Identify theft remains a major problem in the United States, with Americans losing $45.3 billion last year. In 2007 alone, 8.4 million adult Americans, or one in 27, were the victims of identity fraud.
While this is a drop of 11 percent from the $51 billion lost in 2006, it’s still a significant issue for consumers. Contact centers and IVR (Interactive Voice Response) / voice portal systems are particularly vulnerable since existing methods of confirming callers’ identities are insecure.
Understandably, consumers today are concerned about security. When it comes to access to voice self-service systems, they are not satisfied with PIN numbers and content knowledge alone for identity verification. Compared to current authentication methods, an increasing number of consumers feel that the use of their voiceprint would go a long way in making their transaction more secure and convenient. Most consumers would enroll their voiceprint with their financial institution, for example, if given the opportunity.
Established in 1979, the Federal Financial Institutions Examination Council (FFIEC) is a “formal interagency body empowered to prescribe uniform principles, standards and report forms for….financial institutions.” In 2001, the FFIEC provided specific guidance on authentication in an Internet banking environment. In 2005, it updated that guidance to include high-risk services performed through telephone banking systems and call centers attached to financial institutions. As financial institutions enhance their Internet banking security, threats will migrate to other access channels–mainly the telephone.
The insurance and health care industries are being similarly impacted by the Privacy Rule under HIPAA (Health Insurance Portability and Accountability Act of 1996). HIPAA itself protects “individually identifiable health information” held or transmitted, in any form, whether electronic, paper or verbal. HIPAA’s Privacy Rule establishes regulations for the use and disclosure of Protected Health Information (PHI), which is any information about an individual’s health status, including biometric identifiers such as finger and voiceprints.
Both of these policies are forcing organizations to a heightened awareness of how to address critical security issues.
Until very recently, you could always count on being prompted for your account number and the last four digits of your social security number when accessing a self-service system. In many cases, the same would be true when speaking to a live agent. Times have certainly changed! There are now many methods available to enhance caller authentication. However, no single method is adequate. Utilizing multiple “factors” to authenticate the identity of a caller is advised.
What is a factor? The FFIEC places factors into three specific categories:
Category #1: Something the user has, such as an ID card, security token, software token, phone or cell phone
Category #2: Something the user knows, such as a password, passphrase or PIN number
Category #3: Something the user is (such as voiceprint, fingerprint or retinal pattern)
In some cases, providing access with a single-factor, multi-item authentication would be considered adequate. In this case, challenging the caller with pieces of information that only they would be likely to know are used. These solutions are typically simple to implement and could be deemed adequate for callers accessing information that is not considered sensitive.
But that’s where the rub is! Opinions differ widely as to what types of information should be deemed sensitive. And, with the proliferation of information that can be accessed via the Internet, could single-factor, multi-item authentication ever be viewed as secure enough?
Multifactor and risk-based authentication solutions
These concerns by the consumer are pushing enterprises to consider multifactor and risk-based authentication solutions. Using something the user “knows” in combination with something they “are,” provides a much more secure environment in which callers can access account information and transact business. The ability to compare and verify a voice sample from the caller against the voiceprint found in the customer profile (for the account being accessed) significantly increases the likelihood that the right person is attempting to access the account.
Even more secure authentication methods are available if other parameters are taken into account. What if, on top of the multifactor authentication method described above, the system also took into account the number from which you were calling? Or how about whether or not the transaction you are performing is typical based on past behavior? How about taking into account the “Superman Effect?” What do I mean by that? It’s when someone tries to access your account from Los Angeles and then tries again just an hour later from New York City.
Risk-based authentication can take all of these parameters into account and more. How about taking into account access attempts from the Internet and the contact center? Solutions such as these are available today and can be tailored to meet your business needs. Market and regulatory pressure is building to require enterprises to deliver more secure access to customer account information. How secure is your customers’ information?
Ron Settele is a Customer Authentication Specialist within the Relationship Technology Management (RTM) business unit at Convergys Corp. He has more than 23 years of experience in providing product management and product marketing leadership at high-technology solutions providers such as MCI and Alcatel.
During his six years at Alcatel, he led both product management and product marketing teams that delivered and marketed telephony offerings to the carrier market. Prior to that, while at MCI, he led a team of product managers that defined solutions to provide sophisticated calling features.
Ron holds a U.S. patent for intelligent routing of international call traffic. He earned a Bachelors of Engineering in Mechanical Engineering from Stevens Institute of Technology. He can be reached at [email protected].