ANI and Caller ID: A Trojan Horse for our Time
Blame phone spoofing. The telephone equivalent of a fake drivers license, spoofing allows criminals to falsify the calling party Automatic Number Identification (ANI), a key factor of authentication.
Conventional Defenses No Longer Work
In response to spoofing, call centers have come to rely heavily on knowledge-based authentication (KBA), or identity-interrogation, to verify customers’ identities: birth date, last four digits of social security number, mother’s maiden name, etc.
Unfortunately, this information isn’t really private any more. It’s available online for illegal purchase or through the tactics detailed below. Armed with this personal information and disguised with a spoofed ANI, criminals easily impersonate customers and commit fraud at major enterprises.
Today, large call centers waste millions of seconds –and dollars- on identity-interrogation that unnecessarily prolongs each call, frustrating customers, and empowering criminals.
Business Impacts of Dependence on Knowledge-Based Authentication
- Operational efficiency suffers because of poor IVR containment, increased agent handle time and turnover.
- Customer satisfaction declines when customers must undergo lengthy and insecure customer identity-interrogation and use agents for interactions that should be available in IVR.
- Fraud costs increase as organizations invest technology and staff to combat rising rates of account takeovers enabled by weak authentication.
Four Ways Criminals Overcome Identity-Interrogation
- Voice Phishing
Criminals call your customers while impersonating your enterprise – even your phone number. Claiming to verify some seemingly innocent information, these criminals often successfully extract personal information such as date of birth, last four digits of social security number, billing zip code, and account number. They get precisely what they need to circumvent your enterprise’s identity-interrogation protocols.
- Social Engineering Attacks
Armed with a spoofed ANI phone number, an earnest voice, and quick wit, criminals will call into your enterprise posing as a business partner or authority. Because they appear to be calling from a trusted source, and play the part well, they regularly trick trained employees. Whether they make account changes or acquire balance information, their success brings them another step closer to penetrating your defenses.
- Line Takeover
Knowing that banks use outbound return calling to authenticate large financial transactions, criminals will trick phone companies into temporarily diverting a victim’s phone number. Aided by this compliance and armed with the victim’s personal information, criminals can then persuade call center agents to conduct large transfers.
- Fraudulent Card Activation
Your bank sends a new debit card to one of your customers. But criminals get to the mailbox first. Armed with personal information –bought online or acquired through the above tactics- the criminal calls with a spoofed caller ID to activate the card. Their next stop, a spending spree on your customer’s account.
It’s Time to Rethink Caller Authentication
Large-scale call centers have two persistent problems. First, over reliance on knowledge-based authentication subjects customers to lengthy and frustrating identity-interrogation before problem resolution starts and second, bad guys still walk through the front door. Learn more about the pitfalls of KBA by reading our white paper.
Download Our KBA White Paper To Learn More