Fighting external fraud has become like whack-a-mole; with the online channel increasingly secure, organized crime has taken to exploiting the weaknesses in the call center as they evolve their multi-channel business model. The mallet that accompanies the carnival game might be easier to wield, but the biggest banks are looking at PINs, voice biometrics, automated KBA, and enterprise fraud detection to combat shape-shifting fraudsters.
"Call center authentication is the biggest pain point to me right now," says Stan Swalbenest, remote channel risk director in consumer risk management at JPMorgan Chase. "When I look at my portfolio, the biggest risks I see are social engineering - through the call center, through the branch."
JPMorgan Chase certainly isn't alone. Call center fraud is increasingly sophisticated, with reps vulnerable not just to advanced social engineering but also to technology tricks, like ANI spoofing, which allows fraudsters to make it appear as if they're calling from the consumer's phone number. "We are seeing increased call center fraud across the globe, particularly Western Europe and here," says Amir Orad, evp of at Actimize, which sells enterprise fraud detection products. "It's almost that the weakest link in the remote channel is the phone."
Hardening the weakest link typically involves one of two approaches: adding another layer of risk-based authentication in the call center, or installing enterprise-wide fraud monitoring so that events in each silo can be correlated to catch those that show the early signs of cross-channel fraud. Gartner Research has long recommended that its clients take a three-pronged approach: strong authentication, transaction monitoring, and out-of-band transaction confirmation. "There are some good solutions out there, but banks are slow to implement," says Avivah Litan, vp and Gartner distinguished analyst.
The Financial Services Technology Consortium is evaluating the technology readiness and business cases behind a variety of biometrics, as well as the utility of an industry-wide database that would house the voice prints of known bad guys. There are two approaches to using voice biometrics in the call center: whitelisting and blacklisting. The whitelisting approach involves taking a voice print of each customer saying specific words during an enrollment process, and then asking the customer to repeat the phrase during the authentication process. Blacklisting involves creating voice prints of fraud perpetrators after a crime has been committed, and storing those in a company or even industry-wide database. High-risk transactions can be matched against the blacklist.
Less sexy than a bad-guy database is the automation of out-of-wallet authentication questions through a call center's IVR, an option deployed by Experian at a Top 5 U.S. bank, with no dramatic difference in performance.