
TransUnion Fraudcast Ep 6: Voice Biometrics and the Call Center

Episode 6

In this episode of the TransUnion Fraudcast, call center expert Lance Hood joins Jason to discuss the benefits and vulnerabilities (including AI) of voice biometrics, and its optimal role within a multilayered authentication strategy.

Jason Lord:
Welcome to the TransUnion Fraudcast, your essential go-to for the absolute linkages between the day's emerging fraud and authentication topics, trends, tropes and travails, delivered with all the straight talk and none of the false positives.

I'm your host Jason Lord, VP of Global Fraud Solutions.

Fans of the Fraudcast know that each episode we narrow in on a specific subtopic within the fraud and authentication universe, bringing on a special guest to help us dive in while keeping it high level enough that you don't need a PhD in data analysis to understand the topic –– because we've all either got kids to feed or Netflix to binge.

Voice biometrics, also known as voice verification or voice ID, is a technology using a person's voice as a unique identifying biological characteristic to authenticate. In theory it is fast, frictionless and associated with only a single individual.

There's no need to remember a password or PIN, or to answer multiple knowledge-based questions and it's been marketed as highly secure, as a person's voice supposedly can't be stolen or found on the dark web.

However, AI has proven voice biometrics not nearly as impenetrable as once thought. A form of artificial intelligence called Deepfake Voice can be applied to mimic a person's voice to commit fraud, and the danger is significant enough that the FTC is loudly sounding a warning that fraudsters are exploiting commercially available AI voice-cloning tools for family emergency scams.

A journalist from Vice recently replicated his own voice in a sound file on his computer to repeat the phrases needed to successfully gain full access to his bank account.

So what does this mean for call centers looking to keep themselves safe from fraud?

Here to discuss the topic with me is an expert in all things Call Center, Lance Hood, who is responsible for Omnichannel Solutions at TransUnion.

Prior to working with TransUnion, Lance helped to establish the company trusted as the market leader for pre-answer call center authentication.

Lance, welcome back to the Fraudcast. Let's dive in.

How do voice biometrics work, and how widespread are they within the call center?


Lance Hood:
Well, the basic concept behind any biometric is that you can take something that is physically or behaviorally about someone and turn it into a digital representation, and then when someone returns and wants to authenticate themselves, that they can provide a new digital representation that matches that stored reference representation, then they can use that as a form of authentication.

So in the construct of the call center, the biometric is your voice and there are aspects of each person's voice, hundreds of different attributes, in the sound that can be digitized and stored as a reference.

And so that's the common technique that is used, and then if you come back to a call center and you speak a particular phrase –– or often, you don't even need a phrase, you just need to speak enough sound that a digital representation can be obtained from your voice, and you can match that and therefore authenticate.

And this technology has been fairly attractive to a lot of call centers, particularly those that need strong authentication such as in the financial services industry or, I would say, the last five years or so, as a way of supplementing or overcoming the weaknesses in knowledge-based authentication, which is essentially asking people a whole bunch of questions that hopefully they're supposed to be the only ones that can answer.

But as we know with data hacks and with social networking sites pumping out everyone's personal information, that's no longer the case.

So for the last five years, there's been a good adoption trend of voice biometrics within multiple different market segments, but particularly financial services where you're protecting important information or you're protecting money.


Jason Lord:
So based on the sound of it, it's not much different than something we might have seen in the movies, in a Mission Impossible film or James Bond film.


Lance Hood:
That's exactly right.

And if you think about those, they're mimicking not only voices, in many cases, they're wearing disguises, essentially trying to beat a facial-recognition type of service as well. And that's definitely how these services work.

Some kind of a computing system is going to look at or listen to that biometric and convert it into a digital representation.

And if the mimicked voice in this case is close enough, then it can actually get a match and complete an authentication process and deliver what's really regarded in industry as a very strong authentication token.


Jason Lord:
So I want to get back to the fraud element of it in just a second, but talking more about the solution itself… How long does it take to listen to, let's say, Lance Hood's voice before it learns enough about your voice that it can be a reliable indicator of authentication?


Lance Hood:
I think whether you're answering that question from the fraudster’s perspective –– they're going to listen to your voice in order to start to replicate it –– or it's really registering a voice from an authentication perspective, the amount of time has been coming down.

Five years ago, it took, you know, a fairly long phrase in order to get enough net audio in order to create that digital representation.

That's now regarded by a lot of the vendors in the industry as they only need three or four seconds of audio in order to create a digital representation of a voice sufficient for authentication.

Problem is, the same kind of trends have been happening from a fraudster perspective.

They don't need that much voice anymore in order to be able to replicate it, both from the standpoint of trying to confuse a human, or trying to authenticate into a call center.

So it may be as little as three or four seconds is sufficient to be able to create that voice file.

