Enhancing and Securing the Authentication Experience in the Government Call Center
The National Institute of Standards and Technology (NIST) recently posted a call for comments associated with Special Publication 800-63-4 (Draft) for Digital Identity Guidelines. The guidelines set the controls and technical requirements to meet various digital identity management assurance levels and cover identity proofing and authentication of users (i.e., employees, contractors, or private individuals) interacting with government information technology systems over open networks.
Routine and timely updates to these standards are increasingly important as federal agencies deliver more secure digital services as part of an omni-channel strategy. The call center is gaining importance in the omni-channel service delivery strategy. Customers tend to use this channel for high-value interactions, when they can’t complete a digital transaction (e.g., password reset), or increasingly when they initiate a transaction on a mobile device but need a service agent’s help to resolve it.
In all these scenarios, seamless and strong authentication methods are required to deliver both the modern, omni-channel experience customers expect and the security agency leaders require. And while NIST SP 800-63 no longer recognizes knowledge-based authentication (KBA) as an acceptable authenticator, it is a common practice in many contact centers. As an authentication method, KBA falls short on both security and customer experience.
Confidence in KBA has waned for years
As far back as 2016, Aite stated that, “Armed with breached data and social engineering tactics, organized fraud rings are probing financial institutions for the information they need to access customer funds, and the point of least resistance is often the contact center.”
Similarly, in a May 2019 report (GAO-19-288), the Government Accountability Office (GAO) stated, “data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently to respond to knowledge-based verification questions. The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led [NIST] to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications.”
A customer calling a government contact center to check on her benefits, financial assistance, health care, or other critical government services qualifies as a sensitive application. Use of KBA during these interactions should be significantly minimized and simplified to enhance security and reduce threats, such as account takeover.
According to the 2020 State of Call Center Authentication survey, companies in the financial services industry report continued concern about account takeover attacks via the voice channel. Call center agents have become increasingly susceptible to social engineering attacks as customers’ personal information has become easier to acquire illicitly. The report also noted that the risk of account takeover has been compounded by the growth of virtualized calls placed through the internet.
In a July 2020 Advisory on Cybercrime and Cyber-Enabled Crime, the Financial Crimes Enforcement Network (FinCEN) identified account takeover as one of several red flag indicators. The Advisory letter described how criminals try to exploit financial institutions’ remote systems and customer-facing processes: “A customer calls a financial institution to change account communication methods and authentication information, then quickly attempts to conduct transactions to an account that never previously received payments from the customer.”
In our experience, relying on the use of multiple questions empowers criminals armed with customers’ personal information, frustrates customers, and reduces agents’ productivity because it distracts from resolving the original purpose of the call quickly. The solution, proven in many major call centers, is to authenticate callers without agent intervention.
Authenticate callers before they hear "hello."
For government call center managers looking to enhance and secure the inbound call authentication experience, there are innovative alternatives available to authenticate callers. For example, Neustar Inbound Authentication was nominated for an ACT-IAC innovation award in recognition of its ability to enhance and secure the authentication experience in the call center. The solution completes authentication before the caller hears "hello," making it faster and more secure than KBA. This solution is in use in the call center operations of the largest banks in the U.S.
Neustar commissioned Forrester Consulting to research and construct a Total Economic Impact™ framework for organizations considering Neustar Fraud and Authentication Solutions, including Inbound Authentication. Based on interviews with several organizations, Forrester constructed a composite company and then estimated the total economic impact of Neustar’s fraud and authentication solutions. Key findings for the composite company include the following:
- Reduced phone fraud, $2.1 million benefit. The Neustar Inbound Authentication product helped verify the identities of incoming callers. Those designated as a higher risk went through additional identification and security procedures. The companies reduced overall phone fraud losses by identifying higher-risk callers through evaluating phone number reputations and voice-over-IP telephony signaling attributes.
- Improved customer service agent productivity, $3.1 million benefit. Customer service agents spent less time verifying inbound callers’ identities with Neustar Inbound Authentication. The customer service centers’ average handle time for inbound calls declined by one minute.
- Reduced false positives, $0.3 million benefit. With more accurate inbound caller identification, fewer legitimate customers were flagged as risky. Customer service agents saved time on unnecessary authentication of legitimate customers.
Neustar commissioned Forrester to develop an ROI Calculator from these findings and Forrester’s proprietary Total Economic Impact methodology. Interested parties may receive access to a custom, high-level estimate of the total economic impact of Neustar’s Inbound Call Authentication solution after answering a few questions about their call center’s activity.
Neustar looks forward to the results of the ACT-IAC awards. We welcome the opportunity to continue to contribute to the ongoing discussions regarding authentication standards in the government call center.