Not All Greens are Created Equal
A growing number of contact centers are evaluating authentication solutions that promise to turn callers’ phones into a mechanism for establishing callers’ authenticity. When successful, this approach mitigates fraud, improves customer experience, and increases operational efficiency.
Unfortunately, some phone-based authentication solutions have vulnerabilities that cause them to mistakenly authenticate callers who are not rightful account holders, increasing risk of account takeover (ATO)and associated financial and reputational damage. This is why, in part, Aite stated, “Account takeover fraud is so commonly enabled through the contact center that it should be renamed the cross-channel-fraud-enablement channel.”
Contact center leaders increase risk of enabling fraud when they overlook fundamental differences in the most common approaches to establishing callers’ authenticity with their phones. The risk has negative ramifications for both customer experience and operational efficiency.
Two common, but flawed, approaches to phone-based authentication
Confirming the caller’s claimed identity via their phone hinges on the type of device the caller uses. Unique and physical devices can serve as high-quality authentication tokens for callers. Other types of devices, described later, cannot. Knowing the device type helps to establish the caller’s authenticity.
There are two common approaches to assessing the calling device: probabilistic and deterministic. Each has value, but also limitations. Probabilistic approaches calculate a numeric score representing the probability that the caller is who they say they are. The score is based primarily upon an analysis of phone number reputation and the call’s signaling data (aka SIP header data). On the other hand, deterministic approaches deliver a binary yes/no authentication decision after inspecting the call and calling device. We will discuss the probabilistic approach first.
Probabilistic authentication: broadest coverage, but only moderate trust
Probabilistic risk assessment affords some value as a fraud check in low-risk circumstances. The 90 to 95 percent of inbound callers whose phones do not display significant risk signals can be moderately trusted and subjected to fewer knowledge-based authentication (KBA) challenge questions, improving customer experience and operational efficiency.
However, this approach cannot assign high confidence in callers’ identities. Call signaling data, one fundamental input to the probabilistic score, can be manipulated by criminals using call-spoofing software. By iterating on different access points and editing signaling data, criminals can find a combination that is, as far as a probabilistic risk assessment is concerned, indistinguishable from an actual call.
Because some fraudsters will always be able to pass a probabilistic risk assessment, contact centers end up having to treat all of their inbound call volume with caution. This prevents contact centers from achieving the full value of knowing whom to trust and limits the degree to which they can ease their authentication protocol for trusted callers and maximize operational savings.
In addition, probabilistic assessments of call signaling data do nothing to combat virtual call services, the preferred platform for phone fraud today. Virtual calls—through web-based calling services (e.g., Skype and Vonage), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX—are authentic, legitimate, and unique. According to Neustar internal data, virtual calls represent approximately two percent of all call volume today.
It is much easier for criminals to reach a call center with a virtual service than to go through the effort of engineering a spoofed call that can beat spoof-detection tools. Virtual calls’ signaling data and call certificates are correct and will pass by technology designed to detect errors in SIP data. In fact, even the best SIP header data provides no information to distinguish virtual calls from VoIP calls tied to physical addresses.
With a virtual call service, criminals can call from anywhere in the world, from any internet-connected device. They run little risk of getting caught. To succeed, they first reach an agent from a legitimate number that is unrelated to a customer’s record. When they connect, they have an excellent chance of socially engineering the agent into granting control over a customer’s account.
Fraud feedback data from Neustar’s customers show over 50 percent of account takeover attempts between September, 2019 and February, 2020 were made with virtual calling services. In 2020, virtual calls were recognized as the fastest growing account takeover vector. 70 percent of call center leaders reported seeing "somewhat" or "much more" threat activity toward their call centers as coming from virtualized call services.
This fraud risk forces contact centers to use KBA as a supplementary measure for determining each caller’s trustworthiness. Unfortunately, KBA invites more fraud risk, degrades customer experience, and increases average agent handle time by 30 to 90 seconds.
Call center leaders who champion a caller authentication solution that relies solely on probabilistic risk assessment set themselves on a fraught path. The inability to assign a high level of trust to trustworthy callers limits the value of options that can be offered in the IVR. Callers with higher-value matters will still need to speak with an agent. While agent KBA may be shortened somewhat with a probabilistic approach, customer experience is still sub-optimal. Callers must still endure identity interrogation before they can get to the reason for their calls. Meanwhile, dedicated fraudsters still have a meaningful chance of successfully taking over customers’ accounts with nothing more than a virtual call service, the victim’s personally identifying information, and some basic social engineering skills.
Organizations that implement a probabilistic-only caller risk assessment will not realize the full value of using callers’ phones as authentication tokens.
Deterministic authentication: high trust, but lower coverage
Deterministic approaches deliver a binary yes/no authentication decision after inspecting the call and calling device—down to the physical address of a landline or the SIM card of a mobile phone. When the calling phone is confirmed as authentic and the ANI matches the reference phone number on file, then the call center can determine that it is engaged in an authentic call with the customer’s unique, physical, legitimate phone. This deterministic process, based on telephone network forensics, turns callers’ phones into ownership-based authentication tokens.
High trust in the caller’s identity reduces the need for KBA questions, proportionately decreasing agent average handle time and associated operational costs. Third-party fraudsters will never be authenticated in error, because they cannot manipulate or bypass the process.
