Federal Authentication Guidelines Overlook the Phone Channel
On February 15, Neustar was certified as conformant to the NIST Special Publication 800-63-3 digital identity guidelines. The certification affirms that federal agencies can use Neustar Inbound Authentication, Phone Takeover Risk, and Digital Identity Risk as they meet the standards for accurate, frictionless identity authentication.
Moving forward, Neustar will advocate for addressing a hazardous deficiency in NIST SP 800-63-3: its treatment of the phone channel. Contact center interactive voice response (IVR) systems and customer service representatives (CSRs) perform many of the same sensitive and valuable transactions that are available on online systems. And yet the most common authentication mechanism in contact centers—knowledge-based authentication (KBA)—is significantly weaker than those guarding digital access to customer accounts. The risks are similar. The standards for mitigation should be, too.
Organizations that comply with NIST SP 800-63-3 yet overlook the phone channel as an attack vector expose their operations and customers to increased risk of account takeover and identity fraud, potentially resulting in millions of dollars in improper payments.
KBA is insecure over any channel
NIST SP 800-63-3 expressly disavows KBA for digital applications because, “The ease with which an attacker can discover the answers to many KBA questions, and relatively small number of possible choices for many of them, cause KBA to have an unacceptably high risk of successful use by an attacker.” The risk of KBA has increased with every data breach and oversharing instance of personal information on social media.
KBA’s insecurity cannot be mitigated by increasing the number or complexity of challenge questions. Such an effort is likely to cause more legitimate callers to fail authentication and go to a fraud department as false positives for closer scrutiny. This wastes the contact center’s resources, flies in the face of the Cross-Agency Priority goal to improve customer experience with federal services, and falls short of customers’ expectations raised by superior experiences in the private sector.
Confidence in KBA has been waning in the private sector for years. Blaming “breached data and social engineering tactics,” Aite stated in 2016 that “Account takeover fraud is so commonly enabled through the contact center that it should be renamed the cross-channel-fraud-enablement channel.”
“Contact center security needs a makeover,” Javelin Strategy & Research asserted in December 2019. “If one area has strong consumer authentication but another channel has limited resources, criminals will obtain information where they can first, then work through the channel that has the most funds available to steal.”
In the 2020 State of Call Center Authentication survey, respondents from the financial services industry—often a testing ground for fraud schemes that eventually appear in other verticals—were three times as likely as respondents from other industries to perceive the phone channel as a risk vector for account takeover attacks.
Despite this, a May 2019 report from the Government Accountability Office (GAO) found that: “most of the agencies that GAO reviewed (CMS, GSA, IRS, SSA, USPS, and VA) reported that they were not able to implement [NIST SP 800-63-3] … Until NIST provides additional guidance to help agencies move away from knowledge-based verification methods and OMB requires agencies to report on their progress, federal agencies will likely continue to struggle to strengthen their identify [sic] proofing processes.”
To attempt account takeover (ATO) through a federal agency’s contact center, criminals only need answers to KBA questions and access to call-spoofing software. More advanced criminals know to evade spoof-detection software with virtualized call services. The 2020 State of Call Center Authentication survey found that virtual calls were recognized as the fastest-growing ATO threat: 70 percent of respondents saw “somewhat” or “much more” threat activity against the call center coming from virtualized call services than from call spoofing.
Virtualized calls favor criminals. The calls are legitimate, anonymous, and inherently invisible to spoof-detection technology. Criminals can call from anywhere in the world, from any internet-connected device. They run little risk of getting caught. To succeed, they first reach an agent from a virtual calling number that is unrelated to a customer’s record. When they connect, they combine ill-gotten answers to KBA questions with social engineering skills to trick frontline agents into granting control over a customer’s account. Fraud feedback data from Neustar’s customers show that over 50 percent of ATO attempts between September 2019 and February 2020 were made with virtual calling services.
These trends detract from federal contact centers’ mission fulfillment—68 percent of government customers contact federal agencies for service via the phone channel, more than double the rate of email, the second most common channel. Demand for services at all levels of government has increased substantially since the beginning of the COVID-19 pandemic. During a crisis, it is most important to provide an experience that gives customers confidence in their government. However, amid the surge of customer inquiries, bad actors have increased efforts to claim benefits to which they are not entitled.
To support mission fulfillment, federal contact centers need to be able to block bad actors while serving customers efficiently and effectively. Phone channel authentication practices must be upgraded to the standard for digital authentication set out in NIST SP 800-63-3. Relying on KBA empowers criminals armed with customers’ personal information—while frustrating customers. The solution, proven in many major call centers, is to authenticate callers without agent intervention.
Treat each inbound caller by their trustworthiness
Fortunately, there are trusted solutions that directly address the deficiencies in phone channel authentication described above. Initiating an automated authentication process before the call is answered allows CSRs to spend more time on high-value service rather than low-value, insecure identity interrogation. Authentication methods that confirm the calling device’s legitimacy, determine that the call itself follows expected routing from one end of the telephone network to the other, and assign a strong authentication token are more robust than knowledge-based authentication and can mitigate common phone fraud risks such as call virtualization.
Ownership-based authentication is a proven method of delivering on the promise of authentication without agent intervention. The process completes authentication before the caller hears “hello,” making it faster and more secure than KBA. Customers’ physical, unique phones serve as reliable authentication tokens because they are uniquely attached to their owners, and because phone numbers act as unique, persistent identifiers.
About 75 percent of callers’ devices—mobile phones and residential cable and landlines—are unique and physical. When these calling phones are confirmed as authentic and their automatic number identification (ANI) matches the reference phone numbers on file, the contact center can determine that it is engaged in authentic calls with customers’ unique, physical, legitimate phones. Third-party fraudsters will never be authenticated in error, because they cannot manipulate or bypass the process. High trust in the authenticated caller’s identity reduces the need for KBA questions, proportionately decreasing time to service.
About 25 percent of inbound call volume comes through methods that are not physical and unique: virtual call services, call-spoofing software, PBX switches, burner phones, prepaid phones, or public phones. If these calling devices do not display other risk signals, their callers can be moderately trusted and subjected to fewer KBA challenge questions, improving customer experience. However, some phones in this cohort (three to five percent) show significant risk signals and should be treated with extra caution.
Combining these two approaches to inbound caller authentication may become essential for helping federal contact centers to meet rising customer need efficiently, effectively, and safely. Trusted callers can be offered higher-risk self-service options traditionally reserved for agents, such as contact information updates and PIN resets. Shielded from social-engineering attacks, agents can focus on speedy resolution of more complicated matters. Less-experienced agents serve only high-trust callers. The smaller remaining pool of unauthenticated callers experiences extra caution or diversion to the fraud department. Combined, this approach optimizes expensive fraud-prevention personnel and resources, sends a reassuring message to customers, and focuses agents on helping callers.
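A tiered triage policy along the lines just described, written here as an added illustration rather than Neustar’s own code. The question counts, the risk-signal names, and the sample phone numbers are assumptions; the key rule it encodes is that a matching ANI earns high trust only when the device behind it has passed pre-answer verification, so a spoofed or virtualized call that presents the right number still lands in a lower tier.

```python
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    HIGH = "high"          # verified physical device, number on file: minimal KBA, self-service allowed
    MODERATE = "moderate"  # unverifiable device, no risk signals: reduced KBA, agent handles
    CAUTION = "caution"    # risk signals present: full KBA or fraud-department review


@dataclass
class InboundCall:
    ani: str                  # caller ID presented by the network; on its own it can be spoofed
    device_verified: bool     # pre-answer inspection confirmed a physical, unique device is on the call
    # Assumed signal names, e.g. "virtual_call_service", "spoof_indicator"
    risk_signals: list = field(default_factory=list)


@dataclass
class Decision:
    tier: Tier
    kba_questions: int
    route: str


FULL_KBA = 5  # assumed baseline question count for an unauthenticated caller


def triage(call: InboundCall, numbers_on_file: set) -> Decision:
    """Assign a trust tier, a KBA question budget and a routing target to one inbound call."""
    # Risk signals take precedence over everything else, including a matching ANI.
    if call.risk_signals:
        return Decision(Tier.CAUTION, FULL_KBA, "fraud_department")
    # A matching ANI is trusted only when the device was verified before the call was answered;
    # a spoofed or virtualized call can present the right number but cannot pass inspection.
    if call.device_verified and call.ani in numbers_on_file:
        return Decision(Tier.HIGH, 1, "self_service_or_agent")  # 80% fewer questions than FULL_KBA
    # Everything else: unverifiable device (virtual service, PBX, prepaid) or a verified device
    # calling from a number that is not on the customer's record.
    return Decision(Tier.MODERATE, 3, "agent")


if __name__ == "__main__":
    # Constructed sample: one customer record and four calls claiming to be that customer.
    on_file = {"+12025550101"}
    for c in (InboundCall("+12025550101", True),
              InboundCall("+12025550101", False),                          # spoofed/virtual, right number
              InboundCall("+12025550101", True, ["virtual_call_service"]),
              InboundCall("+12025550199", True)):                          # new phone, not on record
        print(c.ani, c.device_verified, c.risk_signals, "->", triage(c, on_file))
```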
How Neustar can help
Neustar Inbound Authentication is a hybrid ownership-based authentication model that establishes an optimal level of trust for each caller by adapting uniquely to the caller’s device.
For the 75 percent of callers using physical, unique devices, Neustar Inbound Authentication confirms that the calling phone is engaged in a call with the call center through a real-time deterministic inspection of the call and calling device, prior to connection. Fraudsters never receive an authentication token (i.e., no false negatives), even when using virtual call services. Callers who pass inspection experience up to 80 percent fewer KBA questions, a boon to customer experience and the contact center’s operational efficiency.
A live inspection of the calling device is not possible for the other 25 percent of calls. Instead, Neustar Inbound Authentication leverages results from its history of processing billions of calls and additional data about calls, carriers, and network routing from its role as a licensed telephone carrier. The results give deeper insight into the characteristics and potential risks of unauthenticated calls and allow for the stratification of callers by trust level for the most appropriate treatment. Three to five percent of calls may be sent to a fraud department for closer scrutiny, along with many of the signals that drove the precaution.
NIST SP 800-63-3 addresses use of the Public Switched Telephone Network for digital identity authentication: “the verifier SHALL verify that the pre-registered telephone number being used is associated with a specific physical device.” Since account access over the phone channel poses the same risks as digital account access, the phone channel should be secured to the same standard.
Neustar will advocate for NIST SP 800-63-4 to account for the phone channel. However, that iteration of the special publication will likely not be published until 2022. It could be some time later before it is fully implemented in federal agencies’ contact centers. That is too slow to secure the benefits that sustain millions of Americans today. Federal contact centers, the services they manage, and their customers need action much sooner.