ATM-style security can thwart social-driven account takeovers

Register now

With data breaches continuing to make regular headlines and social media sites under fire for mishandling users’ data, consumers are becoming increasingly aware of the value of their personal information.

Social media sites act as feeding grounds for criminals looking for personal information that can help them deceive call center agents and gain fraudulent access to financial accounts.

Many customer call centers rely on knowledge-based authentication to grant access to accounts. In other words, customers verify their identity by demonstrating knowledge of personal information, sometimes information as basic as address, date of birth and mother’s maiden name. Identifying details can also include information such as a person’s high school mascot, musical instrument of choice or make and model of first car.
Because criminals have easy access to social media sites and consumers are still learning just how public their information may be, allowing personal knowledge to serve as a security key makes consumers’ financial accounts highly vulnerable.

Most account takeovers occur via social engineering agents who use hacked customer information to impersonate legitimate customers. As long as callers are authenticated based on their responses to questions about personal information, companies will be vulnerable to account takeovers by fraudsters who can also answer those questions.

Given that social privacy has been called into question, businesses that believe they have implemented strong measures to protect their customers’ information are likely not doing enough. They need to defend themselves against criminals who have gained access to information about their customers from other sources. This approach requires more robust customer authentication processes for call centers, including the critical element of multifactor authentication.

In multifactor authentication, knowledge (something the user knows, such as a PIN or date of birth) should be combined with inherence (something the user is, such as a voiceprint or fingerprint) or ownership (something the user has, such as a trusted phone or debit card).

ATM use, for example, requires dual-factor authentication in the form of a physical card and a PIN, and this same concept should be extended to phone transactions. Adding these higher- quality authentication approaches also allows for a reduction in questions and time spent on identity interrogation. Approaches like pre-answer authentication, can complete a strong verification process before the customer’s call is even answered.

Authentication technologies are advancing rapidly. Call centers can implement faster and more secure authentication processes by deploying solutions such as voice recognition systems or telephone network forensics systems that verify the authenticity of a call from a customer’s registered phone. As a result, the caller’s phone can serve as a physical ownership-based authentication token.

The good news is that many new authentication technologies are not only more accurate than identity interrogation, but also result in a better customer experience and reduced call center operating costs. Selecting the right authentication technology can be a win-win-win: more satisfied customers, decreased costs and more effective fraud-fighting efforts.

For reprint and licensing requests for this article, click here.
Payment fraud ATMs Social media Online payments ISO and agent