The fraudster called the credit card company with a simple request: he was traveling out of the country and wanted fraud controls lifted on his account for 30 days. The call center agent obliged, opening the account to pending theft. How did this happen? First, the fraudster used publicly available data to pass the first set of security questions that the agent used to verify his identity. Second, he called from a low-cost telecommunications carrier, making it easier to cover his tracks and mask his true caller ID, which the call center used to help verify him. But had the call center used phone printing to trace the call to his true location and phone, or voice biometrics to verify his voice, the fraud might have been prevented.
Call Centers at Risk
Fraudsters are increasingly exploiting weaknesses in call center and help desk user authentication processes. Common caller authentication methods typically inconvenience legitimate users, and don’t keep determined bad players out. Current authentication methods fail in three ways:
Knowledge-based authentication: Most call centers rely on knowledge-based authentication (KBA) — also known as security or life history questions — to authenticate users before executing their high-risk transactions or discussing their account details. However, depending on the user population, 10 percent to 25 percent of users, almost all of whom are legitimate, fail to answer the questions correctly, while some fraudsters correctly respond by using culled or stolen information.
PINs: PIN-based authentication is also circumvented by criminals, who capture PINs during phishing or automated teller machine (ATM) skimming attacks. Users often use the same PIN on the ATM channel and in the call center. A 2011 Gartner survey of U.S. consumers found that about 60 percent use the same online password whenever they can. We expect the same is true with PINs used across the ATM and call center channels.
Caller ID: This method of identifying a caller is prone to circumvention by criminals who call through anonymizer services that hide the true originating point and phone number.
Vulnerable Call Center Agents
Our clients in the financial services sector report that up to 30 percent of fraud perpetrated against customer accounts is cross-channel. Furthermore, our clients that have implemented phone printing in their call centers say the fraudsters identify a handful of the most gullible and accommodating call center agents, and repeatedly perpetrate their social engineering tactics on the same agents.
Verifying Callers with Biometrics
The best security is always layered security, and this principle holds true when securing the telephony channel. Voice biometrics can capture fraudster voices and put them on a blacklist that can be used for future voice comparisons and verifications of individual callers. This technology has been successfully used by law enforcement and intelligence agencies for a few years, including in recently disclosed surveillance activities undertaken by U.S. intelligence agencies. However, voices can be distorted or synthesized, making it harder to identify a fraudster, which is why a layered strategy that also uses phone printing works best for fraud prevention.
Printing the Phone and Tracing the Call to Verify the Caller
Phone printing provides added security and is helpful in detecting fraudsters who are calling in. Enterprises cannot rely on caller ID to identify a caller (as most do now), because true caller IDs are easily disguised by fraudsters and other bad actors who use anonymizer services that hide their true phone numbers. Phone printing serves the same function for phone calls as device fingerprinting does for online interactions.
For example, it can detect if an individual is calling from 1,000 miles away from the location indicated by the stated caller ID. Phone printing gathers as much information as possible on the phone call to detect whether the call is actually originating from the point or location it claims, and from the phone type it purports to be (for example, a cell or landline versus a voice over IP [VoIP] phone).
When a fraudster is detected, his or her phone print is added to a blacklist of “bad” callers. This blacklist is then used to compare with new incoming calls. Blacklists are populated when an enterprise confirms the phone print of a bad caller, and also through honeypot and research techniques that, for example, capture and then research calls made by fraudsters in mass vishing (phone phishing) attacks.
About 70 percent of call center fraud is perpetrated by the same actors, so blacklisting their phone prints is a useful measure for stopping fraudsters in their tracks.
Phone printing combined with voice biometrics provides the strongest method for detecting fraudsters who call into enterprises, but using each technology on its own also has many proven benefits. It’s best to implement voice biometrics and phone printing for the call center passively at first, to prove ROI and benefits before disrupting operations. The main disadvantage to passive mode is that fraudsters and other bad actors cannot be stopped in their tracks while on the phone with an agent.
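An added example, not part of the original article or any vendor's product: the layered checks described above (phone-print and voice blacklists, caller-ID location and phone-type mismatch) applied to a call record, in passive or active mode. The Call fields, the action names and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Call:
    # Hypothetical fields: what a phone-printing / voice-biometrics product might report.
    claimed_latlon: tuple   # location implied by the presented caller ID
    observed_latlon: tuple  # origin estimated from the call itself
    claimed_type: str       # "cell", "landline" or "voip", per the caller ID
    observed_type: str      # phone type inferred from the call
    phone_print: str        # opaque identifier for the phone print
    voice_print: str        # opaque identifier for the caller's voice

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 3958.8 * 2 * asin(sqrt(h))

def screen_call(call, phone_blacklist, voice_blacklist, passive=True, max_miles=1000):
    """Return (action, reasons). Passive mode only records; active mode alerts the agent."""
    reasons = []
    if call.phone_print in phone_blacklist:
        reasons.append("phone print on blacklist")
    if call.voice_print in voice_blacklist:
        reasons.append("voice on blacklist")
    if miles_between(call.claimed_latlon, call.observed_latlon) >= max_miles:
        reasons.append("origin far from caller-ID location")
    if call.claimed_type != call.observed_type:
        reasons.append("phone type differs from caller ID")
    if not reasons:
        return "allow", reasons
    return ("log_for_review" if passive else "alert_agent"), reasons

# Constructed sample calls (not real data).
NYC, NEWARK, LA = (40.71, -74.01), (40.74, -74.17), (34.05, -118.24)
LEGIT = Call(NYC, NEWARK, "cell", "cell", "pp-001", "vp-001")
SPOOFED = Call(NYC, LA, "landline", "voip", "pp-666", "vp-002")

if __name__ == "__main__":
    bad_prints = {"pp-666"}  # phone prints confirmed as belonging to bad callers
    for c in (LEGIT, SPOOFED):
        print(screen_call(c, bad_prints, set()))
```

In passive mode a flagged call is only recorded for later review, which is why the caller is not stopped while still on the line with the agent.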
Avivah Litan is a vice president and distinguished analyst at Gartner. Her area of expertise includes big data analytics for cybersecurity and fraud, fraud detection and prevention applications, authentication, identity proofing, identity theft, and insider threats.