If you think about it, many of us have customized greetings on our mobile phones.

If you call and we're not available, you're going to get a customized greeting.

Well, that's enough net audio right there for the fraudsters to start with.

So we need to all rethink a little bit of how easily we make our voices available to someone that's trying to replicate them.


Jason Lord:
I haven't considered that, but just thinking about it, you could probably find a video of me online somewhere giving a speech and use that as a way to AI create my voice for this kind of authentication.


Lance Hood:
Yeah, absolutely. And if you've got that kind of audio that's, you know, many minutes long, that's only going to enhance the ability to deepfake and replicate that.

Jason Lord:
I didn't realize this podcast was such a liability, now I understand!

So before we get to the fraud element of it, let's just talk good faith. So, somebody's logging into their account and this voice biometric relies on a voice print.

Now, I have to imagine not everyone has given consent to have their voice used. Is that baked into every time I call in the call center, or is that something that I have to opt into?


Lance Hood:
Well, I think you've raised a really good point here, which is that yes, you need to provide consent.

That's not actually that time consuming.

And as we talked about, also, we don't need that much audio anymore to establish that reference voiceprint and make you eligible to use that in future calls into a call center and authentication service.

The challenge is that an organization has to be really sure they're not registering a fraudster’s voice into someone's file and because of that, the burden of registering isn't providing consent –– or even providing the voice. It's making sure that you are who you claim to be before that voice is stored.

So typically, in order to enroll in a voice biometric system, you're going to go through a very rigorous knowledge-based authentication process, one with a lot of questions and a lot of very difficult questions that frankly people get frustrated with.

Or you're going to go through a process where you asked to enroll in the phone call, but then you were asked to hang up and go into a web session, log into the website in a different channel and then complete the registration process there.

And I've actually been through this a couple of times with some of the companies that I work with and the problem is I forgot my password, I couldn't get into the website and I said, oh, I'll come back and finish that up later. The next time I wanted to call and I finally got my password, the whole registration process had expired.

And this hints that the friction and difficulty with a lot of voice biometric systems is that enrollment is difficult and as a result, the enrollment rates tend to be pretty low as well.


Jason Lord:
When you say low, what number are we talking?


Lance Hood:
So I've seen a lot of organizations, if they over a four- or five-year period get to 40% enrollment that's pretty good. But keep in mind even after you enroll, there's no real value delivered until the next time you call, because you have to enroll first, and then you call.

So it can take a long time before the benefit of voice biometrics, as a way of enhancing authentication and simplifying the authentication experiences, is realized by callers.


Jason Lord:
And on the one hand, it makes sense why they would want to leave a system like this not in the hands of a potential fraudster who could game it, to pretend to be Lance Hood. So you need to put up barriers in the place of it.

On the other hand, I'm thinking of somebody who just wants to check their bank account and now has to go through this very stringent process to just access something that used to be very simple for them.

So I can imagine that that becomes, in the minds of any financial institution or any organization, a true barrier for entry in terms of customer experience.


Lance Hood:
Absolutely. And I think that's why it's important to look at different types of authenticators and there's a balance between those that have no enrollment at all, for example.

If you're looking at the way a phone call is made, and inspecting that phone call, for example, a lot of that can be just done pre-answer.

It can be completed entirely before there's any engagement with that caller, and in that kind of case that's a good example of where we can establish trust, and if all they're looking for is to check their account balance, there's no reason to force that person to enroll in a voice biometrics system.


Jason Lord:
Well, it’s sounding more and more like the same conversation we're having around KBA, which is: KBA is sort of like… a lock on your door.

We're not saying don't put a lock on your door, but if that's the only thing that you have on your bank, that's probably an issue, right?

So I'm guessing voice biometrics has a place and time, maybe not as the primary means of authentication.

So in your mind, where is the right place for voice biometrics?


Lance Hood:
Yeah, I think that's right.
And if we just look back a few years, you classically would talk about best practice in authentication is using multiple factors.

Again, the factors being knowledge, asking questions, biometrics, something about you physically or behaviorally, and then finally device or ownership factor authentication; possession of something… in the case of a call center, it's obviously your phone.

And historically, you'd see this presented as a Venn diagram and the more overlaps you’ve got, the better off you were.

But kind of implied in that view of things is that each one of these authentication approaches, the three different approaches, are sort of equally valuable.

And so it doesn't matter which order or sequence or priority is given to each one, you just want as many overlaps as you can get.

I think with the issues you've brought up with knowledge-factor authentication and now this sort of contest going on between the fraudsters using deepfake AI to try to beat the authentication vendors using their own AI, there are some questions about that.

On the other hand, device-based authentication in the call center is stronger than ever.

