Telephony going the Internet way is the title of this series of blog posts. In this concluding post on this topic, let us revisit the reasons for this title. First, it is about the changing underlying technology. With technologies like VoIP, we are increasingly using IP networks for transporting voice the same way the Internet uses these networks for moving data. More importantly, we see the same kind of security threats emerging for telephony that have been around for a while on the Internet/web channel (impersonation, social engineering etc.).
We have had more experience with securing the web channel and one thing experts will tell you is that it is an arms race. We come up with certain defenses and cyber criminals find a way around them. A multi-layered approach, that relies on multiple complementary defensive techniques has become the mainstay of Internet security. For example, you deploy your firewall and intrusion detection system and still have your anti-virus. It is quite likely that we will see the same kind of strategy evolve for protecting the phone channel in the coming year.
Phone fingerprints and voice biometrics can offer a multi-layered solutions because they can reinforce each other. Phone fingerprint relies on source and channel features that are more difficult to manipulate by an adversary. On the other hand, voice biometrics can provide improved accuracy when good quality audio from the call source is available. As the threat landscape shifts, we need to focus on combining features both techniques have to offer to get an effective authentication solution for the phone channel.
Also, there will be other kinds of evidence that will be helpful in raising the security bar. For example phone number reputation (like IP address and DNS reputation in the web world) could provide additional intelligence to determine the phone fingerprint or speaker features that would be most effective. As sophistication of attacks on the telephony channel increases in the future, organizations that opt for multi-layered solutions will be in a better position to securely authenticate requests coming into their call centers.
There is little debate in the community that we will need stronger authentication for requests coming into a call center. Speech research has yielded results and can be put to work to authenticate the caller at the other end of a conversation. We need to combine them with a variety of other techniques, including phone fingerprints, to plug the vulnerabilities that can be exploited to reduce the effectiveness of voice biometrics. Furthermore, the solutions we will develop will need to integrate easily with complex infrastructure that already exists in the call center environment.
And beyond the call center, some of these techniques will be useful to improve security for end-users. This is currently a need and, as the call center becomes better protected and attackers shift to even more attacks against consumers, it will be a requirement. Fortunately, this will contribute to a “virtuous circle”, with all participants in the phone channel sharing information and protection.
In summary, it is critical that we start with a security mindset as we work to deal with the challenge of securing the telephony channel. Solutions providers who ignore the fact that threats over the phone channel will continue to grow in sophistication the same way as the web channel, will find their products fare poorly in real world settings. At Pindrop, we started with a security mindset and we are building our phone fingerprint based solutions to work alongside voice biometrics to proactively address the threats that will come over this channel.