Follow the FFIEC’s New Guidance on Call Center Authentication with Caution
For the first time in 10 years, the Federal Financial Institutions Examination Council (FFIEC) has issued new guidance for financial institutions offering digital products and services: Authentication and Access to Financial Institution Services and Systems. The guidance expands beyond the domain of cybersecurity to account for customer call centers:
“Threat actors frequently have used social engineering and other techniques to deceive customer call center and IT help desk representatives into resetting passwords and other credentials, thereby granting threat actors access to information systems, user and customer accounts, or confidential information.”
The inclusion of customer call centers in the FFIEC’s guidance follows broad acknowledgement of the channel’s vulnerability. Contact center defenses are often less secure or efficient than those put in place to protect digital interactions and transactions. Nearly two-thirds of contact center leaders in financial services organizations feel somewhat or very concerned over fraud originating in the contact center.
The FFIEC’s guidance describes several possible approaches to preventing phone channel fraud, ranging from one-time passcodes to call-backs to additional agent training. Unfortunately, some of the approaches described either increase the risk of fraud or are infeasible because they degrade customer experience or operational efficiency. Financial institutions that follow the FFIEC’s guidance without adequate consideration may therefore increase their risk.
FFIEC’s recommendations for call centers vary in security and feasibility
Customer experience and operational efficiency demand consideration when evaluating the options listed in the FFIEC’s guidance. Call center leaders in financial institutions seek to balance the benefits of fraud prevention approaches against the imperative to improve customer experience and operational efficiency. Subjecting callers to overly strict authentication protocols can delay service, erroneously route legitimate customers to the fraud department (i.e., false positives), and increase average handle time. Degrading customer experience jeopardizes customer loyalty and lifetime value.
The FFIEC's guidance lists the following approaches for improving authentication and access management in customer call centers:
- Enhanced Authentication for Credential Reset. Enhanced authentication controls are applied to customer and user credential resets, such as sending an OTP to a pre-established communication device; using an authenticator application to provide an OTP; biometric voice recognition; enabling secure video chat features to confirm identity; and call-backs to a pre-established phone number.
- Identify Unauthorized Access Attempts. Controls identify deviations from a customer’s or user’s usual geographic location or method of communication for the account, such as an Internet-based communication application or an unidentifiable phone number.
- Lost, Stolen, or Changed Information and Devices. Controls establish processes for handling lost, stolen, or changed information and devices, including changes to established phone numbers or carriers.
- Training on Password Reset Process. Call center personnel are trained on verification and authentication processes for password resets.
These approaches vary in potential to improve security, customer experience, and operational efficiency. Below, I rank the FFIEC’s recommendations according to security and feasibility, beginning with the least effective choice.
Approaches that fail to fully address security, customer experience, and operational efficiency
Addressing lost, stolen, or changed information and devices provides criminals with ample opportunity
Compromises or changes to information, phone numbers, or carriers can indicate risk. However, addressing these issues affords criminals plenty of time—from the moment that the consumer discovers the compromise or change, through his or her reporting process to the pertinent financial institution, to the time when the potential vulnerability is closed. This delay could last for minutes, hours, or longer. Criminals need only minutes to take over and exploit a targeted account. This approach fails to meet the immediacy needed in call center security.
Using an authenticator application to provide a one-time passcode (OTP) adds too much friction for most consumers
Authenticator apps offer more security but require greater tech-savviness from consumers, and the increased requirements often repel users. Just 0.7 percent of Twitter users report using an authenticator app. Only one in four U.S. adults can identify an example of two-factor authentication, a proxy prerequisite for adopting an authenticator app. The amount of friction authenticator apps impose on users diminishes the apps’ feasibility and eclipses their potential security gains.
Confirming identity via secure video chat may repel some consumers
A video call might be accessible to more consumers, given that the COVID-19 pandemic drove adoption of video chat platforms. However, this approach’s manual nature saps operational resources and degrades customer experience. Consumers expect quick, frictionless interactions. Requiring a secure video chat communicates a strong sense of suspicion, which detracts from customer experience.
Training call center personnel may cost more than it’s worth
Call center agents strive to fulfill customers’ needs quickly and efficiently. Fraudsters have long abused agents’ “helping gene.” Fraudsters call with a convincing story, socially engineer an agent into granting illicit account access or changing account information, and then take over a consumer account. This occurs despite agents’ training to beware social engineering tactics.
Advanced training could reduce this problem. Most contact centers have a fraud department trained to effectively serve callers who merit additional caution. However, training all contact center agents on more disciplined authentication protocol may be infeasible. Due to the high rate of call center employee turnover, a significant portion of that investment in training will walk out the door every year.
Sending an OTP to a pre-established device requires additional hardening
Nearly 70 percent of consumers used OTP via SMS/text message to validate their identities during a new account opening in 2020. Unfortunately, this increased use of OTP may have helped to fuel the rise in account takeover fraud over 2020.
OTP sent via SMS has been losing favor since at least 2016 because of the ease with which the passcodes can be intercepted. The FFIEC’s guidance acknowledges the vulnerability of OTP to “man-in-the-middle attacks, such as when a hacker intercepts a one-time security code sent to a customer.” OTP sent via automated phone calls presents the same risk.[i]
A swapped-out SIM card, an unauthorized number reassignment, or call forwarding activated without the customer’s knowledge facilitates phone fraud. Once a customer’s phone has been taken over, fraudsters can use it to create a new account using the victim’s information, infiltrate an existing account and change the associated phone number, or intercept outbound texts or calls.[ii]
Effective approaches to improving security, customer experience, and operational efficiency
Authenticating callers with voice recognition
Using callers’ unique voice signatures for authentication increases security and improves customer experience. To enroll, customers provide a reference voiceprint after authenticating via another means. Thereafter, a caller’s live voice sample can be compared to the customer’s reference voiceprint for authentication. The comparison takes place while the caller engages with an agent or an interactive voice response (IVR) system—without interrupting the purpose of the call.
The challenge with voice biometric authentication (“voicebio”) comes during enrollment. Some consumers may not consent to participate due to privacy concerns. Participating consumers must still authenticate before providing a voice sample, leaving customer call centers to rely on other approaches for that step. Combining voicebio with a device-based authentication approach achieves multi-factor authentication that accurately and effectively flags high-risk calls for additional inspection while expediting service for legitimate customers.
Identify deviations from a customer’s usual method of communication for the account, such as an internet-based communication application or an unidentifiable phone number
Because solution providers and the STIR/SHAKEN protocol effectively mitigated call spoofing, criminal attempts to impersonate a customer calling from the customer’s number have less chance of succeeding. Criminals must call from an unrecognized number and attempt to convince a call center agent that they are the legitimate customer.
Very often, customers call in from a different phone number than the one associated with their account. Some may have recently switched carriers. That variability opens the door to fraudsters who know to call from unidentified numbers or virtual calling applications and claim to be legitimate customers.
Skype and Google Voice lead the virtual calling space, but they require some identifying information to create an account—a potential risk factor for some criminals. Hundreds of lesser-known virtual call services preserve anonymity during account creation. These services allow criminals to place legitimate, untraceable calls from anywhere in the world, ostensibly from any area code. Because calls from these apps are not spoofed, they will receive a high-level STIR/SHAKEN attestation.
Market studies show a rapid rise in use of virtual call apps to attack call centers. In 2021, half of call center leaders observed an increase of fraudsters using virtual call services to launch anonymous attacks. Because customer call centers cannot trust the authenticity of customers’ phone numbers, they resort to other authentication approaches that delay service and require more resources.
Financial institutions face a fraught business environment, caught at the center of fraudsters’ increasingly sophisticated tactics, consumers’ rising expectations for frictionless experiences, and growing regulatory pressure to protect consumer accounts and assets. While considering the approaches to securing call centers described in the FFIEC’s guidance, financial institutions must choose the solution that best helps to mitigate these pressures.
Authenticate inbound callers pre-answer
The challenges with most of the above approaches derive from post-answer authentication. Requiring caller engagement during authentication increases risk of fraud, frustrates customers, and drives operational waste. To satisfy the FFIEC’s guidance to identify emerging threats with layered security measures, without impacting customer experience or operational efficiency, callers should be identified and authenticated before they hear “hello”—even when they use different phone numbers than those on record.
Unique, physical devices—mobile phones and residential cable and landlines—can help to significantly expedite pre-answer authentication for 70 to 75 percent of inbound call volume. Confirming the calling phone’s authenticity and matching the calling number to the reference phone number on file allows the contact center to identify and authenticate callers definitively—similar to the way credit cards facilitate cashless transactions.
To distinguish customers from possible fraud threats, other call signals inform a probabilistic pre-answer risk assessment, such as STIR/SHAKEN attestation, calling history, call routing, and line type. Insights from these assessments help to stratify non-authenticated callers into “trust levels” and refocus valuable fraud-fighting resources. Only risky callers receive stepped-up authentication or the full focus of the fraud department. This reduces the search for “a fraud needle in a haystack” into a more efficient search in a much smaller population.
Unlike authentication approaches that require fraud feedback to ward off future attacks from the same source, device-based authentication flags risky callers without reference to a past fraud incident. Detecting and preventing “first-time attacks” reduces fraud loss, while also providing an important signal for other fraud tools’ future reference in a layered security approach.
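As an added illustration (not Neustar’s code and not part of the FFIEC’s guidance), the sketch below shows how a pre-answer trust assessment might combine the signals named above: a deterministic device check plus number match on one path, and a probabilistic score built from STIR/SHAKEN attestation, line type, calling history and recent carrier changes on the other. The `device_verified` and `carrier_changed_days` signals, every weight, and every threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class CallSignals:
    ani: str                             # calling number as delivered by the network
    number_on_file: Optional[str]        # reference number for the claimed account
    attestation: Optional[str]           # STIR/SHAKEN attestation: "A", "B", "C" or None
    line_type: str                       # "mobile", "landline" or "voip" (virtual calling app)
    device_verified: bool                # assumed: live inspection confirmed the physical device
    carrier_changed_days: Optional[int]  # assumed: days since last carrier/SIM change, None if never
    prior_calls: int                     # prior calls from this number to this account

def assess_caller(s: CallSignals) -> Tuple[str, str]:
    """Return (trust_level, treatment) before the call is answered."""
    recent_change = s.carrier_changed_days is not None and s.carrier_changed_days < 7
    number_matches = s.number_on_file is not None and s.ani == s.number_on_file
    # Deterministic path: the physical device on file is confirmed to be on the line.
    if s.device_verified and number_matches:
        if recent_change:            # possible SIM swap or port-out: keep a step-up
            return "medium", "step_up"
        return "authenticated", "fewer_kba"
    # Probabilistic path: accumulate risk from call metadata (weights are assumed).
    risk = 0
    if s.attestation in (None, "C"):
        risk += 2                    # unattested or gateway-attested caller identity
    elif s.attestation == "B":
        risk += 1
    if s.line_type == "voip":
        risk += 2                    # anonymous virtual call apps still earn full attestation
    if not number_matches:
        risk += 1
    if s.prior_calls == 0:
        risk += 1                    # first-time caller: no history to lean on
    if recent_change:
        risk += 3
    if risk >= 5:
        return "low", "fraud_department"
    if risk >= 3:
        return "medium", "step_up"
    return "high", "standard_kba"

# Constructed sample calls (not real data) exercising each path.
SAMPLE_CALLS = [
    CallSignals("+15550100", "+15550100", "A", "mobile", True, None, 12),
    CallSignals("+15550199", "+15550100", "A", "voip", False, None, 0),
    CallSignals("+15550100", "+15550100", "A", "mobile", False, 2, 5),
    CallSignals("+15550177", "+15550100", None, "voip", False, None, 0),
]

def stratify(calls=SAMPLE_CALLS):
    """Trust level and treatment for each call, in order."""
    return [assess_caller(c) for c in calls]
```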
How Neustar helps financial institutions (and other verticals) follow best practice
Neustar Inbound Authentication is a hybrid ownership-based authentication model that establishes an optimal level of trust for each caller by adapting uniquely to the caller’s device. It satisfies the word and spirit of the FFIEC’s guidance on protecting customer call centers.
For the 75 percent of callers using physical, unique devices, Neustar Inbound Authentication confirms that the calling phone is engaged in a call with the call center through a real-time deterministic inspection of the call and calling device. Fraudsters never receive an authentication token (i.e., no false negatives), even when using virtual call services. Callers that pass inspection experience up to 80 percent fewer knowledge-based authentication (KBA) questions, reducing average handle time by 20 to 70 seconds, a boon to customer experience and operational efficiency.
A live inspection of the calling device is not possible for the other 25 percent of calls. Instead, Neustar Inbound Authentication leverages results from its history processing billions of calls and additional data about calls, carriers, and network routing from its role as a licensed telephone carrier. The results give deeper insight into the characteristics and potential risks of non-authenticated callers and allow for the stratification of callers by trust level for optimal treatment. Three to five percent of calls may be sent to a fraud department for closer scrutiny, along with many of the signals that drove the precaution.
Completing a trust assessment before callers hear "hello" enables contact centers to mitigate risks in accordance with the FFIEC’s guidance. Stratifying callers by trust level reduces false positives sent to the fraud department and shrinks the pool of callers that merit closer scrutiny, improving the department’s effectiveness and efficiency. Shortening the trust assessment experience for trustworthy callers and offering more valuable self-serve options improves customer satisfaction and reduces average handle time. Contact centers that invest in pre-answer inbound authentication to prevent fraud also invest in happier and more loyal customers.
Sources
- Javelin Strategy & Research, Securing the Contact Center
- New York Times Wirecutter, The Best Two-Factor Authentication App
- Twitter, Account Security
- Pew Research, Americans and Digital Knowledge
- Quality Assurance and Training Connection, Exploring Call Center Turnover Numbers
- Avoxi, Attrition Rates by Industry
- Javelin Strategy & Research, 2021 Identity Fraud Study
- Security Week, NIST Denounces SMS 2FA - What are the Alternatives?
[i] Increasingly, fraudsters are succeeding at socially engineering consumers into divulging OTP over scam phone calls, rather than intercepting the OTP, a burgeoning identity fraud vector known as voice phishing (“vishing”). In other instances of voice phishing, a consumer may receive an alarming text message falsely claiming that a valuable account has been compromised and urging the consumer to call a fraudster’s phone number to resolve the matter. Vishing does not require the technological proficiency of traditional man-in-the-middle attacks. Fraudsters simply need to establish credibility and urgency before deceiving prospective victims over a phone call.
[ii] One-time passcodes (OTP) sent via SMS or call-back require additional checks to ensure that the phone number receiving an OTP belongs to the rightful consumer and is not at risk for being taken over by a fraudster. This “hardening” restores two benefits of OTP: consumers are familiar with the technology, and the required infrastructure (i.e., the phone network and consumers’ personal handsets) is widely established and adopted.
Neustar Phone Takeover Risk restores the OTP as a secure, easy, and convenient authentication measure by verifying consumer phone ownership. Using continuously corroborated data with authoritative linkages to the phone’s owner, Neustar provides the real-time intelligence needed to determine whether a phone number poses a high or low risk, helping mitigate fraud while also improving operational efficiency. Identifying high-risk phone numbers reduces new-account and account takeover fraud. Verification insights help organizations assign a higher degree of trust when using mobile applications, as well as promote online registrations and verify transactional activity in real time.