How Call Center Fraud Leads to Account Takeover Fraud - Part 2
This blog post is part two of a two-part series that highlights how call center fraud targeting financial institutions can be a stepping-stone toward ATO fraud, a much more serious problem for FIs. Please be sure to check out part one here.
The first post of this series highlights the increasing losses organizations are incurring due to Account Takeovers (ATOs) that are facilitated by call center fraud and why ATO fraud is difficult to detect in general. This second post of the series highlights what financial institutions are currently doing to prevent ATO fraud via the call center and what’s missing.
A Multi-Layered Approach
Many financial institutions are taking a multi-layered approach to try to prevent ATO fraud via the call center. A multi-layered approach often includes knowledge-based authentication (KBA), device intelligence, and phone number information. Some organizations are starting to include voice biometrics in their approach as well.
Call center representatives (CSRs) at most financial institutions use knowledge-based authentication (KBA) questions to confirm the caller’s identity, such as “mother’s maiden name?” and “favorite pet’s name?” Most of the information needed to answer these KBA questions can be found on social media accounts or obtained via social engineering. KBA questions need to be improved and based on data that isn’t so readily available. For example, favorite pet, favorite band, and college attended are things that fraudsters can find pretty quickly. Even the last four digits of a person’s social security number are not hard for a scammer to obtain.
Once a fraudster has found all the information they need about an account holder, they can target the customer call center to take over the account. And fraudsters can scam CSRs easily when they have the right information. KBA as a fraud prevention method is not effective; too much of the information is available online or can be scammed out of people easily through phishing schemes and phone call scams. When a fraudster makes the call, they usually have all the information they need to beat the KBA questions asked by CSRs.
Device Intelligence and Phone Number Information
Approximately 95% of Americans own a cell phone, and about 77% own a smartphone, according to a recent Pew Research survey. Mobile phone technologies allow organizations to implement security measures based on device ID: identifying devices based on a variety of attributes such as IP address, browser version, and operating system. These attributes are used to “fingerprint” the device. The digital fingerprint on file can then be used to verify customers when they call the customer service center or use a mobile financial app. Many bank call centers rely on device fingerprinting, geolocation, and phone number information to identify a customer at the beginning of a call. These methods of identification are not enough, as fraudsters are finding innovative ways to bypass these identity checks.
Fraudsters are using increasingly sophisticated technologies and techniques to spoof phone location, phone number, and other device ID characteristics. Among the technologies fraudsters are using are malware, bots, and remote access Trojans (RATs). These technologies allow fraudsters to discover and collect sensitive information such as credentials (passwords and PINs), date of birth, home address, and email addresses. These technologies also allow a fraudster to mimic a device ID, that is, to generate the same characteristics and sensitive information as the original device. In the case of a RAT, the fraudster isn’t imitating the ID characteristics of the original device; the fraudster is using the actual device of the fraud victim.
In recent years, many banks have started to use biometrics solutions such as voice, retinal, and fingerprint ID. While voice biometrics can help prevent fraud via the call center, there are some disadvantages to using a voice-based solution for fraud prevention. A voice biometrics solution analyzes the voice of the caller and compares it to the voiceprint on file based on numerous characteristics. This method of comparison leads to further disadvantages of a voice-based solution: voice pattern changes and false positives.
Natural voice pattern changes are a factor to consider when using a voice biometrics system for identification. As time goes by, the voice pattern of a customer will likely change. A recent two-year study by Pindrop about voice aging found that the expected error rate for positively identifying a speaker increased as the survey participants aged.
What if a customer has the flu? Illness, stress, and emotional state can all lead to changes in a person’s voice. Background noise is also a problem. A noisy background could cause problems for the system, leading to false positives. Most voice biometrics solutions tend to have a high false positive (FP) rate. A false positive means that the organization must take additional steps to validate the caller’s identity, which could be time-consuming and costly.
Another Layer Is Needed
Although banks are already using a multi-layered approach, fraudsters are still able to bypass many of the security measures meant to prevent ATO fraud via the phone call channel. Banks should consider adding another advanced analytics layer to their approach.
Most financial institutions have massive volumes of historical data along with real-time data that could be analyzed and leveraged to prevent many types of fraud. When it comes to call center fraud, fraudsters often follow the same patterns before reaching the CSRs, for example calling a specific customer service number, choosing certain menu options, and pressing specific numbers. Fraudsters often use scripts and say specific things to scam CSRs.
With an additional layer powered by unsupervised machine learning, financial institutions could analyze all their unstructured data, which could provide insights into call patterns and behavior and help prevent ATO fraud via the phone call channel.
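To make the call-pattern idea concrete, here is an added example (not from the original post or any vendor's product) that scores callers without labels by how many distinct accounts they reach through one identical dialed number and menu path. It uses a simple robust outlier score in place of a full machine learning model; the record layout, phone numbers, account IDs, and threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample IVR records (not real data):
# (caller_number, dialed_number, dtmf_menu_path, account_id)
CALLS = [
    ("555-0101", "800-A", "1>3>0", "acct-01"),
    ("555-0102", "800-A", "1>1", "acct-02"),
    ("555-0103", "800-A", "2>4>0", "acct-03"),
    ("555-0104", "800-B", "1>3>0", "acct-04"),
    ("555-0105", "800-A", "1>3>0", "acct-05"),
    ("555-0106", "800-A", "1>1", "acct-06"),
    ("555-0106", "800-A", "1>1", "acct-07"),  # one household, two accounts
    ("555-0107", "800-B", "3>0", "acct-08"),
] + [
    # One caller repeating the same number and menu path across many accounts
    ("555-0199", "800-B", "2>2>9>0", f"acct-9{i}") for i in range(6)
]

def path_reuse_by_caller(calls):
    """Per caller: most distinct accounts reached via one identical (number, path)."""
    seen = defaultdict(set)
    for caller, dialed, path, account in calls:
        seen[(caller, dialed, path)].add(account)
    per_caller = defaultdict(int)
    for (caller, _, _), accounts in seen.items():
        per_caller[caller] = max(per_caller[caller], len(accounts))
    return dict(per_caller)

def flag_outliers(scores, threshold=3.5):
    """Robust z-score (median and MAD) outlier test; needs no fraud labels."""
    values = list(scores.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    flagged = {}
    for caller, value in scores.items():
        # MAD is 0 when most callers behave identically; fall back to the
        # raw distance from the median so the test still separates outliers.
        z = 0.6745 * (value - med) / mad if mad else float(value - med)
        if z > threshold:
            flagged[caller] = round(z, 2)
    return flagged

if __name__ == "__main__":
    print(flag_outliers(path_reuse_by_caller(CALLS)))
```

A flagged caller is a candidate for step-up verification or analyst review, not proof of fraud; a shared office line or family phone can legitimately touch several accounts.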