In the wake of the Equifax breach, a big question for credit unions is: how do we verify telephone callers? Social Security Numbers are not a secure option any more, since the majority of U.S. adults have had their numbers stolen in the past few years. In fact, so many data breaches have occurred that we probably need to assume that address history, purchase history, credit report and other personal data are all effectively public information.
“Knowledge-based authentication” is the process of verifying a person’s identify based on something they know, such as personal information or a shared code word. In order to be effective, knowledge-based authentication needs to be based on a shared secret. Once upon a time, it might have been reasonable to assume that only you (and a few trusted parties) would know your Social Security Number. Now, that is no longer a reasonable assumption.
What can you do to verify members’ identities remotely? One option is a shared code word (or better, a code phrase). However, there are two issues with that: first, you need to get them set up in the system ahead of time, so this doesn’t work for new callers. Second, you need to be prepared in the event that callers have forgotten their secret passphrase— and that process usually falls back on knowledge-based authentication, which as we know has fundamental problems now.
Fortunately, better long-term solutions have emerged. One very promising tool is called “phoneprinting.” Developed by a company called Pindrop, phoneprinting analyzes the audio from a caller’s phone, along with call metadata such as the geolocation, call type and Caller ID. Using this information, Pindrop gives each call a score that indicates the risk of fraud. The company also maintains a database of fraudulent call characteristics, and checks each call to see if there is a match in the existing database of fraudulent records.
This technique can be combined with voice biometrics to provide an effective alternative to knowledge-based authentication. To use voice biometrics, you sample a caller’s voice on their first call, or formally enroll them by asking them to repeat a few simple phrases. From that point on, your caller authentication system analyzes each caller’s voice and matches them to a voiceprint on file. There is no need to pepper callers with security trivia questions. Voice biometric providers may also keep a database with voiceprints of known fraudulent callers, so that scammers are immediately identified and weeded out when they call.
“Between voice biometrics, passive voice biometrics, and phone printing, our clients are having a lot of success in stopping call center fraud,” says Avivah Litan, fraud expert at Gartner.
While knowledge-based authentication is on its way out, new advances in technology have produced alternatives that are more effective and easier for your members. After all, they never liked answering security questions, anyway! Voice biometrics, phone-printing and similar technologies are the way of the future.
— written by Sherri Davidoff, Founder/CEO of LMG