TransUnion
10/19/2023
Podcast
In this episode of the TransUnion Fraudcast, call center fraud expert Lance Hood joins Jason to discuss why the call center is increasingly the target for enterprising fraudsters, and what can be done to protect it without ballooning operational costs and frustrating legitimate callers.
Jason Lord:
Welcome to the TransUnion Fraudcast, your essential go-to for the absolute linkages between the day’s emerging fraud and authentication topics, trends, tropes and travails delivered with all the straight talk and none of the false positives.
I'm your host, Jason Lord, VP of Global Fraud Solutions, and I'm positively vibrating with excitement for today's discussion.
Regular listeners of the Fraudcast know that each episode we narrow in on a specific subtopic within the fraud authentication universe, bringing on a special guest to help us dive in while keeping it high level enough that you don't need a PhD in data analysis to understand the topic –– because let's face it, many of us are multitasking as we listen to this!
This week we'll be talking about the call center.
Datos Insights, formerly Aite-Novarica, says that over 60% of fraud starts in the call center, with pre-crime research, with the fraudsters poking around the system for vulnerabilities and socially engineering the call center agents to obtain the PII that they can later use for account takeover and other forms of fraud.
And it makes sense why fraudsters target the call center.
Those are staffed by human beings who are trained to be as helpful as possible, not to be fraud professionals, and so they can be easy targets for social engineering.
And as for callers, they can often feel like they're winding through a corn maze on IVR systems to find a live agent. You add on top of that long hold times and repetitive and time-wasting knowledge-based authentication questions…when they finally do reach an agent, also getting transferred because the agent wasn't willing to or able to assist… It's no wonder why consumers are increasingly frustrated with the contact center experience.
So what's a call center to do?
How do they protect against fraud while not ballooning operational costs and frustrating callers who are already more than likely at a heightened emotional state before they ever reach the agent?
Here to discuss the topic with me is a long-time expert in call center fraud, Lance Hood, Senior Director, Omnichannel Solutions at TransUnion.
Lance joined TrustID and helped establish the company as the market leader in pre-answer call center authentication before it was acquired by Neustar, and subsequently by TransUnion.
Lance, welcome to the Fraudcast.
Lance Hood:
It's a pleasure to be here.
Jason Lord:
Lance, let's start with this: Is the call center relevant anymore?
We keep hearing about how millennials and Generation Z are ruining every consumable good.
Are they making the call center irrelevant as well?
Lance Hood:
Very unlikely.
I think that the answer to that question really lies in understanding the role of the call center and where it fits within the overall customer service journey that is offered from a company to its consumers. And how call centers really distinguish themselves is the ability to address complex problems, the things that you can't address with an FAQ or a chat session.
And those problems are never going to go away.
And while we look at Gen Z and millennials and think they have less utilization of call centers, part of that is just because of where they are in their life journey.
As they grow older, they're going to find that they have more complex products that they buy that need more, kind of, complex issues and resolution of complex issues.
And similarly, investing in more sophisticated financial investments.
All of these are things that are going to cause those Gen X and millennials to call in to call centers, just as prior generations have done.
So call center is definitely not going away, despite the forecast of its demise for many decades now. They’re still here, and they're still critically important.
Jason Lord:
You know one thing you said in there that I think is maybe worth double clicking on is the reason people tend to call into the call centers is not because they have an easy question to answer, but because they have a hard question to answer.
Is that fair to say?
Lance Hood:
I think that that really is fair to say now.
It's probably true of some older generations.
You know, when you're a baby boomer, for example, that there is a preference for call centers as the way to get their questions resolved.
But I think the complexity of issues is really what will sustain the call center over time.
Jason Lord:
The reason I bring it up is because a lot of the conversation around the call center is customer experience and I think we can start by talking about KBA, or knowledge-based authentication.
Everyone who pays attention to any kind of thought leadership around the call center, one of the very first things we hear is KBA is ruining the customer experience.
Let's start there.
What about KBA is detrimental to the overall customer experience?
Lance Hood:
I think that there's a couple of challenges with it.
Number one: Over time, the fraudsters have gotten the answers to many of the questions that are typically part of a knowledge-based authentication process, which means that a lot of call centers have responded by asking even more questions, and burning up even more time and causing more frustration.
