage their weapon of choice — the telephone — to perpetrate fraud. And unlike KBA solutions, it doesn’t test the goodwill of our customers through identity-interrogating, which is non-predictive in analyzing risk, anyway.

A security solution like the TRUSTID® Physical Caller Authentication tool works like a one-way mirror to telephone fraud. Using real-time telephone network forensics to invisibly determine the authenticity of the caller’s phone number before the call is answered, TRUSTID instantly validates the physical location of the landline or mobile phone making the call. Financial institutions can use this undetectable caller authentication to stop criminals in their tracks with zero impact to the call center agent’s work time or additional telecom costs.

On the flip side, this non-intrusive method allows banks to route good customer calls to the appropriate operator pool, where bank representatives can immediately start serving their needs for a better overall customer experience.

Are recent DDoS attacks really a decoy for bank call center fraud?

Posted on: October 31st, 2012 by art

Last month, cyber attacks launched against several U.S. banks showed us how customer traffic is redirected to other banking channels, increasing volume and creating security vulnerabilities in other channels including the call center. More recently, distributed denial of service attacks (DDoS) were launched against more U.S. banking institutions, once again illustrating how cyber fraud in one customer channel can directly impact another.

In the BankInfoSecurity article, “DDoS Attacks: First Signs of Fraud?” Akamai’s Mike Smith points out the often overlooked association between cyber attacks like DDoS and call centers. While this link is absolutely true, there doesn’t seem to be enough attention on this important connection.

More often than not, when financial institutions are implementing authentication strategies the online channel and the telephone channel are seen as separate components, requiring completely different authentication tools and solutions to secure these respective channels. While identification processes may be different, considering one without the other can create security gaps that can leave customer accounts vulnerable to social engineering attacks.

Smith also reminds us how DDoS campaigns have been used for fraud in the past to distract banks while criminals conducted fraudulent transactions in the background. Much like a decoy that has security teams all running to put out one fire, criminals have launched cyber attacks with the intention to perpetrate fraud or take over accounts through another channel that is less protected or less likely to detect or prevent fraud, such as the telephone channel.

While DDoS attacks can be used as a distraction for fraud, Smith believes these attacks are used as more of a delay tactic where they occupy the resources so they don’t have time to deal with the real threat. When these attacks cause a bank’s website to go down, a bank’s got an instant customer satisfaction issue. As a result, backup banking channels like call centers experience a higher volume of traffic, which can leave them unprepared and vulnerable to fraud.

When financial institutions rely on knowledge-based authentication (KBA) methods to identify customers over the telephone, lengthy security questions can impact both customer satisfaction and the bank’s ability to detect fraud and other social engineering schemes.

Without relying on personally identifiable information (PII) or telephone interrogations to identify customers, the TRUSTID® Physical Caller Authentication tool makes sure banks are prepared to authenticate a higher volume of calls by automatically validating the physical location of the Caller ID and ANI before the phone is picked up. By instantly authenticating good and bad customers over the phone, TRUSTID ensures financial institutions are always prepared to identify legitimate customers in real-time, as well as detect and stop criminals who conducted the original DDoS attacks only to perpetrate account takeovers over the telephone channel.

Exceptional customer service no longer an option, it’s a banking necessity

Posted on: October 24th, 2012 by art

In today’s age where customer retention and loyalty are as good as your last phone call, providing a fast and satisfying banking experience is more important than ever. With new regulations like the FFIEC Guidelines holding financial institutions more accountable than ever before, fulfilling federal requirements without sacrificing customer care is one of the top challenges many banks face today.

The recent American Banker article, “The Golden Rules of Retail Banking Customer Service,” highlights the important role that quality service has on customer satisfaction and retention. As ever-shifting banking trends such as the growing mix of sales channels and banking fees confuse and frustrate customers, banks have to work smarter and be more diligent to maintain customer trust and provide top-flight customer care. If they don’t, customers will certainly find someone who will.

