Fraud has been a problem for contact centers for decades, but modern technology has given sophisticated fraudsters many new opportunities. Shirley Inscoe, senior consultant for Aite, noted in a recent webinar, “Over 42% of the contact center management surveyed reported that fraud was up in the last year, 26% said fraud was flat and 21% said fraud was down. One executive at a large call center commented that he had started seeing a significant uptick in organized fraud activity in just the last few months.”
Fraudsters have come up with hundreds of scams over the last few years, most involving social engineering, but the ultimate goal is almost always to impersonate a customer and gain control of their account. Once the fraudster successfully impersonates a customer, he can change PIN numbers or passwords, then transfer or withdraw customer funds.
Fraud detection is an ongoing game of cat-and-mouse between fraudsters and contact center management, with management virtually always playing catch up. Call-forwarding-based fraud, for example, has been a major issue over the last few years. Once in a while, however, a new security technology comes along that gives the white hats the upper hand for a period of time, and phone- and call-printing appears to be such a technology.
We all have had the experience of calling a bank or a merchant where we do business, and having to answer several personal questions to verify our identity. This is called knowledge-based authentication (KBA). Unfortunately, this verification method is not foolproof, as fraudsters today often have access to a great deal of personal information about their intended victims.
This has led to a situation where contact centers are not just asking for your social security number or date of birth, but are also asking deep biographical questions like what is your mother’s maiden name or what was the name of the school where you went to first grade.
This kind of in-depth KBA is problematic on two levels. First, it simply takes too long. You can be asked to answer up to eight or nine questions, which could take longer than 90 seconds. In fact, the average KBA process takes over 60 seconds. Vijay A Balasubramaniyan, CEO of Pindrop Security, comments, “While KBA authentication typically takes over a minute today, phone and call-printing allows authentication within 18 to 20 seconds on average.”
Second, many people simply can’t remember obscure biographical details like the name of their first school, and become frustrated by the entire process. Inscoe commented, “I had two institutions tells me that 15% of their legitimate clients are not able to answer the KBA questions asked them.”
Static KBA is just asking one or two verification questions, such as social security number or address, and the questions remain the same every time. Dynamic KBA is when the verification questions are changed regularly, and a longer list of personal info, some of which a fraudster is unlikely to know, is used. However, even dynamic KBA does not provide highly robust security today, as a fraudster can easily get access to credit reports and other sources that provide detailed information on their intended victims.
Voice biometrics (creating voice prints of specific callers based on recorded calls) is another known anti-fraud technology. Voice printing is a reactive technology, however, as screening out callers based on voice biometrics only happens after you have identified a fraud; you are still vulnerable to ongoing fraud until the fraudster has been identified and voice-printed. Voice biometric systems are also relatively expensive.
Phone- and Call-Printing
One of the most recent security technologies is called phone-printing. Phone-printing extracts over 100 features from a call, creating a unique phone fingerprint on the basis of loss characteristics, noise characteristics and spectral characteristics.
The phone fingerprint allows the white hats to almost instantly know whether it was a landline, cell phone or VOIP, and to identify where the call is originating, as well as whether it is using Skype or Google Voice or another network. The overall analysis results in a risk code being assigned to the call. A high risk code alerts the contact center agent or triggers a transfer of the call to the fraud risk team.
Balasubramaniyan explains, “Let’s say the number is a land-line in Atlanta that’s never been quoted, and it’s been working for the last three months. Once we have that information we compare it to the audio characteristics. Then we can say, wait a minute, why is a landline in Atlanta sounding like a Skype phone in Nigeria. There is something very wrong with this call.”
Balasubramaniyan also highlights the robustness of phone-printing technology. “With our multi-factor solution, we have a [fraud] detection rate of well over 80% across all deployments, and we have a false positive rate of less than 2%.”