
Webinar Hi, This Is Your Fraudster Calling! The 10 Commandments Of Telephone Fraud Management

Webinar Hi, This Is Your Fraudster Calling! The 10 Commandments Of Telephone Fraud Management. Andras Cser, Principal Analyst. March 30, 2012. Call in at 10:55 a.m. Eastern time. Call center authentication is a balance of user friendliness and security.


Presentation Transcript


  1. Webinar: Hi, This Is Your Fraudster Calling! The 10 Commandments Of Telephone Fraud Management. Andras Cser, Principal Analyst. March 30, 2012. Call in at 10:55 a.m. Eastern time.

  2. Call center authentication is a balance of user friendliness and security.

  3. Executive summary: 10 commandments of call center authentication
     1. Call centers are part of a cross-channel fraud management strategy.
     2. Do not allow vanilla/full enrollment over the phone.
     3. Use three credentials for IVR authentication (three of the items on slide 18; most of them are "something you know", so this is not three factors in the MFA sense of slide 23).
     4. Implement a 3-tier authentication process (IVR, CSR, and fraud analyst).
     5. Use a color-coded IVR authentication exit process.
     6. Use adaptive/risk-based authentication, and make the scores visible to CSRs.
     7. Do not allow high-risk transactions over the phone.
     8. Record all calls and alert CSRs to known fraudster voices, keywords, and patterns.
     9. Train and empower CSRs, but don't let them help callers answer security questions.
     10. Keep in mind that customers expect more security, even at the cost of ease of use.

  4. Agenda

  5. Fraud management today
     Fraud management is the systematic mitigation of fraud and the reduction of the costs associated with it. Its building blocks: identity proofing and vetting; adaptive and risk-based authentication; enterprise fraud management; identity resolution.

  6. Organizational challenges around fraud management
     Lack of a centralized, high-level view across:
     - All channels: web, phone, branch, point of sale (credit/debit, PIN/signature), ATM, employee
     - All transaction types: account origination, payments, wire, ACH, checks/deposits, account management, applications
     - All lines of business: retail banking, loans, mortgages, commercial banking, investment banking
     - All geographies

  7. Call center fraud types
     - Lying about service levels to get upgraded treatment
     - Posing as someone calling on behalf of a business (impersonation of a legitimate customer)
     - Attempting to add unauthorized options/services/products to the account
     - Cards: counterfeit, skimming, card-not-present (CNP), account takeover
     - DDA (demand deposit accounts): false, online banking fraud, account takeover, ID theft
     - Delegates trying to access other people's accounts
     - Penny stocks (pump and dump: buy a penny stock, flood the market with information, the price goes up, sell the stock, the price plummets)

  8. Call center fraud types (continued)
     - "Vishing" (voice phishing): conferencing the legitimate account holder into a scam call
     - Slowly extracting more and more information about an account over the course of multiple calls
     - Fraudulently signing up for online banking
     - Caller ID and ANI spoofing
     - Internal employee (CSR) fraud: an insider CSR works with the fraudster, or a fraudulent temp agency supplies the staff

  9. Commercial banking specific
     - ACH: fraudulent payment
     - Wire: fraudulent payment
     - Employee fraud: adding a few extra accounts to the salary payroll run
     - CSRs handle both calls and fraud (unlike retail), especially for large accounts; a dedicated team serves large accounts
     - The skills required of CSRs and fraud staff are more comprehensive than in retail

  10. Agenda

  11. Call center enrollment
     - Some banks interviewed do not allow phone enrollment at all.
     - Some allow starting a "virgin" enrollment on the phone but require mailing in documents.
     - Some allow adding services/products to an existing relationship only, not establishing a new relationship.
     - Some allow adding new services online only.
     - All of them require paperwork to be filled out and sent back with the registration at some point; there is no pure phone-only enrollment.
     - User vetting and verification happens in person, or the user must fax a photocopy of a government-issued ID.
     - Some allow web and in-person enrollment only.
     - Some use out-of-wallet questions at online enrollment time.

  12. Enrollment steps
     - A delegated administrator/super user enrolls the authorized users.
     - Delegated administrators are not enrolled on the phone, only in person.
     - The FI calls delegated administrators periodically (quarterly) to ensure they still work at the client organization.
     - The delegated administrator's responsibilities are contractually set.
     - Train the fraud management system to leave new users alone: don't raise risk scores for the first 2-3 phone contacts.
     - Voiceprint enrollment happens implicitly: the first 5-9 calls are enrollment without the customer knowing it; subsequent calls are true authentication. (Check that the biometric-consent rules in your jurisdiction permit enrolling without notice.)

  13. Enrollment (continued)
     - Mail out the telephone PIN by post.
     - Have the user enter their online password transcribed via the phone keypad. This reduces password complexity (good for end users online) . . . and password entropy (bad for security): letters collapse onto the digits 2-9 and case is lost, so a 9-character alphanumeric password arrives at the IVR as at most a 9-digit number.
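To put a number on the entropy loss in slide 13, here is an added example (not part of the deck and not a bank's or vendor's code). It maps a password onto the standard ITU E.161 keypad letters and counts how many distinct alphanumeric passwords the IVR can no longer tell apart. Treating characters with no keypad equivalent as dropped, and the sample passwords, are assumptions for illustration.

```python
"""Added example (not from the original deck): entropy lost when an online
password is keyed in on a phone keypad. Keypad layout is ITU E.161; dropping
characters with no keypad equivalent is an assumption."""
import math

# Digit -> letters printed on that key (ITU E.161 layout).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}


def transliterate(password: str) -> str:
    """Return the digit string the IVR actually receives.

    Digits map to themselves, letters to their key (case is lost) and
    anything else is dropped (assumption: the caller cannot type it).
    """
    digits = []
    for ch in password:
        if ch.isdigit():
            digits.append(ch)
        elif ch.lower() in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch.lower()])
    return "".join(digits)


def chars_per_key(digit: str) -> int:
    """Alphanumeric characters (the digit plus upper- and lower-case letters)
    that collapse onto one key: 7 for '2', 9 for '7', 1 for '0' and '1'."""
    return 1 + 2 * len(KEYPAD.get(digit, ""))


def collision_class_size(password: str) -> int:
    """Number of distinct case-sensitive alphanumeric passwords that produce
    exactly the same keypad digits as `password`. The IVR cannot tell them
    apart, so an attacker only needs to hit any one of them."""
    size = 1
    for digit in transliterate(password):
        size *= chars_per_key(digit)
    return size


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def entropy_report(password: str) -> dict:
    """Nominal strength (assuming an alphanumeric password) versus what the
    IVR sees after keypad transcription."""
    digits = transliterate(password)
    return {
        "digits": digits,
        "nominal_bits": round(entropy_bits(62, len(password)), 1),  # a-z, A-Z, 0-9
        "keypad_bits": round(entropy_bits(10, len(digits)), 1),     # digits only
        "same_digits_as": collision_class_size(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Password1", "Summer2012"):
        print(pw, entropy_report(pw))
```

For the constructed password "Password1" the IVR receives 727796731, which it shares with about 20 million other alphanumeric strings; the nominal 53.6 bits become 29.9 bits at best, and a short PIN mailed separately is not much weaker than that.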

  14. Commercial banking specific
     - Tax ID number, account number
     - List of people who can represent the company on its behalf
     - More rigorous, longer process
     - Moving away from passwords because there are too many passwords

  15. Agenda

  16. Call center authentication general steps

  17. Identification by IVR: one of the following
     - ANI / caller ID
     - Account/contract number
     - Social Security number

  18. Authentication by IVR
     General rule of thumb: three of the following (never fewer, and hopefully not more, as more factors cost more):
     - PIN
     - Date of birth
     - Credit card number
     - Password transliterated on the keypad
     - Social Security number
     - Account/contract number
     - One-time password (OTP) from a credit-card-form-factor token
     Voiceprint authentication is increasingly being planned.
     Caveat: apart from the OTP, every item is "something you know", and DOB, SSN and account or card numbers are the same data a fraudster obtains for account takeover, so this is three credentials rather than three independent factors.

  19. Authentication by CSR
     First process (credentials check):
     - DOB
     - Credit card number
     - Social Security number
     - Account/contract number
     - Account activity details (e.g., last deposit date and amount)
     - Security Q&A (2 out of 5)
     - Location-specific information
     If the caller fails the credentials check, proceed to the second process: first line of address, password, maiden name, memorable dates, security Q&A.
     Third process: the caller has to prove who they are by faxing documents.

  20. Best practices
     Color codes shown to the CSR and in CRM applications after the customer drops out of the IVR:
     - Red: customer failed IVR authentication. → Ask 2 additional Q&A.
     - Green: customer passed IVR authentication.
     - White: customer did not attempt IVR authentication. → Ask name, address, DOB, and 2 Q&A.
     Missing certain security answers should carry larger risk-score increases; examples of red flags are a wrong DOB and a male caller for a female name.
     CSRs should only get certain, varying characters of the PIN, never the whole PIN, to minimize internal fraud ("Please give me the 1st, 2nd, 5th and 7th character of your PIN/verbal password.").
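The colour-coded hand-off and the partial-PIN question from slide 20 fit together naturally in the CSR application. The following is an added example, not Forrester's or any vendor's code: the CRM shows the colour and the remaining script items, and the CSR is given only the positions to ask for, never the PIN. The two-attempt limit is taken from slide 32; the data structures, position count and lockout behaviour are assumptions.

```python
"""Added example (not from the deck or any vendor): colour-coded IVR exit
plus a partial-PIN check where the CSR only learns which positions to ask
for. Two-attempt limit per slide 32; data structures are assumptions."""
import hmac
import secrets

# What the CSR must still collect, keyed by the colour the CRM shows (slide 20).
CSR_SCRIPT = {
    "green": [],                                      # passed IVR authentication
    "red":   ["security Q&A #1", "security Q&A #2"],  # failed IVR authentication
    "white": ["name", "address", "DOB",               # never attempted the IVR
              "security Q&A #1", "security Q&A #2"],
}


def ivr_exit_color(attempted: bool, passed: bool) -> str:
    """Colour displayed in the CSR/CRM screen when the caller leaves the IVR."""
    if not attempted:
        return "white"
    return "green" if passed else "red"


def ordinal(n: int) -> str:
    suffix = "th" if 10 <= n % 100 <= 20 else {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def choose_positions(pin_length: int, k: int = 4, rng=None) -> list:
    """Pick k distinct PIN positions for this call. They vary per call, so a
    CSR cannot reassemble the whole PIN from a customer who calls repeatedly."""
    rng = rng or secrets.SystemRandom()
    return sorted(rng.sample(range(pin_length), k))


def prompt_for(positions: list) -> str:
    """The only PIN-related thing the CSR sees: which characters to ask for."""
    words = [ordinal(p + 1) for p in positions]
    return ("Please give me the " + ", ".join(words[:-1]) + " and " + words[-1]
            + " character of your PIN.")


def verify_partial_pin(stored_pin: str, positions: list, answers: list) -> bool:
    """Compare only the requested characters, in constant time.

    A one-way hash cannot check a subset of positions, so the server must be
    able to recover the PIN; keep it in a protected store (assumption:
    encrypted or HSM-held) that the CSR application never reads directly.
    """
    if len(answers) != len(positions):
        return False
    expected = "".join(stored_pin[p] for p in positions)
    return hmac.compare_digest(expected.encode(), "".join(answers).encode())


class CsrSession:
    """Verification state for one caller after the IVR hand-off."""
    MAX_ATTEMPTS = 2   # slide 32: only two chances, then end the call gracefully

    def __init__(self, stored_pin: str, ivr_attempted: bool, ivr_passed: bool, rng=None):
        self.color = ivr_exit_color(ivr_attempted, ivr_passed)
        self.remaining_checks = list(CSR_SCRIPT[self.color])
        self._pin = stored_pin           # never sent to the CSR screen
        self.failures = 0
        self.locked = False
        # Same positions for the whole call: re-rolling after a wrong answer
        # would let a failed caller fish for a second set of characters.
        self.positions = choose_positions(len(stored_pin), rng=rng)

    def pin_prompt(self) -> str:
        return prompt_for(self.positions)

    def submit_pin_answers(self, answers: list) -> str:
        """Return 'verified', 'retry' or 'locked' (hand the call to the fraud team)."""
        if self.locked:
            return "locked"
        if verify_partial_pin(self._pin, self.positions, answers):
            return "verified"
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "retry"


if __name__ == "__main__":
    # Constructed PIN and call; not real data.
    session = CsrSession("7391824", ivr_attempted=True, ivr_passed=False)
    print(session.color, session.remaining_checks)
    print(session.pin_prompt())
```

The CSR types what the caller says and gets back only verified/retry/locked; the comparison happens server-side, so neither the CSR nor the call recording captures the complete PIN.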

  21. Best practices (continued)
     - Bidirectionally integrate with the fraud solution (Actimize, Norkom Technologies, FICO, etc.).
     - Use adaptive authentication when possible (RSA, Entrust, Arcot/CA Technologies, Oracle OAAM).
     - Include account activity in the questions.
     - Detect and do not allow conference calls.

  22. Commercial banking specific
     - When sending off ACH batches, the user has to pass authentication and provide an employee code.
     - First- and second-level manager approval on ACH batches.
     - Voice recognition for treasury-type banking.
     - ACH bonuses are flagged with a different product code (ad hoc); these require more verification than a typical salary payment.
     - Some use OTP 2FA by text message to a registered mobile phone, or a software OTP 2FA token.

  23. What is multifactor authentication (MFA)? Two or more of the following:
     - Something you know (password, PIN)
     - Something you have (OTP token)
     - Something you are (biometrics)
     - Something you do (voice/speech, keystroke dynamics, motion recognition)
     Confusion as to what falls into which category drives a lot of business for vendors.

  24. Risk-based authentication (diagram). A risk score is derived from the user identity, the authentication context (ANI/caller ID, time of day, past transaction history) and the authenticator presented (security Q&A, hardware token, smart card, SMS/email token, voice/voiceprint).

  25. Agenda

  26. Call center authorization
     - This is the biggest challenge interviewees face.
     - Many provide real-time alerting of suspicious activity to CSRs.
     - Default authentication lets the caller perform only low-risk transactions.

  27. Call center authorization (continued)
     - Some banks allow only low-value transactions to be performed over the phone.
     - Higher-value transactions require step-up authentication/authorization (security Q&A).
     - Establish an authorization workflow for CSRs to act on behalf of ("impersonate") the caller within a logged session.
     - High-risk transactions are not allowed over the phone at all. Example: for a wire transfer from the US to Estonia, the customer has to go to the bank.
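Slides 26 and 27 describe three tiers: default authentication covers low-risk transactions, higher-value ones need step-up, and high-risk ones are refused over the phone. The following added example (illustrative code, not any bank's policy engine) turns that into a decision function that also folds in the adaptive-authentication score of slide 24, the ANI validation of slide 37 and the conference-call rule of slide 21. The thresholds, the level names and the set of transactions refused by phone are assumptions.

```python
"""Added example (not from the deck): tiered authorization for phone-initiated
transactions. Thresholds, level names and the not-by-phone list are
assumptions chosen to illustrate the three tiers on slides 26-27."""
from dataclasses import dataclass

LOW_VALUE_LIMIT = 500        # assumption: at or below this, default IVR auth suffices
PHONE_LIMIT = 5000           # assumption: above this, the phone channel is refused
NOT_BY_PHONE = {"wire_international"}   # slide 27: US-to-Estonia wire means a branch visit
HIGH_RISK_SCORE = 70         # assumption: fraud-engine score that demands an extra factor

# Authentication levels a caller can reach during one call (assumed naming).
LEVEL_NAMES = {1: "ivr_default", 2: "csr_security_qa", 3: "otp_to_registered_phone"}


@dataclass(frozen=True)
class Transaction:
    kind: str                  # e.g. "balance_inquiry", "ach_payment", "wire_domestic"
    amount: float
    new_payee: bool = False    # first payment to this beneficiary


@dataclass(frozen=True)
class CallContext:
    auth_level: int            # highest level the caller has passed so far (1-3)
    risk_score: int            # adaptive-authentication score shown to the CSR, 0-100
    ani_verified: bool         # caller ID / ANI validated before the call was answered
    conference_detected: bool = False   # slide 21: conference calls are not allowed


@dataclass(frozen=True)
class Decision:
    action: str                # "allow", "step_up" or "deny_phone"
    required_level: int
    reason: str


def required_level(txn: Transaction, ctx: CallContext) -> int:
    """Authentication level this transaction needs in this call's context."""
    if txn.kind == "balance_inquiry":
        level = 1
    elif txn.amount <= LOW_VALUE_LIMIT and not txn.new_payee:
        level = 1                                    # low-risk: default auth is enough
    else:
        level = 2                                    # higher value or new payee: step up
    if ctx.risk_score >= HIGH_RISK_SCORE or not ctx.ani_verified:
        level += 1                                   # risky context: one factor more
    return min(level, 3)


def authorize(txn: Transaction, ctx: CallContext) -> Decision:
    """Decide whether the CSR may proceed, must step up, or must refuse the channel."""
    if ctx.conference_detected:
        return Decision("deny_phone", 3, "conference call detected")
    if txn.kind in NOT_BY_PHONE or txn.amount > PHONE_LIMIT:
        return Decision("deny_phone", 3, "high-risk transaction: branch visit required")
    need = required_level(txn, ctx)
    if ctx.auth_level >= need:
        return Decision("allow", need, f"authenticated at {LEVEL_NAMES[need]}")
    return Decision("step_up", need, f"step up to {LEVEL_NAMES[need]}")


if __name__ == "__main__":
    # Constructed calls, not real data.
    ctx = CallContext(auth_level=1, risk_score=15, ani_verified=True)
    for txn in (Transaction("balance_inquiry", 0),
                Transaction("ach_payment", 300),
                Transaction("ach_payment", 300, new_payee=True),
                Transaction("wire_international", 100)):
        print(txn.kind, txn.amount, authorize(txn, ctx))
```

Because the decision is a pure function of the transaction and the call context, it can be evaluated again when the CSR raises the level mid-call, and the `reason` field gives the CSR the live feedback slide 37 asks for.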

  28. Agenda

  29. Call recording
     - Not all interviewees record all calls. Leaders record all calls for quality, training, compliance, and fraud purposes.
     - Fraudulent calls can be transferred immediately to the fraud department (notify the customer before transferring).
     - Leaders use voiceprint analysis (NICE Systems) both to flag known fraudsters and for authentication.
     - Leaders plan to use mobile phone recording solutions.

  30. Call center logging
     - Many log the last time the user called. Leaders log when the user last logged in on any channel (web, mobile, ATM, etc.).
     - Leaders unify call center logging and fraud information across all call centers. Some don't do that yet, but plan to.
     - CSRs can add notes (color-coded at some institutions) to the customer record in the CRM; this is where they can indicate risk.
     - Leaders use behavioral and predictive analytics based on call center logs of customer transactions.

  31. Agenda

  32. Call center people aspects
     - Leaders discourage CSRs from helping customers answer security Q&A.
     - Customers should get only two chances to answer security Q&A.
     - Provide a script so CSRs can terminate calls gracefully and without guilt.
     - Leaders must empower CSRs and let them use common sense and their instincts.

  33. Call center people aspects (continued)
     - Leaders should train customers that more security is good and that they should expect it.
     - Marketing says the password reset process draws complaints from customers; fraud says the questions asked are too easy to guess.

  34. Facts of life
     - It is difficult to enroll people with security Q&A.
     - Legitimate users forget security answers.
     - Legitimate users forget PINs.
     - No one reads welcome packs.
     - This is an ongoing internal struggle.

  35. Agenda

  36. Recommendations
     - Record all calls.
     - Don't let CSRs see a customer's entire PIN, to avoid internal fraud.
     - Use triangulation (e.g., checking that the state, town, and ZIP code the caller gives agree with each other) and risk-based authentication in the call center.
     - Use 2FA tokens or SMS text messages only when needed or when the client requests it.
     - Avoid asking overly specific security questions.
     - Avoid asking questions that can be socially engineered.

  37. Recommendations (continued)
     - Use voiceprint authentication.
     - Use enterprise fraud management and risk-based authentication scores, and provide live feedback to CSRs.
     - Perform access recertification and deprovisioning of CSRs automatically.
     - Conduct background checks and monitoring of CSRs.
     - Use a voice firewall (TrustID) to validate the authenticity of the caller's caller ID and ANI before the call is answered.

  38. Call center authentication is a balance of user friendliness and security.

  39. Thank you. Andras Cser, +1 617.613.6365, acser@forrester.com, Twitter: @acser, www.forrester.com
