Security Challenge Questions
Helping Fraudsters, Frustrating Customers
For the third year in a row, respondents to the Neustar 2020 State of Call Center Authentication Survey recognized the call center as a primary source for account takeover (ATO) attacks, second only to web-based attacks. This is consistent with the broad increase in identity-based fraud that began accelerating after the introduction of EMV chips in credit cards.
Do Challenge Questions Work?
It is easier to take over an account than commit credit card fraud, especially over the phone, where knowledge-based authentication (KBA) reigns. A majority of Neustar's survey respondents still trust KBA to accurately authenticate inbound callers.
Likewise, a commissioned study conducted by Forrester Consulting on behalf of Neustar (Mitigate Fraud and Consumer Friction with Integrated Identity Verification, February 2019) found that "92% of the fraud management decision makers we surveyed said that [KBA] is somewhat or very effective at reducing ID theft and fraud." If you are among the 92%, I've got bad news for you.
Related: Watch on-demand: Why Fraudsters Love Your Contact Center's Authentication, and Customers Hate It
What's at Stake with Inbound Caller Authentication?
- More fraud
- More frustration for customers
A Fraudster's Playground
Fraudsters can buy or find answers to most KBA questions. Consumers' personally identifying information (PII) has either been breached or shared on social media. When criminals call in, they combine PII with social engineering tactics to convince the agent to grant them access to the customer's account.
The fraudster may go to the effort of spoofing a customer's phone number or simply use a virtualized call service to bypass legacy defenses. 70% of respondents to Neustar's survey saw "somewhat" or "much more" threat activity coming from virtualized call services. These services make it easy to perpetrate ATO. Fraudsters create a free email account and then register it with a virtualized calling service that requires only an email account to activate. No other steps are needed; criminals can now make legitimate calls that will slip by spoof-detection technologies.
Virtualization frees criminals from the need to imitate specific callers' numbers. Rather, they only need to reach an agent from a legitimate number that is unrelated to a customer's record. When they connect, they have an excellent chance of socially engineering the agent into granting control over a customer's account.
The threat of virtualized call fraud is pervasive. Fraud feedback data from Neustar's customers show as many as 80% of ATO attempts between September 2019 and February 2020 were made with virtual calling services.
KBA isn't just ineffective in preventing ATO attacks, it also actively degrades the customer experience.
A Customer's Headache
Instead of taking an opportunity to build loyalty, greeting callers with KBA sends the message "We don't know you and we don't trust you." That is not how to address customers calling for help.
And yet, because potential fraudsters cannot be isolated, all callers must be subjected to more invasive authentication. It is jarring for customers expecting a smooth, easy experience similar to what they get online. The dissonance puts organizations reliant on KBA at a disadvantage with more innovative competitors.
Consumers want to resolve their issues quickly, but KBA extends average handle time by 30-90 seconds. Longer wait times extend the period during which callers can ponder, "Would I get faster service from this organization's competitors?" KBA frustrates customers and empowers criminals because it distracts from quickly resolving the original purpose of the call.
The solution? Authenticate callers without agent intervention. Not only has this been proven, but it also equates to less fraud, less friction, and more functionality.
The faster the person on the other end of the line can be authenticated, the better call centers can deliver safe, speedy experiences without compromising security.
Ownership-based authentication is a proven method of delivering on the promise of authentication without agent intervention. The process completes authentication before the caller hears "hello," making it faster and more secure than KBA.
With ownership-based authentication, average handle times go down while containment in the Interactive Voice Response (IVR) system goes up. Trusted callers can be offered self-serve options that are too risky with KBA: contact information updates, loyalty program redemptions, and even shipping address changes for orders en route. Only the smaller remaining pool of unauthenticated callers gets the full focus of the fraud department. This shrinks the proverbial "haystack," reduces friction, and optimizes the use of expensive fraud personnel and resources.
In a time when many contact centers now view growth in terms of improving service rather than expanding size, contact centers need a cost-effective path toward offering greater functionality without jeopardizing the customer experience or risking more fraud loss. That is what ownership-based authentication provides.
How Neustar Can Help
Neustar Inbound Authentication improves call centers' ability to efficiently manage high volumes of consumer interactions by identifying callers -- even those calling from a number different than the one on file -- using the Neustar OneID® identity platform. In tandem, the solution authenticates callers by determining that each calling device is unique, authentic, physical, and presents little-to-no risk of fraud.
Before hearing "hello," approximately 90% of callers are identified and authenticated by Neustar Inbound Authentication. They can be routed into a Trusted Caller Flow for faster service and are offered higher-value self-serve options in an IVR. Call center agents can be shielded from social engineering attacks so they can focus on problem-solving. Only unauthenticated callers will be candidates for the fraud department.
Fraudsters hate it. Customers love it.