Physical credit and debit cards are going the way of cash and checks, as more and more consumers turn to e-commerce and digital payment apps, and increasing numbers of brick-and-mortar retailers embrace proximity mobile payment.
At the same time, fraudsters are also moving away from physical credit cards, due in part to the introduction of security chips, and are instead exploiting opportunities to take over financial accounts by using consumer data exposed in countless data breaches to answer knowledge-based authentication questions.
In the face of this growing threat, financial institutions need stronger security measures, in particular more effective authentication, to protect against account takeovers.
Fortunately, the same trend that is driving the increase in mobile payments – the ubiquity of smartphones and consumers’ fierce attachment to them – also presents a potential solution: the ability to thwart fraudsters’ efforts by using customers’ phones as ownership-based authentication tokens.
Strengthening authentication
Most account takeovers occur via social engineering schemes in which criminals use hacked information and/or information gleaned from social media to impersonate legitimate customers – often over the phone, which has become the weak link for many organizations. Banks and other financial institutions have devoted significant resources to combatting fraud via their online channels, but many have been slow to implement more effective authentication measures for their contact centers.
Most contact centers continue to rely heavily on knowledge-based authentication – granting access to accounts if callers can provide the correct personal information – which means these organizations are vulnerable to account takeovers in a world where fraudsters have relatively easy access to this personal information.
Criminals frequently use Caller ID or automatic number identification (ANI) spoofing to cover their tracks and further deceive call center staff. And, unfortunately, this spoofing is not difficult to execute, thanks to the easy creation and manipulation of call signaling data, a lack of end-to-end encryption within the telephone network, and the multitude of attack opportunities presented by carriers with lax security practices.
More and more criminals are using virtualized call services, like Skype, to connect with call centers. These calls are legitimate in themselves, but they can be placed from any device and let the criminal remain anonymous and undetectable.
In an effort to mitigate the risk of phone fraud, some financial institutions perform probabilistic modeling on the header data delivered when a call connects. While these risk-assessment approaches can be helpful in detecting suspicious calls, they do not actually identify legitimate customers, who represent the vast majority of callers, nor do they identify virtualized calls.
To positively identify their customers before their calls are answered, financial institutions can implement a complementary technology that uses customers’ smartphones as ownership-based authentication tokens. Customers are rarely without their phones, and as digital payments become more and more popular, people will be even more likely to have their digital wallets with them at all times.
An approach that audits all phone calls, devices and line types from within the global telephone network – end-to-end, from the caller’s phone to the contact center – can ensure that the phone call and device are real and unique and can thus provide a deterministic authentication outcome in the form of an ownership-based authentication token. With this highly accurate technology, the only way a fraudster could be authenticated would be to physically steal the customer’s phone and successfully unlock it.
This technology will also flag the high-threat virtualized phone calls commonly used by criminals, including VoIP and PBX calls.
Pre-answer caller authentication, which is invisible to the caller, has a further benefit: authenticated customers can be routed to a trusted caller flow that is not subject to annoying and time-consuming identity interrogation. Non-authenticated calls can then be stratified by their risk scores and receive different authentication treatments or more rigorous examination by the organization's anti-fraud tools and staff.
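The routing policy sketched in the preceding paragraphs (a deterministic ownership-based outcome taking precedence over a probabilistic header-data risk score, with virtualized line types never reaching the trusted flow) can be written down as a small decision function. The following is an added illustration, not code from the article or from TRUSTID; the field names, line-type labels, thresholds and treatment tiers are all assumptions chosen for the example, and the sample calls are constructed.

```python
"""Contact-center call routing that combines a deterministic pre-answer
authentication result with a probabilistic risk score.

Added example; the data model, thresholds and treatment names below are
assumptions for illustration, not any product's real API.
"""
from dataclasses import dataclass
from enum import Enum


class LineType(Enum):
    MOBILE = "mobile"
    LANDLINE = "landline"
    VOIP = "voip"   # virtualized line types; the article describes these as high-threat
    PBX = "pbx"


class Treatment(Enum):
    TRUSTED_FLOW = "trusted_flow"   # authenticated: no identity interrogation
    STANDARD_KBA = "standard_kba"   # low risk, not authenticated: knowledge-based questions
    STEP_UP = "step_up"             # elevated risk: additional verification before service
    FRAUD_REVIEW = "fraud_review"   # high risk: hand off to anti-fraud tools and staff


@dataclass(frozen=True)
class CallSignal:
    ani: str                # claimed calling number; spoofable, so never trusted on its own
    line_type: LineType
    device_verified: bool   # end-to-end network audit confirmed the call comes from the enrolled device
    risk_score: float       # 0.0 (benign) .. 1.0 (suspicious), from a header-data risk model


VIRTUALIZED = {LineType.VOIP, LineType.PBX}


def route_call(call: CallSignal,
               step_up_threshold: float = 0.4,
               review_threshold: float = 0.8) -> Treatment:
    """Return the treatment tier for one inbound call."""
    # A positively identified device on a real, non-virtualized line is a deterministic
    # authentication outcome, so it goes straight to the trusted flow; the risk model
    # is not consulted for these callers.
    if call.device_verified and call.line_type not in VIRTUALIZED:
        return Treatment.TRUSTED_FLOW

    # Everything else is stratified by risk score. Virtualized calls cannot be audited
    # end-to-end, so they are floored at the step-up tier regardless of their score.
    score = call.risk_score
    if call.line_type in VIRTUALIZED:
        score = max(score, step_up_threshold)

    if score >= review_threshold:
        return Treatment.FRAUD_REVIEW
    if score >= step_up_threshold:
        return Treatment.STEP_UP
    return Treatment.STANDARD_KBA


def stratify(calls):
    """Group a batch of calls by treatment; returns {Treatment: [ani, ...]}."""
    buckets = {t: [] for t in Treatment}
    for call in calls:
        buckets[route_call(call)].append(call.ani)
    return buckets


# Constructed sample traffic (numbers and scores are made up).
SAMPLE_CALLS = [
    CallSignal("+15550100001", LineType.MOBILE, True, 0.05),    # enrolled phone, clean headers
    CallSignal("+15550100002", LineType.MOBILE, True, 0.90),    # enrolled phone; deterministic outcome wins
    CallSignal("+15550100003", LineType.LANDLINE, False, 0.10), # unknown landline, low risk
    CallSignal("+15550100004", LineType.VOIP, False, 0.10),     # virtualized line, floored to step-up
    CallSignal("+15550100005", LineType.MOBILE, False, 0.85),   # unverified mobile, high risk
    CallSignal("+15550100006", LineType.PBX, True, 0.20),       # virtualized lines never reach the trusted flow
]

if __name__ == "__main__":
    for treatment, anis in stratify(SAMPLE_CALLS).items():
        print(f"{treatment.value:13s} {anis}")
```

The point the example makes is the ordering: the ownership check is evaluated first and yields a yes/no answer, while the risk score only decides how much friction the remaining, unauthenticated callers face. Flooring virtualized line types at the step-up tier reflects the article's observation that such calls cannot be positively identified, whatever their header-based score.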
Staying ahead of the fraudsters
There are a wide variety of authentication solutions available, including biometric systems such as voice recognition technology, aimed at different needs and offering varying levels of authentication quality, coverage, speed and convenience. Other solutions, as mentioned, are aimed more at fraud detection than true authentication. Financial institutions need to educate themselves about the various alternatives and implement measures that will protect their customers’ accounts more aggressively.
Continuing to rely on knowledge-based authentication and basic spoof-detection tools is unlikely to stem the tide of account takeovers. That means not only potentially significant fraud losses but also the risk of penalties from regulators and lawsuits from affected customers.
Criminals are constantly changing their tactics, but financial institutions need to stay one step ahead. New technologies can help – including technologies that use customers’ smartphones to achieve significantly more accurate authentication and improve the effectiveness of fraud-fighting efforts.
About the Author
Patrick Cox is chairman and CEO of TRUSTID, which enables companies to increase the efficiency of their fraud-fighting efforts through pre-answer caller authentication and the creation of trusted caller flows that avoid identity interrogation, allowing resources to be focused on real threats.