In a shift, call centers have become the weakest link in banks’ security chains, rather than online banking platforms, according to experts.
“It used to be easiest for criminals to fraudulently access accounts online,” says Ben Knieff, head of fraud product marketing at Nice Actimize, a provider of financial security solutions that today launched a new Contact Center Fraud Prevention solution. “But as online security has improved over the last several years, they moved to call centers, which seemed like soft targets.”
What makes call centers soft targets, unfortunately, is also what makes them attractive service portals for customers: the human touch. Fraudsters are aware that call center agents are trained to solve customers’ problems in the shortest amount of time, and they use scripts to help them say just the right things to persuade agents to grant them access, Knieff says. Manipulating agents in this way is referred to as social engineering.
Social engineering pits service against security. Since bank executives don’t want front-line agents to worry about fraud attempts, agents are instructed to refer suspicious calls to a hotline, on which specially trained fraud analysts can subject the call to more scrutiny.
Beyond red flags raised by agents during problematic calls, there is risk-driven authentication based on customer requests. While a request to check a balance may not result in an authentication challenge, a request to transfer fund likely will.
So what is to be done when a call seems suspicious? Banks separate genuine customers from fraudsters using a method known as multi-factor authentication. The traditional factors are something you have (such as an ATM card) combined with something you know (your PIN or information on past transactions.) The third factor is something you are — and verifying this is the gold standard. This third factor is also where voice biometrics come in. Biometrics create a unique signature based on something about you that no one else has — the patterns in your iris or, in the case of call centers, your voice. A customer’s calls can then be authenticated based on this “signature.”
In years past, voice signatures used to be stock phrases (“The quick brown fox…”), but more recently voice signatures are able to be created passively, just by “listening” to a customer’s conversation. Voice biometrics are a highly accurate way of verifying a user’s identity.
“Bank fraud is increasing,” says Knieff, “or at a minimum, the attacks are increasing, and becoming more sophisticated.” A technological arms race with criminals is on, and banks must devote more resources to fighting back. Criminals, of course, don’t need to bother with going through proper channels or regulations — they just peck away until something works.
Banks’ efforts to fight the good fight are hampered by complicated in-house tech setups that result from multi-vendor environments and acquisitions, which often pair disparate systems. On top of that, call centers may use different authentication challenges than online banking. To overcome this “channel challenge,” Knieff says, banks must look at fraud as a holistic or pan-organizational challenge, and use flexible technology to help them react quickly to attacks and identify fraud attempts in a multi-channel environment. Authentications should be standard across channels to cut down on weak links and soft targets and present a unified front against attackers.
The multi-channel challenge also applies to customer service, where user experience is best kept uniform no matter how customers interact with bank representatives. Balancing security and service at every touchpoint will be a challenge for banks going forward, but as Knieff points out, “The worst service of all would be to let a customer’s account be compromised.”