For a very long time, call center security standards were dismissed as a storm in a teacup. Times have changed: recently, with almost 90% of call center agents working from a remote workplace or from home, the danger of spoofing attacks has skyrocketed. We keep a constant watch on the perils of call center authentication standards, even as attack methods such as man-in-the-middle (MITM), unencrypted networks, malware distribution circuits, snooping and sniffing, and social engineering take new forms to steal valuable consumer and personal data. Before you know it, the data is gone, undetected and untraced.
In 2020, especially as we deal with the COVID-19 pandemic, authentication risks are as real as your pet unplugging the computer from the mains!
According to the 2020 Call Center Authentication report published by Neustar, virtual caller identity remains the biggest vector for launching account takeover (ATO) attacks, bigger even than traditional spoofing attacks. Going by the report, customer contact centers are struggling against one visible threat, the COVID-19 pandemic, and two undetected demons: spoofing and virtual callers.
What is Virtual Calling Spoofing?
Virtual calling uses a pre-set telephone or VoIP number to forward calls without being tied to a direct telephone line. It is also called Direct Inward Dialing (DID) or a Virtual Phone Number (VPN; in this article the abbreviation refers to virtual phone numbers, not virtual private networks).
VPNs are provisioned to unite scattered staff, enabling them to work from a remote location or across multiple branch offices. In most cases (the authenticated ones), VPNs are purchased from a UCaaS or cloud phone system provider. However, the unregulated use of VPNs can also induce IP spoofing, becoming the biggest source of serious risks such as DoS/DDoS attacks, MITM attacks and network proliferation. VPN spoofing is a real danger in the current pandemic.
Virtual calling platforms can completely mask caller identity. Call center agents have expressed concern over virtual calling routers, given the recent spurt in fraud-related activity across the globe.
Neustar’s own customer data show that as many as 80% of account takeover attempts between September 2019 and February 2020 were made with virtual calling services, which allow criminals to make calls that will slip through spoof-detection systems. To combat this type of fraud, call centers will need to deploy tools that confirm each calling device’s uniqueness, authenticity, physicality and risk of fraud.
What did Neustar’s Call Center Authentication Report Find Out?
According to Neustar, caller identity remains a key concern for customer contact centers, with increased relevance to financial institutions in light of the turmoil caused by the COVID-19 pandemic.
Based on a survey of contact center professionals, the report found that awareness of newer authentication technologies continues to grow, though knowledge-based authentication (using callers’ knowledge of personal and account information to validate their identities) remains entrenched.
Here’s a quick overview of what Neustar’s call center authentication report found:
- Compared to traditional knowledge-based authentication (KBA), awareness of pre-answer phone call analysis is still low (82% versus 77%). Customers are still reluctant to divulge personal information during a virtual agent conversation.
- Only 23% of respondents preferred authentication to be completed in a conversation with an agent, while 32% use the interactive voice response (IVR) system to fill in the information. 39% of respondents preferred authentication before the call is answered.
- 70% of respondents singled out virtualized call services, stating that these lead to threat activity in which criminals bypass spoof-detection tools.
- Some percentage of agents also understand how social engineering, a fast-emerging term, works. Criminals are acquiring consumers’ data by socially engineering agents and selling it on the dark web and social media marketplaces.
Some institutions are at much higher risk from KBA than the rest. The risk grows with the scale and volume of data these institutions collect, store and analyze. As a result, spoofers see high-volume data collection agencies as a ready-made target to farm for their dark web business. Neustar has particularly warned the financial services industry about account takeover attacks via the voice channel, since call center agents become increasingly susceptible to social engineering attacks as customers’ personal information becomes less secure.
Add-on Security Measures in Dealing with KBA
The risk of account takeover is compounded by the growth in the use of virtual calling services. This year, more survey respondents saw an increase in virtualized calls (70%) than in spoofing (65%).
Although 54% of survey respondents said they were “somewhat” or “very” confident that KBA alone can accurately authenticate their callers, their stated plans suggest otherwise: just 17% plan to continue using only KBA in the year ahead.
In a recent interview, Matt Gyde, CEO of the Security Division at NTT, told me, “With the practically overnight trend of work from home, we are going to see one of the biggest shifts in the industry. Our security is going to move from on-premise hardware-based control to security-as-a-service all based in the virtual realm. Companies that have thought through the online security of data, applications, users, and devices will be able to take advantage of that shift.”
The largest share (34%) plan to supplement KBA with one new technology approach to create two-factor authentication, while others plan to replace KBA with a new single-factor technology approach (12%) or a new two-factor technology approach (15%). Just 23% reported being unsure of their plans for multifactor authentication, the lowest share since the survey began in 2018.
Latest Case Studies Push the Need to Adopt Stringent Call Center Authentication and Security Standards
The issues addressed in the Neustar report are particularly relevant to financial institutions today, in light of the turmoil caused by the COVID-19 pandemic.
Neustar observed a significant increase in bank contact center call volumes in March, as the spread of the novel coronavirus led to branch closures around the country, followed by new daily call volume records in April.
One retail bank’s customer service center experienced three days with more than a million calls per day in April, reportedly due to consumers calling to check on the status of their direct-deposit government relief checks.
High call volumes, with associated long wait times for customers, increase the costs of relying on identity interrogation for authentication — in terms of both customer experience and agent time. The onboarding of less-experienced employees to accommodate these larger call volumes, combined with the typical crisis-related spike in fraudsters’ attempts to take advantage of the chaotic situation, means a greater risk of account takeovers via social engineering. Together, these factors further underscore the importance of streamlined, effective caller authentication.
Changes to authentication methods — particularly the adoption of multifactor authentication approaches incorporating newer technologies such as pre-answer phone call analysis — can enable organizations to simultaneously improve customer experience, operational efficiency and fraud-fighting ability.
The Neustar survey responses suggest that organizations are preparing to revisit and revise their approach to maintaining privacy while protecting customer relationships in the year ahead.
The weaponization of customer data acquired from call centers remains the biggest threat to the tele-agency business, even as a lack of communication and of voice quality highlights poor customer experience standards, inefficiency and a lack of trust.
However, the lack of security is what dents current growth the most. Consumers, more aware than ever, would look at KBA conversations with suspicion and tap out agencies for misusing their personal information.
Currently, Neustar is a leader in identity resolution, providing the data and technology that enable trusted connections between companies and people at the moments that matter most. Neustar offers industry-leading solutions in marketing, risk, communications, security and registry that responsibly connect data on people, devices and locations, continuously corroborated through billions of transactions.