From a fraud standpoint, 2014 has certainly started with a bang. After last year’s high-profile Target data breach, criminals wasted no time ringing in the new year hacking the systems of photo messaging giant, Snapchat, and upscale retailer, Neiman Marcus. Both breaches were revealed earlier this month.
While these data breaches exposed private customer information such as names, addresses, credit card numbers, PINs and phone numbers, what criminals likely didn’t get their hands on in these attacks were card limits and existing balances. In my experience, thieves are typically reluctant to sell a card in the underground economy if it doesn’t have “open to buy” availability on it. In other words, without knowing how much credit is left on the card sellers really don’t know what they’re selling and buyers don’t know what they are getting.
The problem is crooks can get this information from a bank’s IVR system by way of a person’s zip code, date of birth, or the last four digits of their Social Security number. That’s right. By providing as little as the last four digits of the card, criminals can access the card’s limit and balance without having to talk to a call center representative. That said, leveraging an IVR for card data on known compromised accounts is a high risk indicator for future fraud, particularly if the incoming phone number is spoofed or a non-recognized number.
So, how can financial institutions and other businesses stop criminals from accessing a contact center’s IVR system? Traditional knowledge-based authentication (KBA) solutions can’t because they don’t begin to identify the risk of the call until after they’ve answered the phone and ask several security questions. Whenever possible, you can bet crooks will avoid talking to a phone agent altogether.
The truth is there’s no manual KBA process that can stop crooks because there is no way to identify callers without first talking to them. The only authentication method today that proactively verifies each call pre-answer is the TRUSTID® Physical Caller Authentication. Using real-time telephone forensics, TRUSTID automatically validates the physical location of the telephone device to instantly determine when calls are spoofed, and verifies those that are authentic. And we provide this identity credential without the caller’s knowledge, and without relying on non-predictive personally identifiable information (PII).
When it comes to identifying customers over the telephone channel, the benefits of stopping fraud are abundantly clear. But this is only half of it. Most companies know that authentication provides many more benefits than simply fighting off crooks. The ability to quickly identify customers and accurately determine the risk of the call before it’s picked up can improve overall call center efficiency, saving businesses precious time and resources while building goodwill with their existing banking customers.