Credit Union Call Centers Seek Balance
CUs try to find a balance between investigators checking IDs and agents maintaining the member experience.
Credit union contact center employees, who are now handling more than calls, are trying to strike a balance between acting as crime scene investigators checking identities and helpful agents attempting to sustain or improve the member experience.
This second and final installment in a two-part article series looks at call center threats, and possible solutions available through digital identification and bot mitigation.
Two CUSOs that recognize how credit unions are straining to find the right security-experience equilibrium – the Columbus, Ohio-based Sherpa Technologies, aimed at simplifying digital transformation solutions, and Denver, Colo.-based CULedger, focused on delivering a premier network of one-to-one financial exchanges – reached a Letter of Understanding (LOU) to collaborate with Sherpa’s verification partner, ID-Pal.
“We partnered with ID-Pal because it is a compliant, end-to-end solution that offers a comprehensive and seamless verification and member experience. Additionally, we chose to become an investor in CULedger due to its promise to deliver innovative digital experiences and open platforms to the credit union industry,” Keith Riddle, president/CEO of Sherpa Technologies (which is wholly-owned and funded by the $3.5 billion Columbus, Ohio-based Corporate One Federal Credit Union), said.
John Ainsworth, president/CEO of CULedger, added, “The joint solution with Sherpa and ID-Pal provides credit unions the opportunity to integrate a next-generation verification process for members.”
The LOU enables the CUSOs to collaborate on the development and delivery of a more efficient, secure authentication method and digital identity to credit union members. By utilizing CULedger’s MyCUID, which gives credit union members a portable, lifetime digital identity, members receive a tokenized credential that is created instantly using the ID-Pal verification process. Members can use this credential to authenticate themselves at any time via any channel, from the branch to mobile. The credential provides this authentication not only to the member’s own credit union, but to any other CULedger network-enabled credit union or business.
Riddle explained all identity verification experiences, whether it’s a call center, digital mobile experience or a shared branching experience, have to be taken into account from a total fraud and security management aspect. He maintained Sherpa is dedicated to simplifying credit unions’ digital transformation efforts and leading them through those member experience challenges, such as member verification, along that path.
Riddle pointed out the New York, N.Y.-based McKinsey & Company discovered that using a high-assurance identity process for registration could lead to a 90% cost reduction in customer onboarding alone. (McKinsey also reported that worldwide, consumer identity theft costs businesses an estimated $141 per person.)
Riddle said unless call centers use advanced tools such as digital identity verification, they must rely on the old standbys such as out-of-wallet questions (gathered during the member’s registration process) and knowledge-based authentication (KBA).
A variety of KBA scenarios create tension because members sometimes have difficulty remembering abstract things like a previous address or automobile. “The knowledge-based authentication, whether it’s in the call center [or during] onboarding, has started to create friction,” Riddle admitted.
Some identifying data is no longer retrievable for many folks because credit reports are being locked down due to security and data breach concerns. Riddle explained agents may need to rely on a combination of inaccurate, stale and external data.
Riddle also stressed the importance of allowing members to manage their data from a current, forthcoming, regulatory and preferential standpoint within a platform. Sherpa uses Mosaic, a cloud-based digital development and integration system, to bring pieces together and create a fluid member experience. “With ID-Pal, they have an experience that can be used by the credit union, and branded and deployed very quickly. That experience can be componentized and integrated within their existing digital banking.”
Riddle emphasized, “CULedger and the MyCUID application is about the ability of a member to control their identity and how that’s distributed to their credit union today, and a different credit union that participates within that same application in the future.” Additionally, credit unions need to be at the forefront of providing digital ID management as a service to their members “to create that foundation of what’s called self-sovereign identity, where I control everything,” he said.
While small financial institutions, many of which are credit unions, struggle to stay ahead of cybersecurity threats, fraud gangs constantly upgrade their technology capabilities.
Reid Tatoris, vice president of outreach and marketing for the San Francisco, Calif.-based robot detection and mitigation company Distil Networks, said, “When I think about bots and financial institutions, the biggest challenge is account takeover, with the hacker using a bot to break into customer accounts and then steal personally identifiable information.”
Tatoris indicated malicious bots fall into two categories: Those that try a bunch of different password combinations, but are less effective since security measures have been put in place to limit the number of login attempts; and the more threatening credential stuffing bots, which use valid authorizations purchased on the dark web. “It’s a little harder to protect against [them] because they have the correct login information,” Tatoris pointed out. Often these account takeover attacks utilize passwords gained from a data breach.
Distil reported in its 2018 study “The Anatomy of Account Takeover Attacks” that once data from breaches takes on a public life, websites experience a 300% increase in volumetric credential stuffing attacks, many aimed at financial authentications, with weekends being the most susceptible time. “About 40% of all account takeover attacks happened during that time,” Tatoris said. This shows cybercriminals are not only upgrading their hacker tools but also optimizing their strike schedule.
Tatoris warned that while financial institutions can have really good security measures in place, user credentials may, through no fault of the institution, still end up in hackers’ hands because of a break somewhere in the information custody chain. More than 2.2 billion login credentials have been compiled, ready for hackers to use, according to researchers from the Hasso Plattner Institute in Germany.
Making matters worse are users. “Not only do they reuse passwords, but they will reuse the same password on every site they log into,” Tatoris observed. “I’ve seen the security experts estimate that somewhere between 3% and 5% of your users’ credentials are likely available on the dark web. If you’re a financial institution, some subset of users’ credentials is available for hackers.”
Obviously financial institutions are much bigger targets than other sites because they have really sensitive information, Tatoris noted. “When it comes to personal information, there is not much difference from a bank to a credit union for the hacker.”
However, the response to a breach is probably going to eat up a larger percentage of a credit union’s resources than a large bank’s.
“If I’m a hacker and I have a list of, let’s say, a million dial-in user credentials, the only way this is valuable to me is if I use automation tools to try and test that against different websites,” Tatoris explained. “Obviously it makes no sense for me to go in and manually type in a bunch of credentials into a credit union page to see if it potentially goes.”
However, there are automation tools that credit unions can use to protect their site from automated intrusion attempts. Tatoris said although only a handful of requests may originate from a specific IP address, “We are going to look at, where is it coming from, what does the browser look like? What is the device like? Sometimes we’ll detect that this is bad traffic before it even gets to the site.” That’s really important, he added, because most of the attacks seen today are distributed from a device and IP address that have never been seen before.
The next thing Distil does, once a user actually hits the login page, is observe how they interact. “We’re looking at mouse movements, how they click, how they type, how they scroll on the page, to see if they interact like a normal human being,” Tatoris said.
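An added illustration (not from the article, and not Distil's implementation) of why per-IP attempt limits miss the distributed pattern described above, while grouping login events by a client fingerprint surfaces it. The events, the `fp-*` fingerprint labels and every threshold are constructed assumptions.

```python
from collections import defaultdict

MAX_FAILS_PER_IP = 5                               # per-address lockout threshold (assumed)
MIN_USERS, MIN_IPS, MIN_FAIL_RATIO = 10, 10, 0.8   # cluster thresholds (assumed)

def sample_events():
    """Constructed events: (source_ip, client_fingerprint, username, success)."""
    events = []
    # Distributed credential stuffing: 40 addresses, 2 attempts each, one client build.
    for n in range(80):
        events.append((f"198.51.100.{n // 2 + 1}", "fp-a1", f"member{n:03d}", n % 27 == 0))
    # Ordinary members: one mistyped password, then normal logins.
    events += [("203.0.113.10", "fp-b2", "alice", False),
               ("203.0.113.10", "fp-b2", "alice", True),
               ("203.0.113.11", "fp-c3", "bob", True)]
    # Six different members behind one office NAT each mistype once.
    events += [("192.0.2.50", f"fp-nat{k}", f"staff{k}", False) for k in range(6)]
    return events

def flag_by_ip(events):
    """Per-IP attempt limiting: addresses with more than MAX_FAILS_PER_IP failures."""
    fails = defaultdict(int)
    for ip, _fp, _user, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, count in fails.items() if count > MAX_FAILS_PER_IP}

def flag_by_fingerprint(events):
    """Cluster by client fingerprint: many accounts, many addresses, mostly failures."""
    groups = defaultdict(lambda: {"users": set(), "ips": set(), "total": 0, "fails": 0})
    for ip, fp, user, ok in events:
        g = groups[fp]
        g["users"].add(user)
        g["ips"].add(ip)
        g["total"] += 1
        g["fails"] += not ok
    return {fp: {"users": len(g["users"]), "ips": len(g["ips"]),
                 "fail_ratio": g["fails"] / g["total"]}
            for fp, g in groups.items()
            if len(g["users"]) >= MIN_USERS and len(g["ips"]) >= MIN_IPS
            and g["fails"] / g["total"] >= MIN_FAIL_RATIO}

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP limit flags:", flag_by_ip(ev))
    print("fingerprint clustering flags:", flag_by_fingerprint(ev))
```

On this sample the per-IP limit flags only the shared office address, a false positive, while the fingerprint cluster isolates the automated traffic without touching the ordinary members.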
Tatoris observed that recently, as organizations get better at defending their websites, mobile apps and APIs are becoming much bigger targets. Large financial institutions have huge teams building and servicing their apps, while credit unions and other smaller institutions do not tend to have such resources available. If a sophisticated hacker finds security on the mobile side is not as deep as security on the credit union’s website, that offers an easier avenue to drive through.
Distil’s technology protects websites, mobile apps or APIs – wherever the attacks come from.