2018 Learnings on Call Center Authentication
Call centers need to move beyond knowledge-based authentication
2018 was another year of rampant data breaches, with criminals targeting organizations in all sectors of the economy. According to the Identity Theft Resource Center, the first half of 2018 saw 668 confirmed data breaches representing 22.41 million records exposed.
In light of these attacks, what measures are organizations that deal with customer contact information - such as financial institutions, e-commerce companies, healthcare organizations and government agencies - implementing to ensure that customers' stolen information can't be used for account takeover fraud and other types of crime?
Here at TRUSTID, a Neustar company, we've reviewed the year's developments and our own research to identify four key learnings from 2018:
1. The phone channel is at high risk.
Several industry experts at the recent Money 20/20 USA conference - including Jim Hickman, assistant vice president of financial crimes operations at USAA, and Tom Poole, senior vice president for digital payments and identity at CapitalOne - agreed that call centers are where most fraud starts. Account takeovers tend to show up in the online channel, but the majority of fraudsters initiate their efforts by socially engineering call center agents in order to reset passwords for online accounts.
One of the reasons call centers are such a popular target is the lack of effective authentication measures. Most contact centers continue to rely heavily on knowledge-based authentication (KBA) - granting access to accounts if callers can provide the correct personal information, such as a Social Security number and mother's maiden name. But as data breaches continue to flood the dark web with consumers' personal information, fraudsters are finding it relatively easy to access stolen information that allows them to pose as legitimate customers. Add the inherent vulnerabilities of the telephone network (easy spoofing via creation and manipulation of call signaling data, a lack of end-to-end encryption within the network, and the many attack opportunities presented by carriers with lax security practices) to criminals' increasing creativity and skill with social engineering, and it's clear why call centers need stronger authentication solutions.
2. Call center agents don't trust KBA.
TRUSTID's 2018 State of Call Center Authentication report, which is based on an extensive survey of contact center professionals, revealed that although KBA remains the default authentication method for call centers (used in some form by 92 percent of respondents' organizations), only 10 percent of respondents said they felt very confident in the ability of KBA to accurately authenticate callers, while nearly 40 percent expressed little to no confidence in KBA. More than half of respondents in financial services expressed dissatisfaction with their current authentication approach.
3. Call center professionals want alternative technologies that will enable them to effectively and efficiently validate customers over the phone channel.
KBA - which in the call center context takes the form of identity interrogation - is unpopular for a variety of reasons: it provides a false sense of security (the ready availability of customer information on the dark web makes it too easy for fraudsters to deceive call center agents), it degrades the customer experience (callers must submit to identity interrogation before receiving answers to their questions), and it drives up costs (the process lengthens agent handle times). Not surprisingly, 92 percent of survey respondents said they want new technologies to reduce agent time spent on authentication, and 80 percent said they would like authentication to be completed pre-answer or in the interactive voice response portion of the call.
4. The growing recognition of the limitations of KBA is steering contact centers in a new direction for caller authentication.
Although change may be slow, the market is recognizing the limitations of KBA - particularly as more and more organizations disclose major data breaches. Awareness of other authentication methods, such as voice-biometric solutions and pre-answer phone call analysis, is growing, which suggests that the market is poised for a new technology adoption cycle. For a new technology to thrive, it must prove that it can meet the market's needs, and it is evident that in addition to improved accuracy, the market wants an authentication solution that will make life easier for call center agents. New technologies must therefore be fast and easy to implement and allow callers to complete authentication by themselves, before speaking with an agent.
Even if all future data breaches could somehow be prevented, so much information has already been lost to criminals that the industry will never be able to put the genie back in the bottle. Data security, though critical, isn't enough; organizations also need to make sure that information that has already been acquired elsewhere cannot be used in account takeovers.