November 20, 2019
On October 1st, a group of leading professionals from the credit card issuing industry gathered at Chicago’s Fairmont hotel to participate in a full day of keynotes, workshops, and technology reviews. The topics covered included fraud, authentication, customer experience, contact center best practices, and even white collar crime and the future of voice commerce. Pindrop, along with Discover, hosted the momentous ICX event dedicated to credit card issuers and retail partners. This document takes a brief look at some of the topics covered during the ICX Card Issuer Summit and outlines the major themes discussed throughout the event.
BANDING TOGETHER FOR THE FIGHT
One of the top reasons cited for attendance was learning best practices around fraud prevention, customer authentication, and voice security. Nearly all attendees wanted to use the conference as an opportunity to learn from each other and share examples of their successes. Some attendees even said specifically, “We all have a common enemy and the best way to fight this enemy is together.” Enterprises that appear to consumers as rivals take a very different approach when facing an enemy that impacts not only them but their customers. The ICX Summit provided an outlet to share information about authentication strategies, fraud detection techniques, and how these subjects affect customer attrition rates and the bottom line. As these companies journey down the ever-changing path to friction-free customer interaction in a fraud-free environment, they understand that their competitors aren’t their biggest concern. Bad actors, fraud rings, and outdated authentication methods are hurting them far worse than any competitor ever could.
THE VOICE ECONOMY IS HERE
One of the first sessions was a presentation by Pindrop Co-Founder & CEO, Vijay Balasubramaniyan, on how voice impacts us as a society and why it is taking a more central role in our daily lives. While voice technology has existed in some form for decades, it wasn’t until recently that the technology crossed an important usability threshold: a sub-5% error rate, which is the minimum we consider usable in human-to-human conversation. Rates above 5% tend to hinder conversation. Imagine speaking with someone in another language. If you couldn’t get more than 10 out of every 25 words correct, which is a 40% error rate, a natural conversation would be very difficult and not something you would likely repeat. However, if you only missed 1 or 2 words, which would be less than a 5% error rate, you would likely be able to converse effectively. Alongside that broken barrier, another technology advance that made devices like Google Home desirable products is Text to Speech (TTS). Voice input is only one direction of the conversation. TTS was critical in enabling these devices to find a spot in our homes.
Now that the technology exists to make the consumer experience usable, enterprises must consider which interactions they can offer, or ultimately which interactions consumers want available, on these devices. They must also consider security and authorization. An unprotected endpoint could be a treasure trove of voice recordings, or could even allow bad actors to execute commands if proper authentication is not part of these interactions. Even something as trivial as a voice command could have repercussions without proper authorization. Imagine a child in the back seat who could use a voice command to set the speed of the car dangerously high, or unscrupulous neighbors who transfer money to their own account using your Alexa while it is left unattended.
TURNING BEST PRACTICES INTO HABITS
Co-Host Discover presented on implementing some solutions, and the discussion focused on the impact not only on the customer but also on the contact center representatives (CSRs) helping them. Many attendees, including American Express and FNBO, took a deep dive into methods of rolling out tools to CSRs and how those tools affected their workflows. As Discover shared, their strategic key to success was to start small, iterate, and then deploy. New technology brings new procedures for learning how best to use those resources. Discover’s simple yet effective strategy was to pilot their program with their most seasoned representatives first, letting them evaluate the tools and try them on calls to see how they could adapt their workflows. Once the program was fine-tuned with those influential CSRs, a larger deployment was rolled out, leveraging the CSRs involved in the pilot to help socialize the new procedures. This also helped adoption, as the change was ultimately seen not as new instructions but as relief from procedures that were driving employee dissatisfaction. Representatives were no longer repeating the same 10 questions to every customer who called in. The process could now be streamlined to just one or two questions, thanks to risk scoring the calls and providing follow-up instructions to those reps in real time.
A SHIFTING PERSPECTIVE
Another consistent theme that emerged from multiple sessions was the notion of shifting the way people think about the problems they are facing. Fraud groups are often measured by the dollar amount of fraud losses stopped in the quarter. While this is important to measure, companies such as US Bank have shifted their thinking beyond just the immediate impact and started thinking more broadly about fraud’s impact. Many attendees echoed a similar recent trend, such as including finance departments in these analyses to attempt to measure what impact fraud has beyond the initial dollar loss, such as customer churn and even share of wallet. For example, if you hear of a friend struggling to straighten out fraud charges on a card you both have, will you still use it? Will you move it to the back of your wallet? Would it change the size of the purchases you are willing to make with that card? Considerations like these are becoming more important as enterprises consider the broader impacts of fraud and customer experience on their organization. While a small amount of fraud might be the cost of doing business, does it have financial impacts elsewhere?
Enterprises combating fraud and cyber attacks have to adopt the mindset “Once the equation changes, I’m going to need to adapt.” Fraudsters have this mindset, and security experts need to think in the same terms. Once consumers start using voice as an interface for any type of sensitive exchange of information or currency, enterprises will need to adapt quickly, or else the fraudsters could maintain the upper hand in these newly developed channels.
FRAUDSTERS BREAK NEW GROUND
While many attendees talked about shifting their strategies from reactive to proactive, we also learned that fraudsters are shifting their strategies as well. As financial enterprises expand beyond card issuing into digital payments and into more products and services like retirement and mortgage, fraudsters are following suit. As these companies face challenges around aging infrastructure, fraudsters are taking advantage and using the same tactics to get into new areas of opportunity, such as defrauding retirement accounts, mortgages, car loans, etc. Since the same sources of intelligence gathering exist, such as the IVR, the call center, and stolen data from the dark web, they are able to use this same data to grow into larger and more sizeable targets. Connecting these different systems together and trying to simplify customer interaction often brought the “sins of the past” of aging technology forward. The notion of expanding product lines that are exposed to built-in vulnerabilities was a wake-up call to many organizations to secure these interaction points even more urgently.
NEW TRICKS FOR TREATS
Several new trends in fraud tactics were discussed, from how bad actors can use the IVR most effectively for reconnaissance to social engineering techniques that are proving effective for fraudsters. One of the most alarming trends was how easily fraudsters are able to crack PINs and CVV2 codes using the IVR. Since a lot of IVRs go unmonitored, the IVR has become a blind spot in the security posture of many organizations. Fraudsters rely on the IVR to allow many attempts at entering the correct information. For example, fraudsters who obtain a customer account number might be able to use the IVR in a guess-and-check method to determine a target victim’s PIN. Since a PIN is typically a 4-digit code, there are a finite number of combinations possible. Pindrop, monitoring the IVR of one banking customer, observed fraudsters guessing PINs. A fraudster was manually entering numbers and was able to guess the right number in less than 4 days. A 3-digit CVV2 code can be cracked inside of 2 days. A significant number of attendees noted in several sessions that fraudsters are becoming more patient: taking their time to obtain the right information, understanding what security procedures are in place, and knowing how and when to take the money.
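As an added illustration (not Pindrop's code or data), the sketch below shows why an unmonitored IVR misses this kind of patient guessing: a per-call attempt limit never fires, while counting failed PIN entries per account across calls and caller numbers does. The event fields, the 10-failure threshold, and the sample events are assumptions constructed for the example; the 4-day window mirrors the timeframe mentioned above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed IVR PIN-check events: (time, account, caller, call id, result)."""
    start, events = datetime(2019, 10, 1, 9, 0), []
    for i in range(12):  # 12 short calls, 6 hours apart, each from a new number
        for j in range(2):  # only 2 wrong PINs per call
            ts = start + timedelta(hours=6 * i, seconds=20 * j)
            events.append((ts, "ACCT-1001", f"555-01{i:02d}", f"call-{i}", "FAIL"))
    # A genuine customer who mistypes once, then authenticates.
    events.append((start, "ACCT-2002", "555-0199", "call-x", "FAIL"))
    events.append((start + timedelta(seconds=30), "ACCT-2002", "555-0199", "call-x", "OK"))
    return sorted(events)

def per_call_lockouts(events, limit=3):
    """Accounts that a per-call attempt limit alone would catch."""
    fails, hit = defaultdict(int), set()
    for _ts, acct, _ani, call, result in events:
        if result == "FAIL":
            fails[call] += 1
            if fails[call] >= limit:
                hit.add(acct)
    return hit

def slow_guessing(events, window=timedelta(days=4), threshold=10):
    """Accounts with >= threshold failed PIN entries in a sliding window,
    counted across calls and caller numbers. A later success does not reset
    the count, so a correct final guess cannot erase the trail."""
    recent, flagged = defaultdict(deque), {}
    for ts, acct, ani, _call, result in events:
        if result != "FAIL":
            continue
        q = recent[acct]
        q.append((ts, ani))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and acct not in flagged:
            flagged[acct] = {"first_alert": ts, "failures": len(q),
                             "caller_numbers": len({a for _, a in q})}
    return flagged

if __name__ == "__main__":
    events = build_sample()
    print("per-call limit flags:", per_call_lockouts(events))
    print("cross-call window flags:", slow_guessing(events))
```

On the constructed sample, the per-call limit flags nothing, while the cross-call counter alerts on the targeted account about a day into the activity and leaves the customer who mistyped once alone.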
One surprisingly effective but simple tactic people are seeing involves a one-time password (OTP) sent over text. Fraudsters have a simple workaround to get these codes: they call the target victim posing as the bank and tell the victim they will send an OTP to their cell phone to verify identity. At the same time, the fraudster uses another phone line to pose as the customer, telling the bank to verify them with an OTP. Once the bank sends the text to the actual customer, the customer divulges the number to the fraudster masquerading as the bank, who in turn repeats the correct code to the bank. It’s a simple technique for getting around an identifier once thought secure.
Other trends included elder abuse fraud on the rise, balance transfer fraud, and flooding a victim’s email inbox to mask the real email from their card issuer reporting purchases or transfers. The creation of synthetic identities is on the rise as well. Fraudsters use multiple sources to create a fabricated identity, which is then used to obtain loans, pay bills, and establish a credible history to avoid raising suspicion. Fraudsters patiently groom these identities to appear as real customers over time, until one day a fraudster decides to cash in the identity: they apply for a car or home loan, acquire the funds, and close their account, allowing the fake identity to be ruined while they walk away with a hefty sum. Whether doing recon work in the IVR or creating a credit history for a fake person, these examples show how patient fraudsters have become.
REGULATORS, MOUNT UP
Regulations to enforce proper security protocols are quite common in the card issuer industry. Many issuers face audits and compliance issues around the call center and throughout the organization. One particularly interesting issue facing the industry was how regulators view risky transactions. Card issuers are facing increasingly difficult questions around transaction types. What a regulator might consider risky, a card issuer may see as a preferable solution to a riskier alternative. Viewpoints on the amount of risk being introduced, and on what the appropriate strong authentication controls are, don’t always match between card issuers and governing bodies.
Another area of interest centered around regulations pertaining to voice, privacy, and opting in to services. As of now, voice printing crosses the privacy boundary in many situations. Adding to the issue is a misunderstanding of how voice printing actually works. Hesitation around deploying voice biometrics that stems from concern about protecting voice recordings is not well founded. Voiceprints are often numerical interpretations of a person’s voice pattern extracted by algorithms. Some fear that voices can be recreated from stored prints, which simply is untrue. Even with the algorithm in hand, a fraudster would find it extremely challenging, if not impossible, to recreate a voice from a voiceprint. Voiceprints often get confused with the actual recording of a person’s voice that the print is based on. Proper controls mandate that voice recordings should never be retained, while voiceprints pose less of a real threat. Privacy around voice still remains a hot-button issue for all, and more education is needed to help regulators see how the benefits of using voiceprints far outweigh the risks.
From tactical planning to strategy around voice commerce, ICX presenters and attendees created some memorable and highly interactive discussions with their peers. The event was positively reviewed by attendees and presenters alike. Interesting sessions ranging from FBI talks to technology discussions provided an engaging and stimulating summit. Pindrop was fortunate to bring this community together and looks forward to growing this community, delivering more thought-provoking ideas, and helping to drive the discussion to make the entire community more secure, more customer focused, and ultimately more successful. We enjoyed hosting everyone who was able to attend this year, and we look forward next year to meeting those in the community who were unable to attend.