With customer loyalty being tested at every touchpoint — whether you’re servicing a customer over the counter, online or over the telephone — providing efficient, highly personalized customer service across all customer channels is no longer an option in today’s banking industry, it’s a necessity. Not including customer service initiatives in your overall business strategy or investing in the operational and security tools and technologies to get you there will eventually impact your customer satisfaction rating.

The article points out a number of things banking institutions can do to improve customer satisfaction across all channels. But achieving this is not easy. It’s a process that requires continuous measuring, analyzing and improving your overall business approach and strategy; then, once you’ve achieved that, repeating the process all over again.

When it comes to the telephone channel, addressing and satisfying your customers’ needs is about being proactive and resolving issues before they impact your ability to deliver exceptional customer service. One of the ways is to deploy security tools that allow you to work more efficiently within a more secure environment.

The TRUSTID® Physical Caller Authentication tool helps banks do both by taking a proactive, non-intrusive approach to authenticating customers over the telephone. By validating the Caller ID and ANI before the call is answered, TRUSTID allows financial institutions to take action against high-risk calls in real time. This process invisibly shuts the door on spoofed calls, essentially stopping fraud before a criminal has the opportunity to socially engineer a call center representative.

It also allows banks to quickly accept good customers with confidence without having to interrogate them with a bunch of non-predictive knowledge-based authentication (KBA) questions. This way, banks don’t waste valuable time or money on bad calls and can address good customers’ needs at the onset of each call, all of which provides for a better overall customer experience.

Access to mobile phone numbers could lead to social engineering

Posted on: October 17th, 2012 by art

Let’s face it, our mobile phones have become an extension of ourselves, with their whereabouts always within arm’s reach. The personal information that our smartphones contain goes beyond our own memory, which is exactly why criminals are so keen on targeting our phones, the data they contain and what they can unlock.

Knowing this, it continues to blow my mind when I come across articles like last week’s “Facebook lists user phone numbers for all to see.” According to the article, the world’s leading social network still makes users’ mobile phone numbers available for anyone to access. With a little bit of ingenuity, security researcher Suriya Prakash said, anyone can gain access to the one device that connects our personal and online information.

“I would consider my most ‘personal’ data saved on Facebook to be my mobile number as it is somewhat of a bridge interlinking both my personal and online life. I would not like people I don’t want getting a hold of it.”

With one billion Facebook users out there, this is a treasure trove of personal information for crooks. By collecting something as simple as a mobile phone number, a motivated criminal can begin creating a profile for the purpose of social engineering an individual, as well as committing bank fraud if they can match that individual to a bank.

Yet, this is only the tip of the iceberg when it comes to gathering personal information from social websites.

Less easily understood are the apps that ask you questions like, “How well do you know John Doe?” or run you through a series of personal questions such as, “What is your favorite color?” “Where was John Doe born?” or “What was John’s first car?” whose answers are the same ones many knowledge-based authentication (KBA) solutions rely on.

With a website like Facebook sharing personally identifiable information (PII) with the rest of the world, financial institutions need to have a customer authentication strategy in place that identifies customers over multiple channels, including the telephone channel. Using powerful, real-time telephone network forensics, the TRUSTID® Physical Caller Authentication solution validates the Caller ID and ANI before the telephone is answered. Within seconds, banking institutions can determine if the call is authentic or identify that it is a spoofed call. At that point, the bank can route the call based on risk to the appropriate contact center agent or IVR for processing.

Either way, leveraging TRUSTID’s effective telephone authentication tool can play an important role in preventing social engineering attempts against today’s banking institutions and achieving optimal efficiency.

    Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TrustID will greatly assist with not only customer service, but also with board level compliance issues.

    – CISO, top 10 global bank

    As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.

    – CSO, global financial company

    Offshore agents are highly vulnerable to fraud schemes and social engineering. TrustID’s solution enables informed routing decisions, optimizing agent cost reduction programs.

    – CISO, top 10 global bank

    Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.

    – VP of Card Fraud, large international bank