Phones, particularly mobile phones, are just this beautiful method of authentication. Everyone knows when they've lost their phone. You lose that, you know it very quickly.

There's typically some additional authentication requirements to even get onto the phone and make a call, and if we can determine that's a legitimate phone call from a unique physical traceable device, we can do it quickly.

That becomes, I think, the foundation for all call centers to look at authentication. Start with verifying the legitimacy of the phone call you're receiving and then layer on top of that knowledge factor authentication and biometrics. So they both still have a role, but I think they are enhancements to a foundational layer.

I kind of think of it as not necessarily a Venn diagram anymore, but just blocks with a foundation being your device-based authentication and then on top of that selectively applied knowledge factor authentication or biometrics. So all still have a role.

Jason Lord:
It feels like part of what you're saying, too, is stop thinking about these authentication methods as blockades that people have to go around and start thinking of it as an opportunity to find more greens, more safe transactions and safe callers, so –– and correct me if I’m mis-hearing you –– but it sounds like what you're saying is if you can use pre-answer risk assessment or authentication and, say for 80 to 90% of people, you're safe then you're good to go.

You don't have to do anything else, but maybe then that 10% gets funneled down into a further authentication layer, whether it be voice biometrics or KBA.

And then you further funnel people down until you're at a point where nothing that you have can successfully prove them as safe, and so then they go to a fraud analyst or a fraud specialist.

Is that the vision you have for it?


Lance Hood:
Yeah, that there really is it.

And I think if you think about the treatment of callers, if you start off with a trusted device, maybe you just need a light amount of knowledge-based authentication on top of that, something really simple, but still another factor that gets added into the mix.

If you look more suspicious, then maybe you're going to apply a voice biometric authentication to add to that.

So you give someone the opportunity to still get a strong authentication from that modality, even if, for example, they couldn't completely pass an inspection of their phone call and then based on those cumulative results, hopefully you're identifying more and more trusted callers who get, you know, a great experience, they get maybe greater permissions for changing account information, higher money-transfer thresholds, while those who consistently are failing these different authentication methods, the fence for them to get access to anything is going up. You're putting up higher barriers for them.

And so that way you have a better fraud identification, but at the same time you're getting a better treatment to your trusted callers and you're giving callers more opportunity to be in that trusted category.


Jason Lord:
I appreciate what you're saying, because so often we hear about the quote-unquote balance between customer experience and fraud and part of what you're saying is that if you're doing it right, if you're using pre-answer risk assessment and authentication, it's not a balance, it's in fact a better experience.

You're reducing call times. You're improving the customer experience because the majority of the callers are not getting the friction associated with voice biometrics or KBA.

They're just getting a safe caller treatment.


Lance Hood:
Yeah that's exactly right.

I kind of think of it as a trifecta of benefits, and it's by doing the assessment pre-answer and looking at how that phone call is made and identifying whether it's made in a trustworthy or very suspicious way we can improve fraud detection, we can reduce step-up authentication for trusted callers, which is a great customer experience, and we can lower average handle times because agents aren't interrogating anymore, and as a result you get the benefit of better cost efficiency, better customer experience and better fraud detection all at once.

There's not the trade-off, particularly between fraud and customer experience and operating efficiency, that you often see in so many other types of technologies.

And that's also why it's so important to start with that as your foundation, you've got a win, win, win, and then you can more selectively apply some of these higher friction authentication modalities on top of that.


Jason Lord:
So I think you've already covered a lot of ground, but if you had to leave our listeners with a point of view when it comes to voice biometrics, how to consider it within the call center, what recommendation would you make?


Lance Hood:
I would recommend that voice biometrics should be an integral part of all multifactor authentication strategies and it should be leveraged in conjunction with a device-based or phone-based authentication technology.

Those two together work very complementary.

We have many, many customers that use both of them together along with knowledge factor authentication and it really is a best practice, so I would encourage continued use and adoption of voice biometrics, but I would do it paired with a device-based authenticator, a solution that really is looking at how that phone call was made.

Jason Lord:
Makes sense.

Thank you so much, Lance. This kind of performance is why we keep bringing you back.

Lance Hood:
Well, I enjoy being part of the Fraudcast.


Jason Lord:
Well, thank you all for tuning in. We hope you enjoyed the discussion and we hope you join us for an upcoming Fraudcast episode. In the meantime, stay smart and stay safe.

TransUnion Fraudcast

Your essential go-to for all the absolute linkages between the day’s emerging fraud and identity trends, tropes and travails — delivered with straight talk and none of the false positives. Hosted by Jason Lord, VP of Global Fraud Solutions. 

For questions or to suggest an episode topic, please email TruValidate@transunion.com.

The information discussed in this podcast constitutes the opinion of TransUnion, and TransUnion shall have no liability for any actions taken based upon the content of this podcast.
