How Insurers Can Balance Identity Resolution with Customer Experience
While fraudsters thrive on information-sharing via the dark web, over on our side, ‘above the table,’ many organizations that compete for the same business are reluctant to join forces in the fight against fraud. The fear of collaborating with competitors outweighs the perceived benefit of that collaboration.
Fortunately, some industry groups do share insights and information. For example, the Insurance Fraud Enforcement Department (IFED), orchestrated by the London Police, provides a platform for insurers to report scams, pool evidence, and drive prosecutions. It’s successes like IFED that make us applaud industry roundtables like Pindrop’s, where attendees came together to discuss emerging trends, attacks, and priorities.
Many of the topics of interest to participants (summarized here) resonate with the 2019 State of Call Center Authentication Survey that TRUSTID conducted in partnership with Customer Contact Week earlier this year. Although our pool of respondents tended to skew toward the financial services sector, we believe the quantitative nature of the findings is worth adding to this conversation. Financial services organizations tend to be early adopters of consumer identification and authentication technologies, enabling the ‘winners’ of that early favor to expand into other markets, like insurance.
Avoid Knowledge-based Authentication
The foremost takeaway from the roundtable called on readers to ‘think beyond “secret” security questions’: knowledge-based authentication (KBA). “Unfortunately, KBAs [sic] foster friction during the call by extending hande [sic] times and frustrating customers.”
Agreed. Insurance companies need to minimize KBA or avoid it entirely as fraudsters increase the frequency and sophistication of their attacks. Forrester found that 70% of successful fraud comes from the availability of consumers’ PII on the dark web. (Extending Average Handle Time and customer frustration are just two of the Ten Reasons Why KBA Threatens the Modern Call Center. Get the white paper for a discussion of the full list and what you can do about it.)
Our survey revealed a promising indication that reliance on KBA is waning: 50% more respondents expressed dissatisfaction with their current authentication approaches than in the previous year’s survey (46% vs. 31%). (68% of those in financial services were ‘somewhat’ or ‘very’ unsatisfied.) Since single-factor KBA was the dominant authentication approach in [our 2018] study, we conclude that respondents’ dissatisfaction has to do with that approach.
Beware Virtualized Calls
Given that KBA by itself can't be trusted, it is critical to know the communication channels fraudsters use to attack call centers. Best practice is to identify trusted callers before they reach the IVR or an agent. Leaving caller identification and authentication until that contact is made just opens the door for social engineering. Calls that have been spoofed, manipulated, or originated from virtual sources need to be guided appropriately before a voice conversation starts.
By ‘virtual sources,’ I mean web-based calling services (e.g., Skype and Vonage), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX. They allow a work laptop, cell phone, and even a shared computer to access a virtual account and make anonymous and untraceable phone calls.
Across industries, our survey respondents recognized virtual calls as the primary vector through which they saw ‘much more’ criminal activity, marking a substantial shift away from spoofing, which now has many legitimate uses. Virtualization frees criminals from the need to imitate specific callers’ numbers. They just have to reach an agent from a number that is legitimate but unrelated to a customer’s record. When they connect, they have an excellent chance of socially engineering the agent into granting control over a customer’s account.
For more discussion about the rising threat of virtual calls, download ‘Four Challenges to Contact Center Authentication.’
Start with No-friction, Secure Caller Identification
Unfortunately for organizations, they can’t simply make caller identification and authentication more difficult. In 2016, First Annapolis found that “83% of online/mobile banking users have experienced step-up challenges while logging in to their account in the past year, and 49% said step-up happens ‘always’ or ‘frequently.’” 3% of those users changed banks, while another 3% considered doing so.
This point substantiates another finding from our survey: when asked about expectations for replacement technologies, over 90% of respondents ranked customer enrollment, authentication accuracy, and fraud detection as their top functional requirements. The prioritization of customer enrollment is telling. If callers won’t enroll in a new authentication approach—due to privacy concerns, impatience, lack of technical savvy, or otherwise—then the technology can’t deliver any benefit.
Don't Just Train Agents, Enable Them
The imperative to adopt easy security measures applies as much to contact center staff as it does to consumers. A security-first culture can bring substantial improvements in protection. Agent training is critical, but it’s just one element in a layered approach. Contact center agents need guidance on how much trust to extend to callers before they begin providing service.
In most cases, that guidance lets agents jump to helping trusted callers sooner. (Learn more about the Trusted Caller Flow.) In the remaining subset of cases where a caller’s risk can’t be determined before answering the call, such guidance puts agents into a more cautious mindset. That’s how to make the most of security training.
To that end, our study found growing interest in pre-answer authentication over technologies that require a caller’s engagement to function (like voice-bio). 54% of our survey’s respondents preferred authentication to complete before the call is answered, rather than post-answer, a 42% increase over the response in 2018. This change likely reflects respondents’ growing understanding of pre-answer authentication options. It comes at a good time.
Now that consumers’ offline data is available on the dark web, and online data is easily spoofed, it’s vital to combine multiple data sources and technologies to identify and authenticate consumers quickly. We found that this mindset is taking hold among our survey respondents; preference for multi-factor authentication more than doubled between 2018 and 2019.
We hope the addition of our quantitative findings helps more insurers to build the business case for prioritizing the implementation of modern caller identification and authentication technologies. There’s a lot at stake. The FBI estimates that non-health insurance fraud reaches $40 billion per year, costing the average U.S. family as much as $700 per year in the form of increased premiums. We all have a stake in resolving this problem.