With recent headlines focusing on the threats malware poses tofinancial institution security, less attention has been placed onthe information vulnerabilities that exist through call centercommunication – something experts said mobile technology could helpkeep at bay.

Call center fraud perpetrated through social engineering hasrecently taken place in banking call centers, and in theseendeavors, fraudsters used stolen credit card information toactivate Apple Pay accounts on new smartphones to buy expensivegoods.

Social engineering is not a new method of fraud, however. TheDepression-era bank thief John Dillinger succeeded at hissophisticated schemes, which ranged from posing as a bank alarmsystem salesman to pretending to film a bank robbery scene in orderto stake out potential bank targets.

Today, skilled social engineers don't need to be quite astechnical, John Zurawski, vice president of marketing for Chicago securitycompany Authentify, explained. As an example of a common ploy,Zurawski stated, “Hello my neighborhood credit union, this is Roy,I've forgotten the password to my account and I have to make apayment, I am going to get tagged with a late fee, you've got tohelp me.”

Training for service representatives focuses on helpingcustomers, not authenticating them, and that's why the core offraud in the call center is still good old-fashioned socialengineering, he said.

Recently, an Apple Pay sign-up flaw led to unusually high ratesof fraud from thieves using stolen credit card numbers. In theseinstances, fraudsters loaded iPhones with stolen, card-not-presentcard information and essentially turned that data into physicalcards via Apple Pay.

Cherian Abraham, a Richmond, Va.-based payments and fraudconsultant, put the Apple Pay fraud rate at 6%, much higher thanthe microscopic, traditional credit card fraud rate of 0.001%.Abraham wrote in a blog post that fraud through Apple Pay “isgrowing like a weed, and the bank is unable to tell friend fromfoe. No one is bold enough to call the emperor naked.”

The weakness in Apple Pay lies in the way it accepts new creditcards into its system. Because Apple wanted its system to be assimple as possible, the company required consumers to submit littlebeyond their basic credit card information. Further, Apple does notprovide much additional information to financial institutions, suchas phone numbers and addresses, to help detect fraud.

When customer care centers saw that accounts were flagged, theyresponded by helping fraudsters, who disguised themselves ascustomers, use their cards, leading to more fraudulent cards beingapproved for Apple Pay use.

“Call centers are a poor approach for two reasons,” Abrahamwrote. “One, fraudsters are better at social engineering than callcenter reps are at sniffing out fraud.”

The advantage for credit unions is that they might know theirmembers better. However, hoping a service representative recognizesa member's voice is not a defense strategy in itself, and as callcenter fraud continues to affect institutions, they can respondwith innovative defenses and fresh technology, such as biometrics,experts said.

For example, Authentify recently launched the AuthentifyxFASecureCallCenter, an application that pre-identifies andpre-authenticates mobile users wanting to speak to a call centerrepresentative using voice biometrics.

To utilize SecureCallCenter, users log into their institution'smobile app, then tap a call center button, which triggersAuthentifyxFA's biometric authentication sequence. Concurrently, avoice channel opens to the call center. Once the user issuccessfully authenticated, the SecureCallCenter app connects theend user's call and passes the contact and account information to amodule at the call center's console.

This prevents the service representative from having to spendtime verifying the member's address or asking challenge questions,and because the app sits on the end-user's smartphone, there's noneed for the financial institution to invest in biometrictechnology itself. Zurawski explained that typically, inboundbiometrics technology is installed on-site as part of a callcenter's technology, and financial institutions pay by the seat,which can get expensive.

One advantage of mobile technology is that it does offerautomatic, mutual authentication, which has always been a HolyGrail of validation, Zurawski said. He maintained that at somepoint, the voice channel telephone number that accompaniessmartphones may become as important of an identifier as a SocialSecurity number.

If the experts are correct, credit unions may need all the helpthey can get when it comes to call center fraud. In a recent blog,Avivah Litan, an analyst for Stamford, Conn.-based IT research firmGartner, said financial institutions can anticipate assaults oncall centers to increase, adding that since credit unions and bankshave amplified investments to protect their online bankingplatforms, fraudsters have zeroed in on the call center.