With cybercrime skyrocketing over the past two decades, companies that do business online — whether retailers, banks, or insurance companies — have devoted increasing resources to improving security and combatting Internet fraud. But sophisticated fraudsters do not limit themselves to the online channel, and many organizations have been slow to adopt effective measures to mitigate the risk of fraud carried out through other channels, such as customer contact centers. In many ways, the phone channel has become the weak link.
Most contact centers have continued to rely heavily on knowledge-based authentication to grant callers access to their accounts. However, the ready availability of personal information, either stolen in data breaches or gleaned from social media, makes it increasingly easy for criminals to impersonate customers. Add in some Caller ID or automatic number identification (ANI) spoofing, and fraudsters are well on their way to deceiving call center staff and taking over customer accounts.
The phone channel is uniquely vulnerable to spoofing for a number of reasons:
1. Easy creation and manipulation of call signaling data. An incoming phone call contains signaling data with billing and routing information. However, it is simple for a hacker to alter legitimate call signal data, which is why spoofing has become an epidemic. Spoofing is simply changing or falsifying call-signaling data. It's easy to do using any of dozens of software tools such as FreeSWITCH or Asterisk. When a criminal originates a call, he or she can create all the signaling data needed to mimic a legitimate calling number.
2. Lack of encryption. Most websites today can encrypt a communication system end-to-end, from the browser to the web server. In contrast, very few telephone calls are encrypted end-to-end. This is because the security infrastructure that is mature in web communications is still in its infancy within the telephone network. Getting encryption in place is a slow process because it requires compatible and reliable networking capabilities for telephone communications among all the carriers in the world. That is a long process. In the meantime, this means that the vast majority of telephone calls and their call signaling data are sent in plain text and can be manipulated.
3. Many opportunities to launch attacks. There are thousands of telephone carriers in North America alone, and tens of thousands of global partners that offer access to place calls. Fraudsters exploit carriers and partners with lax security practices or no enrollment requirements. This enables criminals to remain anonymous and leaves them free to launch attacks without any repercussions.
By iterating attacks with multiple signatures on different access points, criminals will find a combination that can perfectly mimic calls from major carriers. Once successful, they can mimic calls from all the customers of that carrier.
Knowledge-based authentication, or KBA, is just as vulnerable because of fraudsters' relatively easy access to the personal information needed to correctly respond to call center agents' identity interrogation. This information can be purchased on the Dark Web or unearthed by simply scouring the social media sites of an account takeover target.
So, how do we forge a more secure path forward? The basic answer, no matter the particular security solutions involved, is multifactor authentication. Multifactor authentication is a strategy in which inherence and/or ownership factors (that is, something known by a person and/or something in their physical possession) are used to verify a caller's identity, thus reducing or eliminating reliance on KBA and spoof detection. A bank would never allow ATM use without knowledge of a PIN and ownership of a physical debit card, and it's time for companies to adopt this same approach to secure their phone channels.
Multifactor authentication has long been recognized as more secure, and the available tools are becoming increasingly sophisticated. For example, to incorporate an inherence factor, which uses a physical attribute of a caller, contact centers can deploy voice recognition systems. These systems obtain a voice print from a caller and compare it to a reference voice print to make an authentication determination. (Note: TRUSTID offers pre-answer caller authentication as an alternative to KBA and as part of a multifactor authentication solution. Many companies in the industry provide additional caller authentication solutions for multifactor authentication.)
A complementary technology uses a caller's phone as an ownership-based authentication token. This approach audits all phone calls, devices, and line types from within the global telephone network to ensure that the phone call and device are real and unique and can thus provide a deterministic authentication outcome in the form of an ownership authentication token.
In transitioning to an optimally secure authentication solution, voice biometrics or phone ownership authentication can be paired with KBA to create a quick-fix two-factor authentication approach. Our recent survey of contact center professionals showed that the majority of organizations planning to move to multifactor authentication expect to do so by adding a new factor to their existing KBA process.
Companies that want to gain their customers' trust must show that they take information security seriously. This means not only employing robust measures to prevent data breaches but also implementing multifactor authentication systems to ensure that personally identifying information stolen from other companies or gleaned from social media profiles will no longer empower fraudsters to access customer accounts.