And secondarily, asking more difficult questions –– and the problem is at some point the people can't answer those questions.
And so then you move on to even more questions.
And ironically, it's often the fraudsters that have the data from the dark web, or have scanned all the social networking sites that can answer those more difficult questions better than an actual consumer can.
So it's a technique that actually puts accounts at risk, as well as generating a tremendous amount of frustration from the consumer.
Jason Lord:
I'm only speaking for myself, but I know whenever I'm put on the spot and asked a very simple question, like, what color was my house growing up? For whatever reason, my mind goes completely blank and I cannot remember it.
And then I start thinking, am I the fraudster here –– or what's going on?
So I very much empathize with what you're saying.
So KBA is known to be vulnerable and known to be a bad customer experience.
Why do call centers keep coming back to it?
Lance Hood:
I think there's two reasons.
One is it's easy.
It's been around for a long time.
It's been really the technique that's been most commonly used, probably for the last 20 years, so it's just sort of the entrenched, easy thing to do.
And the second reason is that investments in protecting accounts and improving authentication have largely gone into the digital channels.
And so digital channels have been hardened a lot over the last 10 years, to make them better protect against account takeover fraud.
But that investment just hasn't gone as much proportionally into the call center.
And the scary thing about that is that with the hardening of those digital channels, what do fraudsters do? They go to the point of easiest access, the most vulnerable part, and that is already the call center. And without some additional investment to harden call centers as well, that's where even more of the fraudsters are going to be finding their success in the years to come.
Jason Lord:
It makes sense if you're a fraudster and you're looking for that PII, and you know that call centers have great vulnerabilities.
You can answer their KBA questions.
The contact center agents are going to be helpful probably, in allowing you to access the PII.
It makes sense why contact centers are where fraudsters are going.
So if KBA isn't the answer, what is the answer to protecting call centers?
Lance Hood:
I think we need to look at the other two categories of authentication.
If we just keep it really simple, there is knowledge-based authentication which, in the call center, about you know 70% of call centers only use KBA still, despite the weaknesses we've already talked about…and then there's inherence, which is something that's physically or behaviorally about you in the context of the call center.
That's voice biometrics. And the last category of authentication is ownership or device factor authentication.
Which in the context of a call center is really the phone that someone is using to dial in to the call center.
And I think what we'll see in the future is more and more use of inherent, as well as device-based, authentication because these deliver very strong what we call authentication tokens, much stronger, much more difficult for fraudsters to get access to and to mimic in order to access accounts inappropriately.
So I think that's what we're going to see in the future is more inherence and more ownership authentication.
Jason Lord:
Now I did promise listeners that we weren't going to be too technical. So I feel like we do need to explain what inherence and device-based authentication is.
So do you want to talk a little bit about what that means?
Lance Hood:
Well, again inherence is something that is really either physically or behaviorally about you.
So you can think of a face scan. You can think of your fingerprints.
You can think of, in a call your actual print of your voice and the characteristics of your voice that form a unique pattern –– and then ownership or device-based authentication is really something that's physical, that a person is in possession of.
You can think of it most easily as the key to your house.
If you have the right key and it opens the lock, you get access to the house, the house being an example of a resource and obviously that's been around for a very, very long time.
Other examples of that would be a credit card.
If you present that physical credit card that you own, you can buy products at Home Depot and a variety of other places.
And really emerging as a unique type of ownership factor authentication is a phone, a mobile phone, because almost everyone has one, almost everyone is in possession of those.
They're very hard for a fraudster to get them and most importantly, if it is taken from you for some reason, most of them are locked and people tend to notice their phone is missing fairly quickly, which really narrows the time that a phone could be used for fraud.
Jason Lord:
That makes sense.
So if we can use either something inherent to the person, like their voice for instance, in the call center, or we can use something that is unique to them, like the phone that they're calling from, you'll have a much more reliable signal on whether that person is who they claim to be. Is that right?
Lance Hood:
That's exactly right, because ultimately this is all about which of these authentication factors are predictive of identity.
If you have a phone that you own, or you can present your voice, that tends to be much more predictive of your identity than today's standard, which is that I can answer some personal questions, which is really just no longer predictive of identity at all.
Jason Lord:
So customer experience and fraud prevention are often portrayed as being at odds with one another, not just in the call center, but across the spectrum.
