Protect your automated phone system from spoofed calls

Posted on: September 25th, 2014 by Art Barger

Following up on last week’s post about how data breaches can lead to call center fraud, I’d like to shift gears a bit from the actual crime to how financial enterprises can curb this growing problem.

Banks and businesses set up automated in-call telephone systems to create a faster, more convenient customer experience. The interactive voice response (IVR) system, also called a voice response unit (VRU), immediately routes callers to their chosen destinations. This allows customers to perform any number of functions on their own, including changing their PIN and transferring funds, without having to speak to a live operator. It’s much like the self-checkout at your local grocer.

While this is convenient for customers, it can also open the door for criminals to exploit weaknesses within the system. With the recently disclosed Home Depot credit and debit card breach, crooks with the right credentials slipped past weak authentication processes to change customer PINs.

Automated in-call telephone systems are designed to serve large customer call volumes. The process of verifying callers is largely driven by knowledge-based authentication (KBA) methods that require callers to correctly answer questions about their sensitive customer data. In today’s Internet environment, personal information is shared, sold and purchased like any commodity. When banks and businesses rely on highly accessible data to authenticate callers, they open themselves and their good customers up to potential fraud and risky activity.

This is why securing the automated telephone system without relying solely on non-predictive KBA is so important. With the real-time TRUSTID® Physical Caller Authentication solution, financial institutions are no longer susceptible to spoofed calls and social engineering tactics that lead to call center fraud. That’s because all inbound calls are proactively validated before the call is picked up by the automated call-in system or a call center agent.

Through this automated authentication process, if the call is determined to be high-risk, enterprises can choose where the call gets routed, or simply block it from entering the phone system altogether. If the call is verified as authentic, the IVR system may still require the customer to provide sensitive data before being allowed to perform certain functions, but KBA is not the only factor for authenticating the call. It’s now supported by two-factor authentication.

By automating the telephone authentication process, banks stay one step ahead of criminals. By the time a call is routed to the IVR system or telephone representative, TRUSTID has already provided an identity credential that tells businesses if the call is trustworthy or high-risk. This information allows banks to reduce fraudulent activity and accept more good calls faster, and with greater confidence.