May 21, 2020
Security Challenge Questions
By Dave Krasinski, Senior Director of Identity Risk Solutions, Neustar
Helping Fraudsters, Frustrating Customers
For the third year in a row, respondents to the Neustar 2020 State of Call Center Authentication Survey recognized the call center as a primary source for account takeover (ATO) attacks, second only to web-based attacks. This is consistent with the broad increase in identity-based fraud that began accelerating after the introduction of EMV chips in credit cards.
Do Challenge Questions Work?
It is easier to take over an account than commit credit card fraud, especially over the phone, where knowledge-based authentication (KBA) reigns. A majority of Neustar's survey respondents still trust KBA to accurately authenticate inbound callers.
Likewise, a commissioned study conducted by Forrester Consulting on behalf of Neustar (Mitigate Fraud and Consumer Friction with Integrated Identity Verification, February 2019) found that "92% of the fraud management decision makers we surveyed said that [KBA] is somewhat or very effective at reducing ID theft and fraud." If you are among the 92%, I've got bad news for you.
Related: Watch on-demand: Why Fraudsters Love Your Contact Center's Authentication, and Customers Hate It
What's at Stake with Inbound Caller Authentication?
- More fraud
- More frustration for customers
A Fraudster's Playground
Fraudsters can buy or find answers to most KBA questions. Consumers' personally identifying information (PII) has either been breached or shared on social media. When criminals call in, they combine that PII with social engineering tactics to convince the agent to grant them access to the customer's account.
The fraudster may go to the effort of spoofing a customer's phone number or simply use a virtualized call service to bypass legacy defenses. 70% of respondents to Neustar's survey saw "somewhat" or "much more" threat activity coming from virtualized call services. These services make it easy to perpetrate ATO. Fraudsters create a free email account and then register it with a virtualized calling service that requires only an email account to activate. No other steps are needed; criminals can now make legitimate calls that will slip by spoof-detection technologies.
Virtualization frees criminals from the need to imitate specific callers' numbers. Rather, they only need to reach an agent from a legitimate number that is unrelated to a customer's record. When they connect they have an excellent chance of socially engineering the agent into granting control over a customer's account.
The threat of virtualized call fraud is pervasive. Fraud feedback data from Neustar's customers show as many as 80% of ATO attempts between September 2019 and February 2020 were made with virtual calling services.
KBA isn't just ineffective in preventing ATO attacks; it also actively degrades the customer experience.
A Customer's Headache
Instead of taking an opportunity to build loyalty, greeting callers with KBA sends the message "We don't know you and we don't trust you." That is not how to address customers calling for help.
And yet, because potential fraudsters cannot be isolated, all callers must be subjected to more invasive authentication. It is jarring for customers expecting a smooth, easy experience similar to what they get online. The dissonance puts organizations reliant on KBA at a disadvantage with more innovative competitors.
Consumers want to resolve their issues quickly, but KBA extends average handle time by 30-90 seconds. Longer wait times extend the period during which callers can ponder, "Would I get faster service from this organization's competitors?" KBA frustrates customers and empowers criminals because it distracts from quickly resolving the original purpose of the call.
The solution? Authenticate callers without agent intervention. Not only has this been proven, but it also equates to less fraud, less friction, and more functionality.
The faster the person on the other end of the line can be authenticated, the better call centers can deliver safe, speedy experiences without compromising security.
Ownership-based authentication is a proven method of delivering on the promise of authentication without agent intervention. The process completes authentication before the caller hears "hello," making it faster and more secure than KBA.
With ownership-based authentication, average handle times go down while containment in the Interactive Voice Response system goes up. Trusted callers can be offered self-serve options that are too risky with KBA: contact information updates, loyalty program redemptions, and even shipping address changes for orders en route. Only the smaller remaining pool of unauthenticated callers get the full focus of the fraud department. This shrinks the proverbial "haystack" as well as reduces friction and optimizes expensive fraud personnel and resources.
In a time when many contact centers now view growth in terms of improving service rather than expanding size, contact centers need a cost-effective path toward offering greater functionality without jeopardizing the customer experience or risking more fraud loss. That is what ownership-based authentication provides.
How Neustar Can Help
Neustar Inbound Authentication improves call centers' ability to efficiently manage high volumes of consumer interactions by identifying callers -- even those calling from a number different than the one on file -- using the Neustar OneID® identity platform. In tandem, the solution authenticates callers by determining that each calling device is unique, authentic, physical, and presents little-to-no risk of fraud.
Before hearing "hello," approximately 90% of callers are identified and authenticated by Neustar Inbound Authentication. They can be routed into a Trusted Caller Flow for faster service and are offered higher-value self-serve options in an IVR. Call center agents can be shielded from social engineering attacks so they can focus on problem-solving. Only unauthenticated callers will be candidates for the fraud department.
Fraudsters hate it. Customers love it.