Identity Thieves Dialing In To Call Centers To Finish The Job
Organized crime rings increasingly are targeting the call centers of financial institutions, which already are reeling from constant denial-of-service attacks, according to a new report.
Phishing and other common attacks conducted by organized cybercriminals sometimes yield enough information about an individual to trick call center operators into giving attackers complete control over a victim's account, said Shirley Inscoe, a fraud expert and senior analyst at Aite Group. Inscoe interviewed executives at 19 of the top 40 U.S. financial institutions. The executives identified a disconnect between IT security teams that deal with cybercriminal activity and the actual fraud happening over the phone.
"If the fraudster gets one additional piece of data about that customer, they are happy and they can do this repetitively and get all the information they need to ask for a password to reset or set up online banking for the first time," Inscoe told CRN. "The service representative's focus is not on antifraud measures, it's on taking care of the customer's needs and handling the call as quickly and efficiently as they can."
The results of Inscoe's study mean there is more opportunity for service providers and resellers to sell additional antifraud measures into contact centers. Voice biometrics, in particular, may be ready for broader adoption, according to Inscoe. Fraudsters are taking notice of the increased volume at call centers due to ongoing denial-of-service attacks, Inscoe said, adding that when contact center operators are inundated with calls, they take shortcuts and make errors they might not typically make.
Standard high-volume contact centers have been using knowledge-based authentication, typically challenge-and-response questions based on information gleaned from a variety of publicly available databases and credit reports, but its effectiveness has eroded. The verification questions are being defeated because attackers are gaining access to those databases, fraudulently retrieving a person's credit report, and gathering other details through social networks and blog posts.
"Sometimes the bad guys know the answers to the [knowledge-based authentication] questions better than the real customers do, and oftentimes the customer gets irritated when they don't know the answer to a challenge question," Inscoe said.
In March, Equifax and other credit bureaus publicly acknowledged data breaches that exposed credit files. Attackers often defeat the authentication measures designed to protect third-party access to victims' credit reports in order to reach the sensitive information. The problem also was highlighted when a Wired reporter had his identity stolen last year. Tech support at Amazon gave out a key piece of information over the phone that enabled Apple to release information, giving the attacker control of the reporter's iCloud account and other services.
Solution providers told CRN that systems such as voice biometrics, which mitigate call center fraud, are a niche market. Smaller firms are not interested in additional features and technology, but larger firms with high call volumes are likely candidates, said Kevin Smith, a consultant and technician at eSmith IT, a Huntersville, N.C.-based partner of Fonality, a maker of PBX systems based on the open-source Asterisk project. Asterisk makes it relatively easy to add features and capabilities when a client needs them, Smith said.
"Even though a lot of clients have the ability to record and review inbound calls, we see that feature rarely being utilized," Smith said. "Antifraud measures are something larger call centers might employ."
Many providers are selling commercial call management software to companies with fewer than 20 extensions, said Randy Kremlacek, president of Hayward, Calif.-based TeleDynamic Communications, a reseller of Digium Switchvox call center systems. Those firms likely stick with the features they have unless they grow in volume and need additional capabilities, Kremlacek said.
Inscoe said she has seen some bank call centers bolstering knowledge-based authentication with voice printing and other voice biometrics technologies designed to verify callers by the tone and tenor of their voices. Some technologies also use behavioral analytics to score callers against the potential for fraud. In addition, contact centers are recording and storing known fraudulent calls to see if the fraudsters attempt to call back.
Many of the technologies rely on engines driven by established firms including Authentify, Nuance Communications and VoiceVault. Agnitio and Convergys specialize in voice recognition, and Pindrop Security, NICE Actimize and Mattersight conduct audio analysis to detect fraud, Inscoe said.
Eve Maler, principal analyst at Forrester Research, said early adopters of voice biometrics are using the technology at a less granular level, such as identifying whether a male speaker is impersonating a female customer.
Maler recommends call center operators consider using a customer authentication assessment framework if additional measures are needed. The goal is to find the right balance by reducing fraud without increasing customer frustration, Maler said.
The key is understanding the organization's risk posture and tying together account registration, login security policies, authorization measures for higher-risk tasks (such as transferring large sums of money) and account recovery procedures. Some firms are finding success linking logins with a customer's social network services. Ensuring that issues can be resolved online reduces costs significantly: Forrester estimates that a single call to resolve a login issue can cost as much as $10.
Inscoe agrees that there are challenges to addressing fraud in the call center using voice biometrics. Many financial firms in the study indicated that they record calls but don't retain them long enough to feed voice printing antifraud systems with usable data.
"Security is certainly a big part of the cost equation, but finding value may be more about boosting efficiencies," Inscoe said. "There's a strong need to bring together IT and business to mitigate the costs associated with fraud at contact centers."
PUBLISHED JULY 11, 2013