Curbing Contact Center Authentication Breaches

By nature, criminals who choose to commit their crimes over the internet are on a mission to find new and creative ways to simultaneously defraud both consumers and companies. It doesn't help that traditional contact center authentication methodologies are easily circumvented by social engineering, which enables fraudsters to prosper.

The average smartphone or laptop computer is biometrically protected via fingerprint identification. Consumer-facing websites can only take credit cards via PCI-compliant mechanisms, and many demand two-factor authentication to access consumer accounts. In data centers, companies spend tens of millions of dollars, are subject to rigorous regulatory oversight, and face massive liability issues if they don't effectively guard access to banking, insurance, medical and numerous other sources of highly sensitive personally identifiable information (otherwise known as PII). Yet when users contact their credit union (or any of the other above-referenced organizations), all they need to supply is basic personal information – the same information that an experienced hacker can glean, often from public domain sources or simple social engineering, in minutes.

Recommended For You

Anyone who's called a service agent in the past several years knows the drill. After waiting, you're asked three or four questions that combine personal information (name, date of birth and the last four digits of a credit card or Social Security number) and specific information about the account in question ("name one recent transaction," "name your last cash withdrawal," etc.). Once you give answers to these questions, you're "authenticated" and offered full access to all account information. Moreover, you can ask the agent to run almost any type of process – taking a loan, approving a questionable transaction, transferring money – anything at all. And that's a problem.

What's Broken?

At one point in time, this authentication methodology may have provided a reasonable amount of security. But in today's hyper-connected world, social engineering based on information easily found via social networks and Google searches makes getting three to four answers "right" almost too easy.

Moreover, today's call center agents are overworked, undercompensated and not generally trained to detect socially-engineered frauds. In the interest of customer satisfaction, agents are often instructed to ask as many questions as it takes to receive the right number of "correct" answers. And, many call centers are outsourced. This means that any given agent may serve a number of different clients, with no tight managerial supervision by the company that actually "owns" the customers. These cost-conscious, outsourced call centers typically do not maintain the same level of vigilance and dedication to managing – and thwarting – security threats.

With Risk Comes Cost

According to a 2017 report by call center anti-fraud and authentication company Pindrop, the call center fraud rate jumped a whopping 113% from 2015 to 2016, with the loss per call amount estimated around $0.58 per call. That might not seem like much, but multiply it times the hundreds of thousands of calls large corporations field each year, and it's easy to see how hugely impactful this problem truly is.

There are also other less obvious, yet equally important, costs to broken call center authentication processes. They include:

Operational costs. Effectively verifying a caller's identity takes time, even when using flawed protocols. Call time, as any customer service stakeholder knows, has a direct impact on the bottom line. Moreover, fraudsters make five calls for every transaction – five times more than a legitimate customer would for the same transaction. And effective social engineering takes time, too. All this dramatically impacts call center overhead.
Regulatory liability. The burden of fraud prevention falls squarely on the shoulders of service providers and regulators do not take kindly to violations of privacy regulations. Fines and sanctions are common and can be steep, and even criminal charges are not unheard of.
Brand and reputational damage. Call center fraud is effectively a data breach, and the public and media (not to mention social media) are harsh judges of such violations. Service-intensive industries like finance, healthcare and insurance are especially vulnerable to measurable brand equity damage from these incidents.
Customer experience. As awareness of the threat of fraud grows, many call centers adopt more stringent and time-consuming authentication procedures. This not only raises the average cost of resolution, but also dramatically degrades the overall call center customer experience, with frustratingly-long wait times and noticeable agent irritability.

Finding a Resolution

The ubiquity of smartphones can facilitate a sea change in call center security. Unfortunately, most call centers are not yet making full use of common smartphone feature sets. Without radical business process adaptations or even massive investments in technology, call centers can still effectively and safely authenticate their callers. Here's how:

Automate authentication. There are numerous methods by which callers can authenticate themselves prior to reaching an agent. Companies can employ centralized solutions such as voice biometrics to screen callers. Or they can authenticate using solutions that rely on typing in a username and password, pattern authentication, or even fingerprint and face recognition. All this takes place before live agent interaction – eliminating the possibility of social engineering and lowering the burden on agents.
Use in-call authentication. For call centers that prefer live agent authentication, smart agent-caller collaboration tools give callers the ability to use the camera on their smartphone to authenticate via selfie and photo ID – just like they would do in a real branch. Service providers can make this type of authentication mandatory – and any customer who opts out would be required to sign a waiver acknowledging that his or her private data may be at risk.

As the customer service industry continues to experience unprecedented technological development, the ongoing success of a company will be determined by its ability to address developing challenges with new technology available. Authentication breaches have been a long held challenge to call center operators, with potentially detrimental implications when inadequately addressed. Isn't it time the industry knocked this issue out?