Information security has emerged as a significant concern for businesses that use call centers and Interactive Voice Response or voice portal systems for customer service, which include financial services institutions, insurance agencies and health care companies. Here, Knowledge Center contributor Ron Settele explains how companies can safeguard against a contact center security breach, while meeting new regulatory demands to prevent identity theft.
theft remains a major problem in the United States, with Americans
losing $45.3 billion last year. In 2007 alone, 8.4 million adult
Americans, or one in 27, were the victims of identity fraud
While this is a drop of 11 percent from the $51 billion lost in
2006, it's still a significant issue for consumers. Contact centers and
IVR (Interactive Voice Response) / voice portal systems are
particularly vulnerable since existing methods of confirming callers'
identities are insecure.
Understandably, consumers today are concerned about security. When
it comes to access to voice self-service systems, they are not
satisfied with PIN numbers and content knowledge alone for identity
verification. Compared to current authentication methods, an increasing
number of consumers feel that the use of their voiceprint would go a
long way in making their transaction more secure and convenient.
Most consumers would enroll their voiceprint with their financial
institution, for example, if given the opportunity.
Established in 1979, the Federal Financial Institutions Examination Council (FFIEC
a "formal interagency body empowered to prescribe uniform principles,
standards and report forms for....financial institutions." In 2001, the
FFIEC provided specific guidance on authentication in an Internet
banking environment. In 2005, it updated that guidance to include
high-risk services performed through telephone banking systems and call
centers attached to financial institutions. As financial institutions
enhance their Internet banking security, threats will migrate to other
access channels--mainly the telephone.
The insurance and health care industries are being similarly
impacted by the Privacy Rule under HIPAA (Health Insurance Portability
and Accountability Act of 1996). HIPAA itself protects "individually
identifiable health information" held or transmitted, in any form,
whether electronic, paper or verbal. HIPAA's Privacy Rule
establishes regulations for the use and disclosure of Protected Health
Information (PHI), which is any information about an individual's
health status, including biometric identifiers such as finger and
Both of these policies are forcing organizations to a heightened awareness of how to address critical security issues.
Until very recently, you could always count on being prompted for
your account number and the last four digits of your social security
number when accessing a self-service system. In many cases, the same
would be true when speaking to a live agent. Times have certainly
changed! There are now many methods available to enhance caller
authentication. However, no single method is adequate. Utilizing
multiple "factors" to authenticate the identity of a caller is advised.
What is a factor? The FFIEC places factors into three specific categories:
Category #1: Something the user has, such as an ID card, security token, software token, phone or cell phone
Category #2: Something the user knows, such as a password, passphrase or PIN number
Category #3: Something the user is (such as voiceprint, fingerprint or retinal pattern)
In some cases, providing access with a single-factor, multi-item
authentication would be considered adequate. In this case, challenging
the caller with pieces of information that only they would be likely to
know are used. These solutions are typically simple to implement and
could be deemed adequate for callers accessing information that is not
But that's where the rub is! Opinions differ widely as to what types
of information should be deemed sensitive. And, with the proliferation
of information that can be accessed via the Internet, could
single-factor, multi-item authentication ever be viewed as secure
Multifactor and risk-based authentication solutions
These concerns by the consumer are pushing enterprises to consider
multifactor and risk-based authentication solutions. Using something
the user "knows" in combination with something they "are," provides a
much more secure environment in which callers can access account
information and transact business. The ability to compare and verify a
voice sample from the caller against the voiceprint found in the
customer profile (for the account being accessed) significantly
increases the likelihood that the right person is attempting to access
Even more secure authentication methods are available if other
parameters are taken into account. What if, on top of the multifactor
authentication method described above, the system also took into
account the number from which you were calling? Or how about whether or
not the transaction you are performing is typical based on past
behavior? How about taking into account the "Superman Effect?" What do
I mean by that? It's when someone tries to access your account from Los
Angeles and then tries again just an hour later from New York City.
Risk-based authentication can take all of these parameters into
account and more. How about taking into account access attempts from
the Internet and the contact center? Solutions such as these are
available today and can be tailored to meet your business needs. Market
and regulatory pressure is building to require enterprises to deliver
more secure access to customer account information. How secure is your
Ron Settele is a Customer Authentication Specialist within the Relationship Technology Management (RTM) business unit at Convergys Corp.
He has more than 23 years of experience in providing product management
and product marketing leadership at high-technology solutions providers
such as MCI and Alcatel.
During his six years at Alcatel, he led both product management
and product marketing teams that delivered and marketed telephony
offerings to the carrier market. Prior to that, while at MCI, he
led a team of product managers that defined solutions to provide
sophisticated calling features.
Ron holds a U.S. patent for intelligent routing of international
call traffic. He earned a Bachelors of Engineering in Mechanical
Engineering from Stevens Institute of Technology. He can be reached at Ron.Settele@convergys.com.