While a deterministic approach offers greater authentication accuracy than a probabilistic assessment of call signaling data, its coverage is dictated by the caller’s choice of device. 75 percent of the time, that device is physical and unique—mobile phones and residential cable and landlines—establishing high trust in the caller’s identity. However, 25 percent of inbound call volume comes through devices that are not physical and unique: PBX switches, burner phones, prepaid phones, public phones, or phones whose SIM card has been swapped recently or whose number was recently reassigned.
When this happens, around 25 percent of the time, contact centers must fall back on their next-best authentication strategy. The gap in coverage translates into more fraud risk, operational costs, and caller frustration.
Between these two approaches, contact center leaders are forced to choose between the higher coverage of a probabilistic approach and the greater accuracy of a deterministic approach.
The best of both worlds
Rather than choosing between probabilistic or deterministic, forward-thinking contact centers use a hybridized approach to caller authentication that combines the best of both. (See chart, below.) Since 75 percent of call volume takes place over unique, physical devices, 75 percent of inbound callers can be deterministically authenticated. These callers experience substantially less KBA, gain access to more high-value self-serve options (reducing IVR-to-agent transfers), and cannot, by definition, be third-party fraudsters.
The remaining 25 percent of calls are analyzed with a high-quality probabilistic process to estimate callers’ trustworthiness. Probabilistically approved callers can be moderately trusted and subjected to fewer KBA questions.
This combined process takes full advantage of the unique power of physical calling devices as ownership-based authentication tokens, while improving operational efficiency and customer experience for the most callers possible.
How Neustar can help
Neustar Inbound Authentication is a hybrid model that establishes an optimal level of trust for each caller by combining probabilistic risk assessment and deterministic authentication.
For the 75 percent of callers using physical, unique devices, Neustar Inbound Authentication confirms that the calling phone is engaged in a call with the call center through a real-time deterministic inspection of the call and calling device. Callers that pass inspection receive the highest-value authentication token and experience up to 80 percent fewer KBA questions.
For another 15 to 20 percent of calls, a live inspection of the calling device is not possible. Instead, Neustar Inbound Authentication leverages results from its history of network forensic processing of billions of calls and additional data about calls, carriers, and network routing from its role as a licensed telephone carrier. This allows Neustar Inbound Authentication to assess unauthenticated calls in detail far beyond what is possible solely with a probabilistic analysis of SIP header data. The results give deeper insight into the characteristics and potential risks of unauthenticated calls, and also allow for the stratification of callers by trust level.
This hybrid model unlocks a cascade of benefits for contact centers and their customers:
- Reduced or eliminated agent KBA. Average handle times for deterministically authenticated callers decrease by 30 to 90 seconds per call. As a result, each call costs 45¢ to 90¢ less for agents to handle. Agents get to the service portion of each call faster. Callers’ needs are serviced faster. Of the remaining pool of callers, another 15 to 20 percent are moderately trusted and require a reduced authentication challenge. This block of callers—90 percent of call volume—experience authentication 40 to 80 percent faster than they would with standard KBA.
- Reduced IVR-to-agent transfers by 10 percent.Deterministically authenticated callers can be trusted with higher-value IVR options, such as resetting passwords and PINs, adding a cardholder, changing an address, and more. The easier authentication experience, in concert with the richer range of self-serve options, reduces caller frustration with the IVR and thus “pounds outs” to live agents. The reduction in IVR-to-agent transfers drives an average $5.50 savings per IVR-contained call.
- Greater fraud containment. Deterministic authentication driven by telephone network forensics mitigates risk of social engineering. Fraudsters never receive an authentication token (i.e., no false negatives), even when using virtual call services. As a result, the fraud department can dedicate expensive personnel to monitor for fraudsters in the much smaller subset of non-authenticated callers. The body of probabilistic signals that inform each non-authenticated call’s score is available to the fraud department for analysis.
- 10% increase in customer satisfaction metrics. Speedier time to resolution improves callers’ experiences and satisfaction. Deterministically authenticated callers can be automatically routed into the fastest flow with the most self-service options. Those who need to speak with an agent are greeted with, “How can I help you?” rather than, “Who are you and can I trust you?” Using customers' phone numbers to retrieve and display their records on agents' desktops boosts agent efficiency. When agents know they can trust callers, they can begin solving problems sooner.
These benefits come from knowing exactly how much each caller can be trusted. Callers in each trust level experience a different flow.
Move callers to the Trusted Caller Flow™ approach as soon as possible
Screening callers shares similarities with the airport security industry’s trusted flow: TSA-Pre. Participating frequent flyers spend less than five minutes on average to pass through security. By moving trusted passengers through the security line faster, TSA staff can focus their payroll-intensive process and expensive equipment on the remaining pool of travelers.
The process is similar in a call center. Callers that are deterministically authenticated receive an authentication token and may be routed into a Trusted Caller Flow for faster service. Non-authenticated callers are stratified by trust level. Moderately trusted receive faster-than-normal authentication. If the credentialed ANI is unknown, it can be added to the caller’s account to streamline authentication of future calls from that device. Low-trust callers experience standard KBA questions and IVR permissions. No-trust callers receive stepped-up authentication or the full focus of fraud-fighting resources.
Contact centers stand at the front lines of customer service. Inbound caller authentication sets the tone for the rest of the interaction. The fundamental differences between probabilistic and deterministic caller authentication influence how efficiently and effectively contact centers are able to treat each caller. It pays to be able to tell the difference between each segment of callers as quickly as possible.
 “Because not all channels are protected in the same way, criminals will find the most vulnerable point to exploit. If one area has strong consumer authentication but another channel has limited resources, criminals will obtain information where they can first, then work through the channel that has the most funds available to steal.”