Voice Biometrics as a Fraud Fighter

Could Emerging Technology Play New Role in Call Centers?
Voice Biometrics as a Fraud Fighter

More financial institutions are considering voice biometrics as a way to fight call center fraud. That's because other forms of authentication are proving ineffective at a time when socially engineered attacks against call centers are on the rise.

See Also: Ransomware: The Look at Future Trends

Several fraud and security executives told BankInfoSecurity that they're considering voice biometrics as a new way to tackle call center fraud. But some still question whether voice biometrics is ready for prime time, citing potential problems with "false positive" identifications of potential fraudsters.

The biometric technology analyzes voice characteristics, such as dialect, speaking style and pitch. By collecting and archiving voice characteristics of customers, banks, in theory, could authenticate customers' identities when they call in.

Call center fraud has been escalating. U.S. banks have reported upticks in call-center schemes that rely on social-engineering tricks. The attack: Convince customer service representatives to share or change account details.

Julie McNelley, a fraud analyst with Aite, a financial-services consultancy, says the trend has been evident since late 2011.

"In October 2011, I published a piece about where financial institutions were feeling the most pain, and one of the responses to that was the call center," she says. (See How to Stop Call Center Fraud.)

Call Center Soft Spots

Call centers are easy targets. Conning call center staff into sharing sensitive details or changing phone numbers or passwords is easier, in many cases, than getting around layers of technology used to protect online transactions.

An executive at one top-tier institution, who asked not to be named, tells BankInfoSecurity that institution is reviewing voice biometrics as an alternative to other authentication methods that rely on security questions. Answers to common security questions have proven too easy for fraudsters to provide, based on information they socially engineer out of call-center staff or accountholders themselves.

It's the human element that makes socially engineered schemes waged against call centers so fruitful. Banking institutions have worked to address some of those vulnerabilities by focusing more attention on fraud-prevention training for call center representatives and by adopting out-of-band verification for phoned-in transactions.

"It could be a very good way for the call centers to reach FFIEC compliance," the executive says.

As banks and credit unions make investments in stronger authentication for the online channel, they are improving authentication for other channels as well. Call centers are not specifically mentioned in the FFIEC's updated Authentication Guidance, but banks are folding stronger authentication and transaction verification into their plans for call centers as they make investments to conform.

"When you lock the online channel and other channels, like mobile, the bad guys go to the call center," one banker says. "So we have to lock that down, too."

That's why layered security is so critical.

"The call center is an area that needs to be addressed," says George Tubin, a former fraud analyst for TowerGroup who now works for online security provider Trusteer. "But it goes back to cross-channel fraud."

Weighing Authentication Options

Some authentication techniques, including knowledge-based authentication, are proving ineffective, says Gartner fraud analyst Avivah Litan.

"The KBA processes don't work well anymore," Litan says. "One large financial-services company told me they got a 15 percent to 20 percent failure rate with external challenge questions."

Financial institutions, however, have found KBA improves when call-center representatives ask more questions about accounts, such as balances and when recent online bill-payments were scheduled, rather than so-called "stronger" security questions about the first car the accountholder owned or the address of her last residence.

Voice biometrics may prove to be another viable layer of protection. But expense is a consideration.

"There's a lot of inertia when it comes to spending money on call center fraud, even though it's picking up, a lot," Litan says. "Most banks want easy integration with legacy systems."

Cost comparisons of voice biometrics solutions aimed at call-center fraud are hard to find. The industry does not yet have a benchmark because biometrics services aimed at fraud prevention are relatively new. But vendors suggest the cost is comparable to other fraud-prevention and authentication technologies on the market. Most of those solutions, however, are aimed at curbing online fraud.

A New Approach

Victrio, one of several vendors that offer voice biometrics technologies, takes a bit different approach. Rather than authenticating registered customers and members, Victrio alerts institutions when voices linked to previous fraud incidents call in.

Tony Rajakumar, who founded Victrio in 2008, says Victrio's product relies on a database of biometric voice prints that screens calls in real-time.

Since going to market about a year ago, Rajakumar says Victrio has built a global database that includes tens of thousands of voice prints provided by several of its large banking institution customers in the United States and the United Kingdom.

Using that database, Victrio is able to identify or flag a suspicious call based on comparative voice analysis.

Victrio's technology can be launched in two ways. Banks can participate in the global fraud database, or they can take a more siloed approach -- only comparing data on calls that come directly to their call centers.

Rajakumar says these institutions are using Victrio's solution to thwart call-center attacks, but he declined to provide the names of those institutions or how many of them were actually using the voice print technology.

"There is a good mass of fraud events there, and we are seeing overlap between fraud events at one entity turning up at another," he says. "Sometimes, we see the same (fraudulent) call hit one institution and then another before the second institution even reports it."

Rajakumar says most fraudsters are repeat offenders. When a fraud call is identified, there's a 70 percent to 80 percent chance that caller has defrauded before.

"That's a pretty startling number that many people in the industry did not believe," he says. "Now that we have enough data to show them that many of the fraud losses are from the same pool of people, they are really stunned."

One top-tier institution tells BankInfoSecurity that it's considering the Victrio technology because it appears to be easier to manage. Because the technology does not require banks to enroll customers and store their biometric information, it takes a lot of customer privacy concerns out of the equation, such linking a voice print with an accountholder's name and Social Security number.

Customers are often reluctant to voluntarily enroll in programs that require them to provide biometric details. The fewer customers enrolled, the less effective the solution. By removing customer participation, the process is simplified, and the efficacy rate is improved.

One bank that launched Victrio's biometrics technology for fraud detection through its call center experienced a 75 percent reduction in phone fraud within two quarters, Rajakumar says.

Ready for Prime Time?

Although a number of companies have offered various versions of voice biometric technology for several years, banks have historically been reluctant to go too far down the biometrics path because of concerns about false positives.

"At some point in our lives, biometrics is going to be used," Trusteer's Tubin says. "I just don't know that it's there yet."

False positives can create extra work, Tubin notes. "If you mistakenly I.D. something or someone as being fraudulent and you keep having to call your customers back to verify a transaction or authenticate a user, it can be costly and create more headaches than actually reducing fraud," he says.

But Rajakumar says newer voice biometrics systems have far fewer false positives than earlier generations.

McNelley acknowledges financial institutions' opinions about voice biometrics have been mixed, but says the newer voice biometric systems are showing promise.

"The early feedback I'm hearing is that this results in better detection rates and fewer false positives," McNelley says. "Many of the (early) voice biometrics experiments were conducted with technologies developed as part of CRM platforms, which did not necessarily develop the technology with fraud prevention as the core driver."


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network