As you may have seen via the BBC recently, lax security within a contact centre environment can lead not only to customer accounts being compromised, but also to significant fines from regulatory organisations.
The increasing sophistication of fraudsters means it’s no longer acceptable, or even feasible, to rely solely on knowledge-based authentication (KBA). When it comes to identity verification, answers to questions about your date of birth and your mother’s maiden name just don’t cut it anymore. Of course, the problem with using less common knowledge is that people often forget, leading to around three out of 10 manual (call-taker-led) identity checks being suspect.
Answering so-called ‘secret questions’ once seemed almost inquisition-like, in the sense that you could only imagine giving up those details under torture. Torquemada’s ghost might give you nightmares, but far more frightening is the ease with which personal details can be quarried online, through the plethora of social media sites where your data is just there for the taking.
Excuse me for extending the metaphor but fraudsters don’t need to find the mother lode as it’s easy enough for them to go panning for gold (i.e., your personal data). And if that isn’t bad enough, social engineering means what’s not available on Facebook can be gained easily through what might seem to be an innocent conversation with a stranger, on-line or in person.
I’m not saying that PIN and passwords are the root of all evil, but they might be. Many of the security issues seen today originate with compromised passwords. There are countless statistics to back up that assertion, which should provide even more cause for concern in relation to KBA. If you don’t believe me, just look at the annual report on the most commonly used passwords. The top 5 include such classics as “123456”, “qwerty” and the ever-present “password”. I’m not sure what’s worse, that people use these passwords or that they happily share their passwords with a researcher.
The problem with complex passwords is that they are easily forgotten. In fact, they are almost impossible to remember – unless you’re Solomon Shereshevsky. If you do have a memorable password, it’s more likely to be compromised, because you’re likely to be using it across multiple sites and services.
The United States National Institute for Standards and Technology (NIST) has produced new guidelines for the use of passwords (you can find that here), but its advice goes beyond memorised secrets* to suggest that multi-factor authentication (MFA) becomes an integral part of service providers’ log-in policies.
MFA requires users to present at least two credentials to authenticate: something they know (like a password), something they have (like a token) and something they are (like a fingerprint or voiceprint).
Now, that’s all very well if you’re transacting on-line or in person at say, a credit union branch in the United States. However, tokens and fingerprints are of little use when communicating remotely over the phone. That’s where voice biometrics (voiceprints) comes into its own, because it can be used in two ways, which makes it extremely versatile – and multi-factor.
Callers can authenticate themselves by, for example, speaking a passphrase over the phone and having their voice verified by comparison with a saved voiceprint. Users can also be asked to repeat a random digit sequence (effectively a token), which can be prompted on the phone or sent via SMS, thus creating an additional factor which can then be verified by a combination of voice biometrics and speech recognition.
A voice biometrics approach not only removes the burden on customers to remember passwords, but also leads to reduced verification times and increased rates of successful verification. Three in 10 equates to an error rate of 30%. If a voice biometrics-based solution offers a mere 90% accuracy (state-of-the-art systems will offer in excess of 99%), the error rate is reduced to one in 10 and the business is three times more secure.
If you are thinking of introducing voice biometrics for identity verification in your business, and would like to discuss your requirements, contact one of our consultants today.
*[A Memorised Secret authenticator — commonly referred to as a password or, if numeric, a PIN — is a secret value intended to be chosen and memorised by the user. Memorised secrets need to be of sufficient complexity and secrecy so that it would be impractical for an attacker to guess or otherwise discover the correct secret value. A memorised secret is something you know.]