March 25, 2019
The Madness of March | Will Your Authentication Solution Stand Up?
Each year in the spring, the NCAA holds a basketball tournament which is divided into brackets, and ultimately brings together two teams to compete in the National Championship – ending with a winner. Early on, viewers were invited to fill out a bracket of their own, in an attempt to correctly predict the outcome of the tournament in its entirety.
In the spirit of this madness, we’re presenting a different kind of tournament, one that puts a fraudster head to head with your authentication solution. Can you predict the winner?
This fraudster is known to distract the call center agent by using recordings of a crying baby as background noise. Is this caller a distressed stay-at-home mom, or is she up to something more sinister?
Passwords and PINs
To unlock an account, the call center agent requires a password or a PIN – a seemingly simple, straightforward request. Will the agent be able to stand their ground and get the right password to verify the account before handing over information?
The perceived stress of this caller manipulates the agent with elements of sympathy, allowing Mommy Dearest to avoid authentication processes. Mommy Dearest is an expert in social engineering, using the distraction from background noise and a sob story of not understanding why she wasn’t added to the account in question. Passwords and PINs have no standing against this fraudster, as the call center agent quickly buckles, allowing Mommy Dearest to access information without the required password and PIN.
This fraudster is known to hold 15-hour-long marathon sessions, using bots to guess birthdays to verify thousands of account numbers in the call center IVR. This will allow them to access account balances – and what they do with that information is all up to them.
To combat the manipulation and trickery presented by fraudsters, the call center agent asks a series of knowledge-based authentication questions, like “What is your mother’s maiden name?” These questions are intended to ensure that a fraudster isn’t trying to access an account that doesn’t belong to them. Will the agent be able to verify the caller correctly, or will Mr. Roboto present stolen information?
Knowledge-based authentication questions are no match for Mr. Roboto – after the marathon IVR session, the fraudster would have the answers to the KBAs and would have no problem accessing accounts. This proves that just because you know the answer to ‘what is your mother’s maiden name,’ doesn’t mean you are the person you say you are. This leaves Mr. Roboto with everything they need to take over your account, which can easily move into omnichannel fraud or identity takeover.
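The marathon IVR session described above leaves a recognizable trail in IVR logs: one caller touching many account numbers, failing many date-of-birth checks, and staying active for hours. The following detection sketch is an added example, not part of the original post; the log format, the thresholds and the choice to group by caller number (`ani`) are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own IVR traffic.
MAX_ACCOUNTS = 5               # distinct account numbers per caller
MAX_FAILS = 10                 # failed date-of-birth checks per caller
MAX_SPAN = timedelta(hours=4)  # first-to-last activity per caller


def parse(line):
    """Parse 'ISO-time ani=... account=... dob=ok|fail' (hypothetical format)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["ani"], fields["account"], fields["dob"]


def suspicious_callers(lines):
    """Return {ani: [reasons]} for callers that exceed any threshold."""
    seen = defaultdict(lambda: {"accounts": set(), "fails": 0, "times": []})
    for line in lines:
        ts, ani, account, result = parse(line)
        s = seen[ani]
        s["accounts"].add(account)
        s["fails"] += result == "fail"
        s["times"].append(ts)
    flagged = {}
    for ani, s in seen.items():
        checks = {"many_accounts": len(s["accounts"]) > MAX_ACCOUNTS,
                  "many_dob_failures": s["fails"] > MAX_FAILS,
                  "long_session": max(s["times"]) - min(s["times"]) > MAX_SPAN}
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            flagged[ani] = reasons
    return flagged


def constructed_log():
    """Constructed sample: one ordinary caller and one bot-like caller."""
    start = datetime(2019, 3, 1, 8, 0)
    lines = ["2019-03-01T09:15:00 ani=5550101 account=2001 dob=fail",
             "2019-03-01T09:15:40 ani=5550101 account=2001 dob=ok"]
    for i in range(60):  # 60 attempts, one every 15 minutes (about 15 hours)
        ts = (start + timedelta(minutes=15 * i)).isoformat()
        result = "ok" if i % 3 == 2 else "fail"
        lines.append(f"{ts} ani=5550199 account={3000 + i // 3} dob={result}")
    return lines


if __name__ == "__main__":
    print(suspicious_callers(constructed_log()))
```

The ordinary caller who mistypes a birthday once and then succeeds is not flagged; only the caller that trips the thresholds is reported, with the reasons attached for the fraud analyst.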
This fraudster has a split personality – one fraudster acting as both husband and wife. They are able to call in to add an “authorized” user to the account without having to authenticate first. They utilize voice morphing to match the gender of the target victim – will they be able to skate through a voice bio test without a problem? Or will voice bio stop them in their tracks?
Known to reduce call time, voice biometric technology is on the rise for authenticating customers. Voice biometrics can occur passively, or once the customer is enrolled, which will ultimately ease friction in the customer experience. Will the technology be able to stand up to the trickery of this fraudster?
With the assistance of voice morphing and social engineering, Mr. and Mrs. Smith navigated around voice biometrics. This fraudster covered their mistakes by pointing to their spouse’s involvement on the account as the reason for not having all of the correct information, and used voice morphing technology to play both roles of wife and husband to keep the ruse going with a call center agent. Social engineering allowed this fraudster to avoid voice biometrics and gain access to the account.
No matter which authentication method you were rooting for, there is one common denominator: they all lost. Fraudsters are constantly evolving with changes in technology, and methods like passwords and PINs, knowledge-based authentication questions, and voice biometrics don’t stand up. Passwords, PINs, and KBAs, to state it simply, are out of date – and belong in the age of computer interface, which is being replaced with the latest smartphone and voice technology. Even as we move into the age of natural communication being the way to dictate technology, voice biometrics are not foolproof – and should not be used as the only authentication solution.