One Step Ahead It is not unusual for fraudsters to mix and match techniques
BCy Dr. Kornel Laskowski
ontact center fraud is increas- ing at an alarming rate, and with no end in sight. Accord- ing to Aite Group, a research and advisory firm, losses
incurred by account takeovers at contact centers are expected to reach $775 million in 2020, nearly double the amount from just five years ago. And, while organizations that do not have a contact center are also suscep- tible to data breaches, contact centers are unique because they potentially expose their customer data through an additional chan- nel, the telephone.
This data can be accessed in several dif- ferent ways, including voice interaction with an agent, voice interaction with an Inter- active Voice Response (IVR) system, and DTMF interaction with an IVR system. Traditional fraud prevention methods that contact centers use to safeguard customer data—such as the validation of passwords, personal information, and originating phone numbers—are proving to be not as effective today as once hoped.
It is not unusual for fraudsters to mix and match their techniques. They may attempt to digitally breach a database server, try to guess account passwords, or access a secure network. But if the targeted organization has a contact center, as many institutions in healthcare and finance do, the savvy fraud- ster is likely to make use of it. By exploit- ing a contact center agent’s desire to provide good customer service, a scammer may ob- tain partial access to an account of interest. Through each subsequent phone interaction, he or she may be able to collect yet another piece of Personally Identifiable Information (PII)—such as a birth date or a social secu- rity number. If a fraudster cannot obtain enough PII data to breach an organization’s security measures, he or she can supplement it with data stolen in past data breaches.
Not only do they have multiple channels at their disposal, but potential fraudsters also benefit from the very nature of contact centers. The larger the targeted organization, the more agents are likely to be needed to staff its con- tact center. This virtually ensures that a fraud- ster’s every phone call is handled by a differ- ent person, leaving the full scope of an attack unknown. Furthermore, Caller ID spoofing technology, which hides the true originating location of a phone call, makes it possible to thwart attempts to consolidate calls originat-
ing from the same phone number.
Just as criminals are using more advanced
techniques, contact centers too must up their game and employ new approaches to secu- rity. One that is particularly gaining momen- tum is biometrics—verifying someone based on his/her unique observable traits rather than knowledge of personal information. Juniper Research predicts that the number of mobile users authenticated via biometrics, such as face or voice recognition, will jump from about 429 million this year to more than 1.5 billion in 2023.
Using Biometrics to Prevent Fraud
Voice biometrics can address current contact center security challenges in two main ways, depending on whether the caller is a first-time offender or a known perpetrator. A first-time offense is more likely to be flagged if the ac- tive authentication phase of a contact center call analyzes not just the caller’s knowledge of
a password or a PII element for an account, but also the caller’s voice. A caller whose voice does not match that on file can be stopped be- fore the authentication phase is over, and not be allowed to access the account.
Voice biometrics can also analyze a call beyond its authentication phase, with passive (as opposed to active) verification. Passive verification doesn’t require the caller to do or say anything in particular since voice analysis occurs in the background during the caller’s natural conversation. It leads to the accumu- lation of a “voiceprint”—a set of uniquely identifying characteristics of the human voice—which can be compared at any time to the account’s voiceprint on file. This enables potential first-time fraudsters to be identified regardless of what they are saying, leading to real-time denial of account access.
In these ways, voice biometrics in both active and passive modes can help to flag potential first-time fraudsters. Of course, not every voiceprint mismatch is a harbinger of
WWW.SECURITYTODAY.COM 27
VOICE BIOMETRICS
vectorpouch/Shutterstock.com