Call Centers: The Weakest Links in Authentication Chain

A new report confirms financial call center professionals are under attack with social engineering attempts.


More than half of financial services industry respondents, and 32% of all respondents, recognized the phone channel as the primary source of account takeover (ATO) attacks in a new call center report.

The “2019 State of Call Center Authentication,” from Portland, Ore.-based caller authentication and fraud prevention systems provider TRUSTID, a Neustar company, revealed criminals’ evolving tools and tactics, and call center leaders’ intentions to fight back while preserving the customer experience.

The report confirmed financial call center professionals are under attack with social engineering attempts from fraudsters looking to take over customer accounts. Other survey findings included rising threats from a dangerous new vector, virtualized calls; call center representatives preferring that caller authentication occur before the call is answered; and a doubling this year in the number of companies planning to implement multi-factor authentication.

The call center report also disclosed business leaders’ maturing attitudes about implementing protective measures as criminals continue to exploit the call center for ATOs. It all revolves around authenticating callers. “If criminals can pass through that defensive measure, then they can take over consumers’ accounts,” Patrick Cox, Neustar vice president and general manager of TRUSTID, said.

The report suggested that credit union call centers, like those at many financial institutions, are the most exploited area in a credit union’s security perimeter. As credit unions strengthen their cybersecurity defenses, fraudsters instead target call centers, using personally identifying information easily obtained from the dark web.

“One hundred percent of account takeovers occur after weak authentication. None of your credit union readers would ever offer to give money to an unauthorized person or a stranger so that somehow people beat the authentication process,” Cox emphasized.

The call center survey results spotlighted six insights:

  1. Call centers are now the vector of choice for criminal attacks. This year, 51% of respondents from the financial services industry, and 32% of all respondents, recognized the phone channel as the primary source of ATO attacks. “Fraudsters increasingly recognize it as the weakest link in an organization’s attack surface,” the report emphasized.
  2. Virtualized calls pose the greatest ATO threat. Across all industries, respondents recognized much more criminal activity coming through virtualized calls (40%) than spoofed calls (32%). Criminals are increasingly turning to web-based calling services (Skype), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX, which together form the biggest threat vector to call centers today. “The calls are authentic, unique and legitimate.”
  3. Customer experience and fraud prevention expected to improve in tandem. Despite the shifting threat landscape, and concurrent pressure to deliver the best customer experience possible, 76% of call center leaders felt they could prevent ATO without obstructing their customers’ experience. Survey data also suggested eagerness for change, with 46% ‘very’ or ‘somewhat’ dissatisfied with their current caller authentication method(s), a 50% increase since 2018.
  4. Pre-answer authentication emerged as preferred choice. There is growing interest in pre-answer authentication approaches to speed the verification process – with respondents increasingly recognizing speed as essential to delivering the best customer experience possible.
  5. Easy customer enrollment tops requirements. Three clear frontrunning priorities emerged: easy user enrollment (if callers refuse to sign up for a new authentication approach, then the technology can’t deliver any benefit); improved fraud detection (91% of respondents rated this as a high priority); and authentication accuracy (respondents will only consider new technologies that can authenticate legitimate callers).
  6. Plans for true multi-factor authentication doubled. The percentage of respondents not knowing their organization’s plans for MFA dropped from 36% to 27%, indicating that more organizations are formalizing plans to reduce their dependence on a single-factor knowledge-based authentication (KBA) approach. Respondents planning to replace KBA with an MFA approach based on new technologies more than doubled from 8% to 17%.

In January, Sterling, Va.-based information provider Neustar completed its acquisition of TRUSTID. The purchase, announced in November, is part of the company’s effort to grow its portfolio, customer base and revenue.

Read more about the importance of caller verification in the April 3 issue of CU Times.