Do you view it that way?
Do you think that inevitably it's a zero-sum game? If you improve one, the other one needs to degrade?
Lance Hood:
It doesn't have to be a zero-sum game.
Now with knowledge-based authentication it pretty much is. The more questions you ask and the more difficult questions you ask in order to get more identity prediction, there's certainly a compromise in the customer experience.
But newer technologies, for example using your phone and verifying you’re calling from that phone, don't necessarily have that trade-off.
That's a technology that if you're using and verifying someone is calling from a phone number that's on their account, can actually be done invisibly, and it can be done before a call actually connects to a call center.
So in that respect, it's improving the level of identity prediction, the quality of authentication, but from a consumer perspective, it's automating the authentication process and taking care of it at the instant they start to engage with the call center.
So in that respect, it's an improvement in customer experience.
It's also an improvement in fraud protection and frankly, by not paying agents to ask all those questions it actually saves the cost of a call center as well.
So it's sort of a trifecta benefit.
Jason Lord:
Now you said instantly –– are you insinuating that this is happening before the caller ever reaches the agent or the IVR?
Lance Hood:
That's exactly right.
We think of it really as pre-answer, because as soon as a phone call connects into a call center, it's possible to examine inside the phone network where that call is originating from, and confirm that it's actually originating from the phone that's associated with the phone number that's tied to that phone number and confirm that's a legitimate call.
And that it's really not, you know, spoofed or virtualized or fact or manipulated in any way and all of that can be done very, very quickly at the instant that the call is connecting into the call center.
Jason Lord:
Well, that makes sense too, because if you're wanting to stop a fraudster from either probing the IVR to try to find weaknesses in the system or to reach an agent to elicit PII to later use for fraud, you want to stop them at the front door before they get to either of those locations.
Lance Hood:
That's exactly right. And at the same time you want to stop the bad guys at the front door, probably by erecting more challenging authentication processes and potentially even routing them to a destination that's specifically tuned for a high-risk caller.
You want to also let your trusted callers in and give them a really, really good experience.
And so knowing that information as to who's trusted and who's risky right away allows you to move callers down the appropriate pathway within the IVR.
But it's also possible then to alert an agent as to which callers are trusted and which ones are risky, and to have different processes and steps for authentication and different permissions that are available to callers based on that, and that again can be presented to an agent immediately as they engage, just like you can tune your IVR based on the trust of the callers.
Jason Lord:
One, of course, the great majority of callers are trustable callers, right, so I imagine reducing friction against them is not only a better customer experience, but must have enormous operational cost benefits.
Lance Hood:
Yes. And what the studies that we've done with some of our customers indicate there's really two big drivers of operational value.
One is certainly reducing the amount of time spent on knowledge-based authentication, which surprisingly, when you do studies on this and stem over between 30 seconds and a minute for many organizations and so reducing the number of questions, simplifying the questions down to something that can be asked and answered in 10 seconds rather than a minute generates a significant reduction in average handle time, and consequently a lot of operational savings.
The other thing that we've noticed is that owning the authentication process, in the IVR, and making it simpler for trusted callers, there is typically around a 10% reduction in the number of callers that will transfer from the IVR to an agent, so if authentication is easier in the IVR, people can solve their problem in the IVR, that's an agent call that just disappears. And when you start looking at IVR retention rates and you can reduce those transfers to agents, that generates a tremendous amount of savings as well.
Jason Lord:
I can imagine. So you've been looking at the call center space for a long time now and you must have observed patterns of behavior that separate safe callers from risky callers.
What does a risky call look like?
Lance Hood:
Well, fraudsters typically are motivated by two things.
One, they want to steal something, whether that's data or it's actually money out of an account.
And the second thing is they don't want to get caught.
Because they don't want to get caught, they will completely, regardless of the crime, they want to be anonymous and untraceable.
Just as an example of that, if you rob a bank, you wear a mask and you change the license plate on your getaway car.
Why? You want to be anonymous. And you want to be untraceable, and it turns out that when committing fraud through a call center, the same principles hold for criminals: They want to be anonymous and untraceable.
That means they will make phone calls in ways that do that, whereas normal people won’t.
So examples of some of those things: They may spoof the phone number they're calling from.
Sometimes that's to target a specific victim by falsifying the number and matching the number to the victim’s account.
