Though financial companies have been fortifying the security of their online banking systems, many have neglected their telephone systems.
As a result, voice banking systems have become "the major channel vulnerability" in the financial industry, according to a report published last week by Javelin Strategy and Research.
And with improved security now in place to protect Internet transactions at many companies, banks face the risk that fraudsters will seek out new vulnerabilities, such as call center and interactive voice-response systems, vendors and observers say.
Though consumers are actively concerned about the threat of identity theft on the Internet, they show little concern about giving personal information over the phone, "almost the mirror image of consumer perceptions regarding the online channel," said Bruce Cundiff, a research analyst at Javelin, of Pleasanton, Calif.
"With the phone channel, consumers feel very safe, and they're willing to part with very sensitive data," he said.
Though little fraud is initiated through banks' phone systems now, Mr. Cundiff said the threat is growing. "Based on data that fraudsters can easily get their hands on, it's certainly possible."
The American Bankers Association, a Washington trade group that does biennial studies of financial fraud, does not track telephone fraud. Doug Johnson, a senior policy adviser in the ABA's government relations division, said his group has "not seen a level of fraud in the telephone channel at this point that would warrant a level of concern."
However, he said, in recent weeks the ABA has heard of criminals calling consumers, impersonating ABA employees, and trying to trick them into disclosing personal data. Mr. Johnson said this scam was used before the Internet was widely used for banking; the criminals "are having to go back to the old tools because we've tightened down on the Internet," he said.
Banks that have invested in online authentication are now trying to apply the same technologies to their call centers and IVR systems, he said. An important issue is improving security without interfering with customer service. "The last thing they want to do is to create additional encumbrances on their communications channels while they're trying to harden them," Mr. Johnson said.
Intervoice Inc., a maker of call center and interactive voice systems, announced this week that it is working with EMC Corp.'s RSA Security unit to apply RSA's "adaptive authentication" for the Internet to its telephone banking systems. Ken Goldberg, Intervoice's senior vice president of corporate development and strategy, said the Dallas company has seen "a surge of interest in the last three to six months" from banks seeking to strengthen security on the telephone.
In January, Verid Inc., a Fort Lauderdale, Fla., maker of knowledge-based authentication systems, introduced a real-time monitoring system called "IdentityEvent" to observe patterns of activity in different remote channels. It could notice, for instance, that a customer was examining account details online before contacting a call center to transfer funds.
Kevin Watson, Verid's chief executive, said the idea is to catch "social engineering" fraud that avoids triggering online security measures by using the information on the phone. "Someone was doing a lot of research on this individual 15 minutes ago. That looks suspicious to us," he said.
The Federal Financial Institutions Examination Council, which called on banks in 2005 to improve online security, has said the same guidelines apply to voice systems. In a document published last August, the council wrote, "While the guidance focuses on Internet banking systems, its principles apply to all forms of electronic banking, including telephone banking."
Of six financial companies asked to comment for this article, none would make an executive available to speak. One, Wachovia Corp., sent an e-mail statement. "We make it a policy to limit our discussions about how we authenticate customers, be it calling on the phone or logging into an account on a computer, to prevent fraudsters from having a more-informed approach to their crimes," spokesman Matthew Wadley wrote.
The Javelin report said banks could use a variety of approaches to boost security on their voice systems, including "challenge questions," about such things as previous homes or jobs; biometric voice prints; and risk scoring.
The study particularly criticized companies that ask customers to supply their Social Security numbers. In a survey of 23 large U.S. financial companies, Javelin found that 26% ask for customers' Social Security numbers as an authentication method at the call center, a finding that the report called "alarming." (Another 13% ask for the last four or six digits of the government ID number.)
"We think it's a horrible practice," Mr. Cundiff said. Because the number is unchangeable, it makes a poor substitute for a secret password, and because it is widely used on a variety of official records, it is relatively easy for criminals to obtain, he said.
This opens the door to fraud by someone who has obtained the number illicitly, he said, and "if financial institutions universally request that nine-digit Social, consumers are going to have a higher level of comfort in giving it out" when requested. "Until that information is worthless to fraudsters, it's going to be a coveted piece of information."