But sometimes it's just to be anonymous, to be untraceable.
They'll use virtual call services.
These are services like Google Voice for example, but these are services where the calls can be made from any device anywhere in the world.
They will often use numbers that have no identity data associated with them.
They will port a number illicitly from a customer's account to their phone number, and so they use techniques like this, and most people don't.
And so by looking at all of these different factors, it's possible to really begin to see which calls are suspicious and which ones aren't.
Probably the biggest difference, though, is that criminals will not make calls from traceable devices like a mobile phone or a landline phone.
And most people actually do make their calls from those types of devices, and that becomes one of the easiest ways to distinguish trustworthy from risky.
So you have all of those factors together and you can get a really good stratification of risk.
Jason Lord:
And if somebody is behaving in the way you're describing, it doesn't necessarily make them a fraudster.
But it means that you should probably apply the normal amount of friction that you would apply against such a caller while removing the friction against the ones that appear safe.
Is that right?
Lance Hood:
That's exactly right.
Jason Lord:
So let's come back to inherence for a second. Inherence are things that are unique to the person themselves.
Let's talk about voice biometrics now.
AI has become a really significant topic in the last year. AI can, among other things, fake document images and can also recreate voices.
Does this spell the end of voice biometrics, the result of AI becoming increasingly popular?
Lance Hood:
Well, there's a lot of debate in the industry about that, and the answer is going to depend on who you talk to.
I think where we are today is that there are some real doubts about the long-term efficacy of biometrics in general and certainly voice biometrics, which appears to be one of the easier human factors to potentially mimic.
And the way I see it today is that there's really a race going on between the vendors who are doing voice biometric authentication and their use of artificial intelligence as part of that process.
And the fraudsters’ use of artificial intelligence to beat those systems.
And then the vendors turning around and reusing artificial intelligence to beat the fraudsters’ AI. And that's the race that's going on today.
I think the point is the fraudsters don't have to win that race to undermine the value of biometric authentication in the call center.
If we have doubts about whether or not it's going to work, then it pretty much isn't as valuable as it should be, and I think that's really where we are.
I saw a TED talk given by two gentlemen who were with an organization that really focuses on artificial intelligence for the benefit of humans, and their forecast was that voice biometrics in particular would not be useful probably by 2024.
So that's very quick and…
Jason Lord:
Yeah, as of this taping, that's less than two months away, so...
Lance Hood:
That’s right. So I think as a result of that, we really need to look at device or ownership factor authentication as the foundation for multifactor authentication strategies.
It's still appropriate to leverage some knowledge-based authentication on top of that, or to leverage some voice biometrics on top of that in the call center, but I think we really need to take advantage of the really strong authentication capabilities that phones as devices can provide in the call center.
Jason Lord:
That's really great advice.
You’ve been doing this for a very long time, you've talked to lots of different organizations, financial institutions, government agencies, retailers.
If you had to sum up your advice for these brands and agencies about how to approach the issue of call center authentication and keeping consumers safe, how would you do so?
Lance Hood:
I think rethinking the whole approach to multifactor authentication. Don't rely on just one factor, and certainly don't rely on the weakest factor of all, which is asking knowledge-based questions.
So build an authentication strategy that looks to use phones and the possession and proving the possession of a phone as that foundation, then layer on top some biometrics, layer on top some knowledge-based authentication where appropriate, in order to get a strong multifactor approach.
I think the second thing you want to do is look to identify as much as possible the phone, the callers and the phone numbers they're calling in from so that you can automate the identification experience as well as the trust assessment experience.
And there are certainly services that will help to identify callers, even if they're calling you from a number that you don't have in your customer relationship management system.
Jason Lord:
That’s great, thank you, Lance.
Thank you for tuning in, and we hope you'll join us for upcoming Fraudcast episodes.
In the meantime, stay smart and stay safe.
Your essential go-to for all the absolute linkages between the day’s emerging fraud and identity trends, tropes and travails — delivered with straight talk and none of the false positives. Hosted by Jason Lord, VP of Global Fraud Solutions.
For questions or to suggest an episode topic, please email TruValidate@transunion.com.
The information discussed in this podcast constitutes the opinion of TransUnion, and TransUnion shall have no liability for any actions taken based upon the content of this podcast.