


On track to save company nearly $10M in fraud losses
The Challenge
This retailer is one of the world’s largest brick-and-mortar organizations with one of the fastest growing and most dynamic e-commerce organizations. With a large portion of the U.S. population living in close proximity to its stores, the retailer is primed to combine physical locations with e-commerce business to offer a level of convenience never before seen. The retailer has also continued to pursue ways to bring technology into retail to offer customers a seamless shopping experience across its stores and e-commerce websites.
The rise and prevalence of social engineering in the e-commerce and retail industry was a major concern. A LexisNexis® Risk Solutions study1 found that U.S. e-commerce merchants have been hit with the highest fraud costs, with nearly half (47%) related to replacing/redistributing lost goods2. The Pindrop® Voice Intelligence and Security Report, 2023 also reinforced this threat. The report states that retail has a fraud rate of 1 in 99 calls, which is seven times higher than the next highest industry (banking) at 1 in 749 calls. Retail is vulnerable to various fraud risks, including return fraud, e-commerce fraud, and debit/credit card fraud.
The Solution
Utilizing the Negative VoiceID solution at this retailer, Pindrop has identified several prolific and repeat fraudsters who were using multiple caller IDs to attack the call center. For example, a fraudster “Salao Khan” made 5 separate phone calls from 5 different ANIs within 3 weeks using 4 different names. “Salao Khan” was trying to socially engineer the agent into processing fraudulent returns for missing items. By matching this fraudster’s VoiceID across the phone calls, Pindrop produced a Negative VoiceID which allowed the retailer to stop the fraudster from succeeding with the transaction and further investigate the velocity of accounts that the fraudster had already nested (see table on next page for additional examples).
In just the first few weeks of utilizing the new feature, Pindrop has identified 86 distinct fraudsters that have placed 8,906 calls from 6,049 unique devices/ANIs, putting the retailer in a position to close thousands of accounts and prevent a significant amount of fraud losses associated with the orders placed by these accounts3.
For e-commerce companies, an astonishing 14% of returns have been found to be fraudulent4. Estimates from the National Retailers Federation reveal that e-commerce return fraud may cost US retailers $23 billion annually5. The retailer was specifically concerned about this trend of bad actors extracting fraudulent concessions (refunds, replacements, adjustments, promos, gift cards) by deploying social engineering tactics in the call centers.
Pindrop detected 22% more fraud than any other vendor
To solve this problem of returns fraud and refund abuse, the retailer decided to test the leading fraud detection and authentication solutions.
The retailer shortlisted three vendors. To evaluate the vendors, the retailer sent audio files of previous customer contacts (including confirmed fraudulent contacts) and asked the vendors to provide risk scores for each contact along with additional risk signals such as voice clustering, ANI reputation, calling patterns, and carrier type.
The Pindrop solution was able to detect 22% more fraud than the closest comparable solution (Vendor B), with a false positive rate that was 58% lower than that of Vendor B. After fully implementing the solution, the Pindrop solution further reduced the false positive rate to less than 5%.
Based on the evaluation of these results, Pindrop’s willingness to work closely with the fraud team and Pindrop’s exceptional team, the retailer chose Pindrop as its vendor to help stop concessions abuse and fraud in the contact center.
The situation before Pindrop
The retailer faced a growing volume of fraud in the contact center. 1 in every 60 calls that came into the contact center was fraudulent. Many of the fraudsters utilized a “Concessions Abuse as a Service” model that targets large e-commerce merchants with robust customer service who are more willing to risk a financial loss in exchange for customer satisfaction. The fraudsters were targeting this particular retailer due to its large e-commerce volume and customer-friendly practices and were going after accounts that closely resembled those of loyal customers. As a result, the retailer faced the challenge of losing millions of dollars and putting the brand at risk.
How does Pindrop do it?
To help the retailer solve this fraud problem, Pindrop utilizes a multi-factor platform that includes the voice, device, behavior, and several data risk models of the caller that produce a risk score on every call in real time. Producing a multi-factor risk score in real time for the retailer allows it to route calls from the IVR to a group of specific contact center agents that it wants to service that call. The agents have all the tooling and trained skills necessary to review all of the account information needed to accurately disposition the calls as fraudulent.
In addition to the multi-factor risk platform, Pindrop developed and operationalized a new feature called “Negative VoiceID” to identify when a single fraud voice is attacking multiple times over a given period of time. Pindrop Protect continues to utilize voice analysis and matching, comparing the voice features of the current caller to a set of negative voice profiles trained on confirmed fraud cases, which influences the risk score associated with the current call. The Negative VoiceID match is a risk factor that is particularly useful for identifying a fraudster when tactics are used to change or mask the calling device, location, or phone number, but the same fraudster is speaking.
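The two mechanisms described above, a multi-factor risk score that drives IVR routing and a voice-cluster velocity check that keeps flagging a caller after the ANI or device changes, are illustrated by the following added example. It is not Pindrop’s code and does not reproduce any Pindrop model; the voice-cluster label on each record is assumed to come from an upstream speaker-matching step, the factor weights, thresholds and 21-day window are assumptions, and the call records are constructed to mirror the “5 ANIs, 4 names, 3 weeks” pattern from the Solution section:

```python
"""Added example (not Pindrop code): a toy multi-factor call risk scorer with a
"negative voice ID" velocity check, run over constructed call records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample calls. Each record carries a voice-cluster label (assumed to
# be produced by an upstream speaker-matching step) plus per-factor risk
# signals in [0, 1], where 1 is the riskiest.
CALLS = [
    # Genuine caller: same ANI and name every time, low signals.
    {"call_id": "c1", "ts": "2023-05-01T10:00", "ani": "+15550100001", "name": "Pat Lee",
     "account": "A-100", "voice_cluster": "VC-1", "device": 0.1, "behavior": 0.1, "ani_rep": 0.0},
    {"call_id": "c2", "ts": "2023-05-09T14:30", "ani": "+15550100001", "name": "Pat Lee",
     "account": "A-100", "voice_cluster": "VC-1", "device": 0.1, "behavior": 0.1, "ani_rep": 0.0},
    # One voice, five ANIs and four names inside three weeks.
    {"call_id": "c3", "ts": "2023-05-02T09:00", "ani": "+15550200001", "name": "S. Khan",
     "account": "A-201", "voice_cluster": "VC-7", "device": 0.6, "behavior": 0.7, "ani_rep": 0.5},
    {"call_id": "c4", "ts": "2023-05-06T11:00", "ani": "+15550200002", "name": "Sam Kay",
     "account": "A-202", "voice_cluster": "VC-7", "device": 0.6, "behavior": 0.7, "ani_rep": 0.5},
    {"call_id": "c5", "ts": "2023-05-10T16:00", "ani": "+15550200003", "name": "S. Khan",
     "account": "A-203", "voice_cluster": "VC-7", "device": 0.6, "behavior": 0.7, "ani_rep": 0.5},
    {"call_id": "c6", "ts": "2023-05-15T12:00", "ani": "+15550200004", "name": "Sal Kahn",
     "account": "A-204", "voice_cluster": "VC-7", "device": 0.6, "behavior": 0.7, "ani_rep": 0.5},
    {"call_id": "c7", "ts": "2023-05-20T08:00", "ani": "+15550200005", "name": "Salo Khan",
     "account": "A-205", "voice_cluster": "VC-7", "device": 0.6, "behavior": 0.7, "ani_rep": 0.5},
]

# Assumed weights and routing thresholds for the toy score.
WEIGHTS = {"device": 0.25, "behavior": 0.25, "ani_rep": 0.20, "negative_voice": 0.30}
ROUTE_HIGH, ROUTE_MEDIUM = 70.0, 40.0


def negative_voice_clusters(calls, window=timedelta(days=21), min_anis=3):
    """Return {voice_cluster: summary} for clusters whose calls, within some
    span no longer than `window`, came from at least `min_anis` distinct ANIs."""
    by_cluster = defaultdict(list)
    for c in calls:
        by_cluster[c["voice_cluster"]].append((datetime.fromisoformat(c["ts"]), c))
    flagged = {}
    for cluster, items in by_cluster.items():
        items.sort(key=lambda t: t[0])
        best = None
        for i, (t0, _) in enumerate(items):
            # Sliding window starting at each call; keep the widest ANI spread seen.
            span = [c for t, c in items[i:] if t - t0 <= window]
            anis = {c["ani"] for c in span}
            if len(anis) >= min_anis and (best is None or len(anis) > best["anis"]):
                best = {"anis": len(anis),
                        "names": len({c["name"] for c in span}),
                        "accounts": sorted({c["account"] for c in span}),
                        "calls": len(span)}
        if best:
            flagged[cluster] = best
    return flagged


def risk_score(call, flagged):
    """Weighted multi-factor score in [0, 100]. The negative-voice factor is 1.0
    when the caller's voice cluster is flagged, regardless of ANI or device."""
    neg = 1.0 if call["voice_cluster"] in flagged else 0.0
    total = (WEIGHTS["device"] * call["device"] + WEIGHTS["behavior"] * call["behavior"]
             + WEIGHTS["ani_rep"] * call["ani_rep"] + WEIGHTS["negative_voice"] * neg)
    return round(100.0 * total, 2)


def route(score):
    """Map a score to an IVR routing decision."""
    if score >= ROUTE_HIGH:
        return "fraud_team"
    if score >= ROUTE_MEDIUM:
        return "trained_agent_queue"
    return "standard_queue"


def triage(calls):
    """Score every call with the current negative-voice set and return routes."""
    flagged = negative_voice_clusters(calls)
    return {c["call_id"]: route(risk_score(c, flagged)) for c in calls}


if __name__ == "__main__":
    flagged = negative_voice_clusters(CALLS)
    for cluster, summary in flagged.items():
        print(cluster, summary)
    for call in CALLS:
        s = risk_score(call, flagged)
        print(call["call_id"], call["ani"], s, route(s))
```

Without the negative-voice factor the VC-7 calls score 42.5 and would only be routed to the trained agent queue; the voice match lifts them to 72.5 and sends them to the fraud team even though every call used a fresh ANI, which is the point the section makes about masked devices and numbers. The summary for a flagged cluster also lists the accounts it touched, the “velocity of accounts” an investigator would review next.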
Using the core Pindrop Protect multifactor platform, along with the Negative VoiceID feature, the retailer is on track to save >$10 million in fraud losses8 and an additional $1 million in chargeback processing in just the first year of utilizing the Pindrop solution.
What’s next
The retailer wants to use Negative VoiceID not just to identify and investigate fraud incidents but to also block these accounts from being opened and utilized for fraud. In addition to identifying these fraudulent accounts and the volumes of fraudulent returns that are processed, the retailer also plans to block these calls from making it to any customer care agents so as to eliminate or significantly reduce the call center agent handle time.
The retailer is planning to expand Protect and the Negative VoiceID feature to other lines of business and geographical locations to protect its business from these prolific fraudsters and to enhance the genuine customer experience, which will allow the retailer to achieve its targeted goal of reducing fraud losses by 3x.
Sources Cited
1. https://risk.lexisnexis.com/insights-resources/research/us-ca-true-cost-of-fraud-study
2. https://orbograph.com/lexisnexis-report-cost-of-fraud-is-on-the-rise-since-the-pandemic-set-in/
3. Pindrop analysis of fraud calls at large US retailers for 4 weeks in 2023
4. ECR Community Buy Online, Return in Store, The Challenges and Opportunities of Product Returns in a Multichannel Environment, 2019
5. National Retailers Federation survey on cost of retail returns, 2022
6. Results from a pilot study conducted by top US retailer comparing Pindrop’s fraud detection rates against two other vendors
7. Pindrop Voice Intelligence and Security Report, 2023
8. Forecasted annualized savings based on Pindrop’s fraud detection rate applied to total call volume and average industry fraud losses
Using Pindrop® Protect and Pindrop® Passport, Michigan State University Federal Credit Union, an 86-year-old organization with $7.7B in assets and a Five9 customer, reduced average Member Authentication Time by 50% (from 90 seconds to 45 seconds) in 90 days. Pindrop® solutions streamlined the call handling process, enabling agents to quickly authenticate callers, reducing the time spent on each call and providing a superior fraud case investigation system that helped improve case management efficiency.
Michigan State University Federal Credit Union (MSUFCU), a forward-thinking, member-first and technology-oriented organization, wanted to modernize its member authentication process as part of a broader organizational transformation to focus on member experience. Additionally, it wanted to stay ahead of fraud trends by adopting an industry-leading fraud and deepfake detection solution. Our Pindrop® Passport solution helped MSUFCU improve customer satisfaction and NPS scores, as well as improve agent productivity by reducing member authentication time by +50% (from an average of 90 seconds to 45 seconds in the first three months of implementation). For +40% of the calls with a full profile match of callers, MSUFCU was able to reduce authentication time by 78 seconds, down to an efficient 12 seconds. Pindrop® Protect provided MSUFCU an efficient way to manage fraud alerts, and to increase case management efficiency by providing data and insights on fraud cases.
About the Credit Union
MSUFCU was established in 1937 to provide a safe place where members could borrow and save money. For the past 86 years, MSUFCU has built strong relationships with its members. The credit union serves important life goals of its members, such as helping them purchase their first car, home, or saving for their children’s education.
As a member-owned and governed financial cooperative with $7.7B in assets, +360k members, and 1,300 employees across 32 locations, MSUFCU is driven to provide superior experience and financial security to its members. It recently undertook a digital transformation initiative to convert its member service technology stack, including the phone channel, to the Cloud to better serve its members. MSUFCU reached out to Pindrop for help with modernizing its member identity verification process as part of the transformation, and to help ensure the safety of its members from the rising threat of external fraud.
Challenges
Member Experience
As MSUFCU was in the early stages of its implementation with Five9, it quickly identified member experience as an opportunity for improvement. Members, as well as employees, felt that there was an opportunity to make the authentication process run more smoothly. For example, members felt that they were being asked too many questions to prove their identity, while the employees (agents) felt that this high-friction process adversely impacted their relationship with members, making it difficult to offer them new products and services. Beyond this friction, contact center employees felt that they were being asked to identify red flags and risks in those member interactions, a task for which they were not fully equipped.
Proactive Fraud Detection
The credit union also identified contact center fraud detection as an area where it needed new and better technology to strengthen the organization’s overall security posture. Contact centers are under threat from potential fraudsters, with a more than 60% increase in fraud attacks between 2021 and 2023. Credit unions in particular have seen a sharper increase in fraud, with a more than 71% increase during the same period. MSUFCU was aware of these threats and wanted to enhance protection for its contact centers. Account reconnaissance was also an area of concern. The MSUFCU fraud team wanted to increase its fraud detection and case investigation efficiency to deal with fraud alerts more efficiently. Lastly, the credit union wanted to empower call center agents with automated processes, including tools and technology to identify at-risk interactions without impacting their ability to serve trusted members.
Goals
MSUFCU had three goals as they sought a new solution:
- Improve member experience via frictionless, real-time authentication
- Reduce voice and cross-channel fraud without adding friction to member experience and burdening employees with additional work
- Reduce costs by increasing operational efficiencies
With these goals in mind, MSUFCU wanted to prepare for a state of fraud detection and member authentication that would help it evolve for the future: proactively detecting and mitigating fraud activity versus reacting to events on a passive, case-by-case basis, and ensuring that its fraud defense was ready for future threats like deepfakes. It also sought a solution that enabled expanded self-service options for members in the future.
Before Pindrop® Solutions
MSUFCU started modernizing their technology infrastructure by migrating to the Five9 Cloud Contact Center. As part of this migration, an important question was how to modernize the member authentication experience alongside this transformation.
In the existing process, agents verified members by asking common security questions like the member’s name or account number, or asked them to repeat security phrases. The agents also had the flexibility to ask members about recent transactions or “out of wallet” questions, which are questions outside of the usual identification points like account numbers or SSNs that are meant to be known only to the intended users. However, agents struggled to ask good questions that gave confidence in the member’s identity, and the members themselves were unhappy about being asked so many questions. The existing authentication process was not only hurting member satisfaction, but also affecting agent productivity. With the declining tenure of the average call center staff, there was a growing cost to train new staff. Every additional minute spent by the agents on the phone due to longer authentication time was further adding to this cost.
Call Duration Increased by 40%
The total average call duration at the credit union had increased to 8 minutes 30 seconds, up from 6 minutes four years earlier. Of that, 90 seconds was typically spent on member authentication. The lack of visibility in the Interactive Voice Response (IVR) and Intelligent Virtual Assistant (IVA) was also costing MSUFCU the opportunity to increase self-service and reduce agent-handled calls.
Fraud Risk Continued to Grow
Despite increasing handle times, the security team was concerned about the growing risk of fraud, both in the contact center and at the organizational level. For example, MSUFCU teams had observed instances of fraudsters performing reconnaissance in the self-service channels, like asking general questions about the credit union’s processes. The team found that fraudsters had gathered considerable information about the fraud department team, as well as how the credit union functioned.
Deepfakes were also top of mind for MSUFCU as it prepared for a future, ‘fraud-ready’ state. According to Pindrop customer data, +200k synthetic calls out of 21M agent-handled calls analyzed were found in just 30 days of tracking, which demonstrated a growing problem. Moreover, with the rise of generative artificial intelligence and advanced text-to-speech systems, synthetic audio has become more realistic, cost-effective, and scalable1.
Such a high level of synthetic call activity poses a significant risk of fraud to contact centers and teams. MSUFCU wanted a solution at the forefront of combating the threat of deepfakes.
Why Pindrop
Pindrop is leading the charge on deepfake fraud
MSUFCU chose Pindrop because of its single platform for both fraud detection and authentication, as well as its leadership in deepfake detection. “Pindrop just seemed to be more forward-thinking than the other vendors we looked at. For example, their work surrounding deepfakes was considerable, and it seemed like they were leading the charge more so than the competition.” – Colleen Pitmon, VP of Call Center, MSUFCU
Passive, Multi-Factor Authentication
Another factor that helped seal the deal for MSUFCU was Pindrop’s passive, multi-factor authentication solution, Passport. During its cloud transformation, MSUFCU wanted to adopt and leverage voice analysis to improve its authentication process without having to require members to enroll or authenticate by saying “my voice is my password.” After evaluating other vendors, MSUFCU chose Pindrop for its frictionless, passive authentication system, which aligned with its forward-looking fraud strategy.
The credit union also found Pindrop’s seamless implementation, advisory, and project management expertise to be a strong differentiator. For example, MSUFCU wanted a partner who could fit into its agent desktop user interface (UI) experience, and Pindrop’s agent desktop integration with the credit union’s cloud provider was exactly what it was looking for. According to MSUFCU, Pindrop was incredibly knowledgeable in shaping and building the workflows it needed. “We really appreciated the knowledge, expertise and guidance that the [Pindrop] team brought to every interaction. Their team was phenomenal in meeting every deadline.” – Colleen Pitmon, VP of Call Center, MSUFCU
The Right Partner to Help Reduce Expensive, Manual Authentication
MSUFCU found Pindrop to be the right partner to help with the evolution of its member authentication processes. After streamlining the agent-led authentication process, the credit union plans to encourage members to utilize more self-service options through its Five9 IVA. MSUFCU sees a lot of potential in conversational AI technologies to drive an increase in member self-service, and plans to use Pindrop authentication to confidently service more transactions in the IVA.
Why did the credit union go with Pindrop?
- Technology and industry leadership in deepfake detection solutions
- Passive, frictionless authentication technology
- Strong operational, project management and industry expertise
What ROA did Pindrop® Solutions deliver?
“On the very first day, one of our agents shared that the calls ‘felt so much better.’” – Colleen Pitmon, VP of Call Center, MSUFCU
Since deploying Pindrop’s fully integrated authentication and fraud detection solution, the credit union has significantly reduced the average handle time, provided a better platform for fraud call handling and investigation and helped improve the member experience and satisfaction scores.
Launched in August 2024
After deploying Pindrop® Protect and Pindrop® Passport, MSUFCU experienced significant benefits in member authentication, service satisfaction and fraud detection. MSUFCU’s members are no longer required to answer lengthy questions. Pindrop solutions reduced the average member authentication time by 50%, from 90 seconds to 45 seconds. For 40% of the calls that had a full profile match of the callers, Pindrop helped reduce authentication time from 90 seconds to 12 seconds (an 86.67% reduction). Even without a profile match, MSUFCU was able to reduce Average Handle Time (AHT) by 38 seconds using risk-based authentication from Pindrop. This reduction helped contribute to a surge in member satisfaction, Net Promoter Score (NPS) and Effort (how easy members find it to accomplish what they need) scores. The overall satisfaction rating grew from 4.47 to 4.56 (from August 2024 to September 2024, two months after implementing the Pindrop solution), the NPS rose from 55 to 63 during the same period, and the effort score grew from 4.13 to 4.26. These scores have been sustained in the following months as well, with NPS reaching 65. The improved authentication has not only helped MSUFCU improve member satisfaction, but has also contributed to reducing an estimated $561,600 in annualized operational costs by lowering average call handle time.
Additionally, the credit union’s agent experience improved. By leveraging low-risk signals from Pindrop solutions, the credit union was able to remove 20 seconds of average handle time from the authentication process within 4 hours of going live, which helped open up time for agents to focus on their core activity of helping members. “An agent said on the very first day that the calls felt so much better and then that helped them to offer more products and services to members, which is a huge thing, both for what our members need and for the organization.” – Colleen Pitmon, VP of Call Center, MSUFCU
Since the deployment of Pindrop Protect, the credit union has experienced improved visibility into fraud activity, and a superior workflow for managing its fraud investigations. With the help of Protect, MSUFCU discovered the fraud rate in its contact center was 1 in 1,900 calls (versus an industry average of 1 in 976 calls). Previously the credit union received fraud alerts from the call center, but it had limited access to data to understand the nuances of the fraud, which hindered investigation efficiency. The Pindrop fraud detection platform provided a great user experience, with configuration flexibility and drop-down menus, for the fraud investigation team to manage cases and navigate a fraud call. “The data is all right there. Overall, the biggest win for us is just the efficiency gains in terms of navigating our investigations.” – Jamie Smathers, VP of Fraud Prevention, MSUFCU
With the deployment of Pindrop Passport, MSUFCU authenticated 49,907 calls in October 2024, of which 19,129 calls were authenticated with a full profile match rate of 88.41% and 30,778 calls were authenticated with Low Risk Policies, for an overall authentication rate of 92.99%. Within just a one-week period, Pindrop Protect alerted MSUFCU on inbound fraud calls, protecting accounts with over $500k in total funds at risk.
Sources Cited
1. https://www.pindrop.com/blog/Introducing-Pindrop-Pulse-Inspect
Pindrop® Passport saves millions in average handling time savings
The Challenge
Huge Insurance Co., one of the largest insurance companies in the U.S., was experiencing unnecessarily high average handle times, causing serious slowdowns in customer resolutions.
To make matters worse, failed attempts at protecting customer data drove service agents, analysts, and leadership at the organization to distrust their existing processes for validation and identification. Huge Insurance Co. needed a solution that could speed up time to resolution, reduce average handle times, and restore confidence in its ability to protect customer data.
The Solution
Understanding the advantage multifactor authentication provides your contact center is paramount when addressing today’s challenges. Verification of identity curbs fraud costs and can facilitate time saving and consumer-focused benefits for organizations of any size, and passive multifactor authentication is the best and most effective way.
We’ve compiled data from a well-known yet anonymized Pindrop customer to illustrate how Pindrop Passport made an impact on their consumer experience and improved operational efficiency. Because of the nature of our business we have shielded our client’s name; reach out if you want to learn more about this case and its outcome.
Huge Insurance Co. was seeking help in three main areas:
- Huge Insurance Co.’s reliance on KBAs not only agitated customers but caused operational inefficiencies as a result of the time-consuming inquiries forced during every incoming call.
- Customer service agents began to distrust their outdated authentication procedures and were forced to become detectives with only KBAs as tools to discern genuine callers.
- Every incoming caller was asked a minimum of four knowledge-based authentication questions, causing unnecessarily high average handle and hold times.
Benefits of Pindrop
- Pindrop® Passport requires no human interaction
- Passive Authentication empowers agents
- Reduction in AHT leads to cost savings
“Pindrop has helped us tremendously improving the user experience for our callers and is a critical part of our caller authentication ecosystem.” – Fraud Operations Head
Pindrop helped save $864K + authenticated 88% of calls
By authenticating 88% of eligible calls for Huge Insurance Co. passively and before they were connected to an agent, Passport restored trust among staff and customers within the contact center. In addition, after implementing Pindrop Passport for (length of time), Huge Insurance Co. saved $864,000. Passport nearly eliminated KBAs, strengthened frontline defense, and reduced costs for this customer.
How we do it
Passport uses proprietary multifactor authentication processes, leveraging thousands of factors for the identification of incoming callers.
Infographic (figures not captured in this text): calls per year, cost savings, saved per call.
Trailblazing the customer experience and protection in insurance
The Challenge – Insurance
Prior to 2015, account takeover (ATO) fraud prevention was not something the Company was directly focused on. Fraud investigations were focused on more “traditional” insurance fraud, such as application misrepresentation and false claims.
However, in 2015, the Company and several others in the insurance industry experienced a significant contact center based ATO “whaling” attack by fraudsters. “Whaling”, which is “phishing” with a higher profile of targets, entailed impersonating multiple, high profile clients of the Company, including members of the Company’s Board of Directors.
This event was an eye opener and made the Company realize that fraud prevention needed to become a central focus. At that point, authentication methods were unsophisticated, often consisting of nothing more than asking callers for basic personal information such as date of birth and social security number; customer service representatives were not trained on how to detect fraud red flags; and there were virtually no fraud controls or technologies implemented. This environment, coupled with the continuously evolving tactics of fraudsters, was making the Company more and more prone to breaches.
The Solution – Positive Impact with Pindrop
As a response to this increasing risk, a small fraud team was established in 2015, initially focusing on call center activity as the Company didn’t have a strong online capability yet at that time. One of the first actions that the Company’s newly formed Fraud Team took was to scan the market for potential technology solutions. Pindrop was introduced to the Company through a partner and following a successful trial period, the formal relationship began in late 2016 with Pindrop’s anti-fraud solution. Rolling out Pindrop’s anti-fraud solution was the first move to protect customers that was not manual.
The initial goal of the effort was to stop as much fraud as possible. The immediate results were great; the return on investment was significant and some serious fraud attempts were stopped. In 2017 alone, Pindrop’s anti-fraud solution detected over 250 fraudulent calls, an increase of almost 400% from prior year, and more than $40 million in customer account value was protected from fraudsters.
Improving the customer experience while gathering new data
Since December 2019, the Company has realized significant benefits from Enhanced Authentication, including:
- Operational cost savings of $1.2 million, more than double our initial goal of $500 thousand
- $38 million in customer assets protected from fraudulent attempts
- $1.6 million in fraudulent disbursement attempts stopped
With Pindrop as a key partner, the Company set out to implement a brand new authentication technology ecosystem, dubbed “Enhanced Authentication” or “EA”. The main goals were improving security to stop fraudsters while simultaneously enhancing the experience for legitimate customers by reducing friction and reducing or eliminating the time CSRs had to spend manually authenticating callers.
The three key features of the effort were identity proofing utilizing a phone ownership verification service and both threat detection and multi-factor authentication utilizing Pindrop’s authentication solution. The Company’s longer-term strategy also included enhancing digital capabilities and enabling more self-service opportunities in the interactive voice response (IVR).
Even in just the pilot stage of this Enhanced Authentication effort, the Company was able to achieve an average authentication rate of over 80% for enrolled callers. It also helped the Company gather intelligence about the activity occurring in the IVR that they previously had no visibility into.
Targeting the optimal customer experience
In 2015, the Company relied solely on traditional knowledge-based authentication based on questions generated from a wider base of personal information. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time, whereas the true person forgets the correct answers 20-40% of the time. Furthermore, situations in which not knowing a policy number meant no service led to a terrible customer experience.
Starting in 2016, the Company developed and began implementing a more holistic fraud prevention, identity proofing and authentication strategy. When it came time to select vendors to support that strategy, the success of the anti-fraud solution already in place and the mutual trust between the Company and Pindrop led to the relationship extending into the authentication space – formally live in 2019.
Future outlook
The Company’s next goals with Enhanced Authentication include improving efficacy by increasing the percentage of their customers who claim an ID to the same level as its peers in the banking industry, and deploying Enhanced Authentication to both additional call centers and additional personas. The Pindrop relationship has been a key contributor to the great benefits the Company has realized thus far and those benefits are only expected to increase as the Company deploys and enhances EA further.
The Company’s long-term vision entails creating full profiles for every customer and building relationships based on that profile, allowing the Company to target the optimal customer experience based on customer preferences with an omni-channel focus, including the digital channels while providing best-in-class security.
How did Pindrop help the company?
Pindrop has been an integral part of the Company’s pioneering efforts in the insurance industry at a point in time when technology was not widely used to assess risk or identity proof and authenticate customers. More importantly, Pindrop has enabled the Company to prevent millions of dollars in fraud, provide industry-leading security, and optimize the customer experience.
1. IVR Adapted Technologies Identify Fraudsters in Real Time: Pindrop Protect provides multiple layers of security and protection for the call center. Protect combines 5 technology engines into one platform which analyze risk across time and accounts to determine if an incoming caller exhibits anomalies that indicate high-risk or suspicious behavior, activities, fraud or fraudulent reconnaissance.
2. Passive, Multi-factor Authentication: Pindrop Passport eliminates or significantly reduces traditional authentication methods and the unwanted customer friction they bring, replacing them with a multi-factor authentication solution. Passport improves overall customer experience and hardens the call center to attacks. Authentication, utilizing Deep Voice(TM) Biometrics, happens in the background, reducing call handle times, saving operational costs, and increasing agent efficiency.
Saving 8.5 Million minutes in handle time and cutting ATO losses by account in half
The Challenge
Before Pindrop, FNBO had nothing in place to detect phone fraud through the IVR (interactive voice response) or even into the call. Their approach was reactive rather than proactive. They used traditional authentication, including “out-of-wallet” questions. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time, whereas the actual person forgets the correct answers 20-40% of the time.
FNBO relied heavily on one-time passwords (OTPs), even with genuine customers. The OTPs were hurting the customer experience and adding two minutes to the average handle time (AHT) while still getting beaten by fraudsters.
The Solution
Within the first year of the Pindrop relationship, FNBO saw significant results: 4,000-5,000 fraudulent calls a month bypass the call center agents and go directly to the fraud team. That relieved significant pressure on the agents, who no longer need to be fraud experts.
OTP usage decreased by 75%, and overall AHT decreased by 30 seconds. Across their annual volume of 17 million calls, that meant a reduction of 8.5 million minutes in total handle time.
Even though FNBO did not consider ATO a problem before working with Pindrop, their ATO recognition rate increased by 59%. Their total ATO losses decreased by 16%, and the average ATO loss per account decreased by 47%.
Creating a personalized + secure customer experience
FNBO plans to create a more personalized experience for their customers who call the contact center utilizing Pindrop’s passive authentication solution for maximum identity assurance with minimal customer effort.
Another priority is adding “voice” to the IVR to expand self-service options for customers, with Pindrop providing the security and identity layer for this improved customer experience.

Flawless IVR Call Risk Model
IVR adapted technologies identify fraudsters in real-time
For the IVR, Pindrop Protect uses multifactor analytics developed specifically for the IVR environment and runs in the background of every call. Protect combines 5 technology engines into one platform that analyzes risk across time and accounts to determine whether an incoming caller exhibits anomalies indicating high-risk or suspicious behavior, fraud, or fraudulent reconnaissance.
“Pindrop performed 34% better for us than what we projected in fraud loss cuts.”
Steve Furlong, Director of Fraud Management
Passive, multi-factor authentication
Pindrop Passport eliminates or significantly reduces traditional authentication methods and the unwanted customer friction they bring, replacing them with a multi-factor authentication solution. Passport improves overall customer experience and hardens the call center to attacks.
Authentication happens in the background, reducing call handle times, saving operational costs, and increasing agent efficiency.
What’s next
FNBO plans to improve account monitoring by using Pindrop as a central investigation tool, verifying suspected ATO and fraudulent applications surfaced by any other systems that use account risk.
As FNBO expands its business lines, it intends to use Pindrop for call risk and account risk intelligence on phone lines in addition to their toll-free numbers.
About FNBO
First National Bank Omaha (FNBO) is a subsidiary of First National of Nebraska. It is the largest privately held bank subsidiary in the United States. First National of Nebraska has grown to nearly 5,000 employees with locations in seven states and $24 billion in assets. First National Bank of Omaha has been ranked “Highest in Customer Satisfaction with Retail Banking in the Midwest” by J.D. Power, named a MONEY Best Bank in the Midwest, and rated one of Forbes Best Banks in America.



Combined with Protect, Fraud Loss Avoidance and Passport Authentication, CommunityAmerica Credit Union’s benefits add up to high cost savings!
The Challenge
CommunityAmerica Credit Union is a beloved and trusted local credit union that provides products and services to its extended Kansas City family. Its commitment to serving, supporting and protecting the finances of this family has made CommunityAmerica Credit Union an attractive and trusted institution for everyday people in Kansas City.
CommunityAmerica Credit Union’s member focus has driven them to search for ways to continue to simplify member service and support; to improve data protection for the members they consider extended family. That focus and genuine care have now transformed into tangible advanced technologies that are delivering improvements across the organization. CommunityAmerica Credit Union is delivering frictionless, brand strengthening, member service and comprehensive, flexible, and predictive consumer data protection with Pindrop.
The Solution
Like many financial organizations, CommunityAmerica Credit Union recognizes the high risk that fraud presents within the call center. As call volume spiked due to rapid changes in member service caused by health concerns and mandated shutdowns, CommunityAmerica Credit Union sought out solutions to its evolving security challenges: preventing unauthorized access and account takeover, mitigating fraud loss and associated costs across channels, and instantly verifying member identity, which shows up downstream as faster resolution, improved member effort scores, and operational savings. With Pindrop’s comprehensive, flexible, and predictive fraud technology, CommunityAmerica Credit Union is delivering frictionless, brand-strengthening service to its membership.
Our partnership + challenges
Pindrop solutions verify members passively before connecting them to agents, predict fraud 60 days before it occurs, identify at-risk accounts to thwart organized fraud rings, and enable fraud teams to stop fraud loss in real time, reducing fraud-related costs and improving efficiency with false-positive rates below 1%.
Through this partnership, CommunityAmerica Credit Union reduced and prevented fraud losses, improved membership service metrics, and strengthened brand trust with their KC family by preventing fraudulent activity across channels and removing roadblocks to quick, personalized, and secure issue resolution.
Pindrop Protect quickly surfaced fraud patterns and volumes that were highly actionable. The user interface is easy enough that the credit union’s fraud analysts can see the details of each call and which factor drove the highest risk scores. With the phone-channel insights Pindrop Protect provides, an analyst can immediately block transactions and requests in other channels, such as in-app and wire transfers, as well as IVR services. In less than one year, the credit union measured its ability to prevent fraud attacks on over $56M in assets with Pindrop.
Protect leverages multiple factors to analyze thousands of data points using 5 unique technology engines:
- Device – PhonePrinting: Analyzes over 1,300 characteristics of a call’s full audio to determine risk and catch first-time fraud
- Voice – Deep Voice: Next-gen voice identification, optimized for noisy conditions, speaker aging, & multi-voice enrollment
- Metadata – Network Analysis: Analyzes ANI risk/velocity, account and carrier risk, smart white/blacklisting, phone number reputation
- Connections – Trace Technology: Graph analysis of relationships between activities, accounts, and calls across time.
- Behavior – Heuristic Analysis: Non-monetary transactions, robotic dialing, key press habits
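The velocity and graph engines in the list above are described only at the feature level. As an added illustration (not Pindrop’s engine or code), the following Python links call records that share an ANI, an account or a voice-match label into clusters, then measures how many distinct ANIs a cluster used inside a rolling window, which is the kind of signal that separates an ordinary repeat caller from a fraudster rotating numbers and names. The records, the voice_cluster label (assumed to come from an upstream voice-matching step), the field names and the thresholds are all constructed for the example.

```python
"""Link analysis and ANI velocity over call-center records.

Added illustration, not Pindrop's engine: a generic version of the
"ANI velocity" and "graph of activities, accounts and calls" ideas.
All records, field names and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. voice_cluster is an opaque label that an upstream
# voice-matching step is assumed to give calls that sound like one speaker.
CALLS = [
    {"id": 1, "ts": "2024-03-01T10:00", "ani": "+15550100", "account": "A-1", "name": "John Park",  "voice_cluster": "v7"},
    {"id": 2, "ts": "2024-03-04T14:20", "ani": "+15550111", "account": "A-2", "name": "J. Parker",  "voice_cluster": "v7"},
    {"id": 3, "ts": "2024-03-09T09:05", "ani": "+15550122", "account": "A-3", "name": "Jon Parks",  "voice_cluster": "v7"},
    {"id": 4, "ts": "2024-03-15T16:45", "ani": "+15550133", "account": "A-2", "name": "John Park",  "voice_cluster": "v7"},
    {"id": 5, "ts": "2024-03-19T11:30", "ani": "+15550144", "account": "A-4", "name": "Johnny P",   "voice_cluster": "v7"},
    {"id": 6, "ts": "2024-03-02T12:00", "ani": "+15559001", "account": "A-9", "name": "Maria Diaz", "voice_cluster": "v2"},
    {"id": 7, "ts": "2024-03-20T12:00", "ani": "+15559001", "account": "A-9", "name": "Maria Diaz", "voice_cluster": "v2"},
]

LINK_FIELDS = ("ani", "account", "voice_cluster")


def build_components(calls, link_fields=LINK_FIELDS):
    """Union-find over calls: two calls are linked when they share any link field.
    Returns the connected components as lists of calls, ordered by lowest call id."""
    parent = {c["id"]: c["id"] for c in calls}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> id of the first call carrying that value
    for c in calls:
        for field in link_fields:
            key = (field, c[field])
            if key in first_seen:
                ra, rb = find(first_seen[key]), find(c["id"])
                if ra != rb:
                    parent[rb] = ra
            else:
                first_seen[key] = c["id"]

    groups = defaultdict(list)
    for c in calls:
        groups[find(c["id"])].append(c)
    return sorted(groups.values(), key=lambda g: min(x["id"] for x in g))


def ani_velocity(group, window):
    """Largest number of distinct ANIs one cluster used inside any sliding window."""
    calls = sorted(group, key=lambda c: datetime.fromisoformat(c["ts"]))
    times = [datetime.fromisoformat(c["ts"]) for c in calls]
    best, left = 0, 0
    for right in range(len(calls)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, len({c["ani"] for c in calls[left:right + 1]}))
    return best


def summarize(group, window):
    return {
        "call_ids": sorted(c["id"] for c in group),
        "distinct_anis": len({c["ani"] for c in group}),
        "distinct_names": len({c["name"] for c in group}),
        "distinct_accounts": len({c["account"] for c in group}),
        "ani_velocity": ani_velocity(group, window),
    }


def flag_rings(calls, window_days=30, min_velocity=3, min_names=2):
    """Flag clusters that rotate ANIs quickly *and* present several names.
    Requiring both keeps a household sharing one landline (many names, one ANI)
    and a traveller using a few phones (one name, several ANIs) off the list."""
    window = timedelta(days=window_days)
    flagged = []
    for group in build_components(calls):
        s = summarize(group, window)
        if s["ani_velocity"] >= min_velocity and s["distinct_names"] >= min_names:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for ring in flag_rings(CALLS):
        print("suspected ring:", ring)
```

Linking on any single shared attribute is deliberately greedy: one shared ANI (a household landline, a corporate switchboard) merges unrelated callers into one cluster, which is why the flag requires both high ANI velocity and multiple names rather than either alone, and why a production system would weight the links instead of treating them as equal.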
How Pindrop helped
CommunityAmerica Credit Union began with the initial implementation of Pindrop® Protect, to address fraud attempts on member accounts. Following this initial deployment, to improve their members’ experience and address operational costs, CommunityAmerica Credit Union adopted Pindrop Passport to validate their members’ identity over the phone.
Passport passively works in the background to verify members’ identity without requiring genuine members to jump through hoops. Passport uses proprietary multi-factor, risk-based authentication processes, leveraging factors including call risk, behavior, device, and voice to identify incoming callers. To mitigate fraudulent activity targeted at CommunityAmerica Credit Union and improve operational costs and member experience, the credit union leverages data points gleaned from 5 technologies working together on the Pindrop platform, which power two separate solutions: one for caller authentication and verification, the other for fraud detection and mitigation.
Passive, multi-factor caller authentication + verification
As members continue to be passively enrolled and authenticated with Passport, CommunityAmerica Credit Union is on a trajectory to save ~$400K in call center operational costs in 2020, enabling better value for members.
The results:
- CommunityAmerica Credit Union prevented over $570,000 in fraud exposure within months, without sacrificing CES (Customer Effort Score) or adding friction to the process.
- 115 seconds were removed from total call time.
- KBAs were reduced from 4 to 2, and for some callers all KBAs were removed.
- CommunityAmerica Credit Union saw reductions in average hold time across 98% of its calls, greatly reducing the operational cost of time once spent asking questions and unnecessarily extending calls.
Combined with Protect, Fraud Loss Avoidance + Passport Authentication, CommunityAmerica Credit Union’s total benefit is a 4X return on investment (ROI) from its partnership with Pindrop.
What’s next
1. IVR Adapted Technologies to Provide 100% Coverage
This expansion of anti-fraud capabilities into the IVR will enable CommunityAmerica Credit Union to predict what accounts will be “at-risk” 60 days before a fraudster attempts to make a withdrawal.
2. Further Optimization Leveraging Automated APIs
By automating APIs, CommunityAmerica Credit Union can focus on making sure 80% of incoming calls have identity claims.
3. Graph Algorithm for Fraud Detection
CommunityAmerica Credit Union will soon be able to leverage the analysis of relationships between activities, accounts, and calls across time.
5 Insights in 15 Minutes: 2023 Authentication Trends
After significant research from 2022 data, our experts have predicted 5 compelling authentication trends looking into 2023 and beyond. Whether you’re considering optimizing customer experience, are concerned with recent deepfake news, or wondering how the rise of voice assistants will affect customer security, this webinar will touch on how consolidated market research shows the top trends to be mindful of as you consider your authentication strategy.
Part 1: The Power of Customer Authentication
This series explores customer authentication best practices and industry performance rates, and reviews the options available to customers, from enabling personalized service and increasing security to boost self-service rates, to full authentication and advanced identity assurance methods for safeguarding sensitive accounts.
Pindrop Protect & Passport: Discover the Power of Multifactor Authentication
Join this webinar to learn more about the balancing act of security and customer experience. Pindrop Protect + Passport provides a single platform for passive, multi-factor authentication and anti-fraud at every point of every call.
Authentication 102: Securing Authentication
This second installment in our Authentication series will explore key concepts around securing authentication, a deep dive into the topic of fraud versus authentication and examine how they are different, how they complement each other, and how they can be leveraged together to strengthen the contact center.
Join this session for key takeaways around: Best practices in leveraging risk as part of a policy-based multifactor authentication strategy, using risk as part of your enrollment and authentication strategy, the differences between authentication and authorization.
The Legacy Letdown: Why Industry Leaders Are Moving to Pindrop
In today’s rapidly evolving threat landscape, call centers face unprecedented challenges from sophisticated fraudsters and evolving deepfake technologies. Traditional authentication methods and standalone voice biometrics are no longer enough, with estimated losses exceeding $7B¹ in U.S. financial institution contact centers alone. The urgency for robust, innovative solutions has never been greater.
Enter Pindrop: a game-changing solution that’s redefining call center security.
Uncover why industry leaders and Pindrop customers like M&T Bank are choosing Pindrop® solutions over conventional options. For example, M&T Bank will share their journey on how they use Pindrop’s technology to stay ahead of fraudsters in their call center, while maintaining strong customer experience and trust. Discover how the Pindrop platform’s unique multi-factor approach, combining advanced device intelligence, voice biometric analysis and proprietary risk models, can achieve what traditional methods often can’t: an authentication rate of 90%.
The Challenges
Reducing:
- Abandon rates
- Hold times
- Time for authentication
- Voice and cross-channel fraud
- Agent stress
- Costs
Improving:
- Member experience
- Agent experience
The Solution
- Abandon rates dropped from 25-30% to just 5-10%
- Average hold times improved by 80%
- Average handle times reduced by 13% or approximately 45 seconds
- No need to replace 3 FTE (lost due to natural attrition)
- Members reported increase in prompt service satisfaction
- Agent stress levels improved – they can finally breathe in between calls!
So much accomplished in such little time
By implementing Pindrop’s Caller Authentication and Anti-fraud products in their call center, Affinity Plus saw pre-enrollment value for their customers based on low-risk calls directly after implementation. Spending extra time on the design and plan for the rollout helped tremendously with adoption, delivering outstanding results. And they didn’t have to do it alone—Pindrop’s experts played a significant role in the implementation process. According to Jenny Neubeck, Director of Remote Services, “Pindrop provided additional insights into fraud cases showcasing how the system worked. That assistance and education gave us confidence in the system. We took Pindrop’s best practices and then adjusted them based on Affinity Plus’ needs.”
Key results: 82% authentication rate; 45-second reduction in average handle time; abandon rates down from 25-30% to 5-10%; average hold times improved by 80%.
Hold times decreased, and member base went up with a better experience
The biggest improvement from the Pindrop relationship came in the area they cared about the most: Member experience. Within just 3 months, about 56% of their member base was already enrolled, allowing for a more frictionless identity and authentication process.
“Prior to working with Pindrop, we had no visibility but now we can recognize and categorize different types of fraud—not only via the phone channel but also mobile deposit and online banking—and identify trends.”
Erinn O’Keefe, Fraud Analyst, Affinity Plus
Using low-risk and profile-match authentication, they have achieved an 82% authentication rate on total agent calls. Average hold times improved by 80%, decreasing to less than 1 minute, and abandon rates dropped from 25-30% to only 5-10%. They also saw a 45-second reduction in average handle time (AHT) year over year since implementing Pindrop Caller Authentication.
As a result of Affinity Plus increasing their efficiency, agent workdays are far less hectic and less stressful, they can finally breathe! Agents are given more time to focus on their career development plus other member communication channels can be supported, such as the chat and texting channels. Affinity Plus utilizes Net Promoter Score (NPS) to measure their member satisfaction. As a result of the Pindrop relationship, that score was bolstered. Specifically, the “prompt service” component showed the biggest improvement.
Continuous Growth
The next step for Affinity Plus is frontloading their phone system with a conversational bot. They feel very comfortable doing so because with Pindrop, they have reliable authentication technology in place. They are also planning to expand self-service in their interactive voice response (IVR) system, allowing the conversational bot to enable payments, transfer funds, provide balances, etc. on behalf of the securely authenticated member.
About Affinity Plus
Affinity Plus Federal Credit Union is a not-for-profit, member-owned cooperative that puts people above profits. For Affinity Plus, “people” includes both members and employees. They strive to improve the lives of their members through meaningful banking, exceptional experiences, and trusted relationships. Affinity Plus is also one of the largest credit unions in Minnesota, with 30 locations, 240,000 members and nearly $4B in assets.
Advanced voice authentication and fraud detection in your Five9 contact center
In close partnership with Five9, we’re committed to helping our customers quickly and easily authenticate inbound calls, drive automation in the IVA, and detect fraud. Today, Pindrop and Five9 enable our customers to achieve those goals by providing multiple, pre-built integration points. Keep reading for more on our voice authentication solution, fraud detection software, and our customers’ success stories.
How it works: The Five9 + Pindrop® integration details
In any partner integration, Pindrop® Technologies capture a copy of an inbound call and run a thorough analysis. The Pindrop solution’s analysis of an inbound call is predicated upon a deep, carrier-style integration where the solution ingests the call audio, metadata, keystroke presses, and other signaling. This allows our technology to perform a true, multifactor analysis of the inbound caller’s voice, device, behavior, network, risk, and liveness—all of which helps you determine if the caller is a genuine consumer or a fraudster.
Call capture architecture: Five9 + Pindrop
The diagram below showcases the powerful architecture behind the Five9 + Pindrop technology integration.
View more details in the Five9 data sheet.
Key elements of the Five9 + Pindrop integration
1. Self-service option for real-time call routing
With this integration, Five9 administrators can route calls to the Pindrop solution in real-time. Instead of creating a ticket with a carrier and waiting for that request to be processed, Five9 admins can set up real-time call routing in their Numbers Inventory—a change that takes immediate effect.
2. Pre-built tasks for simple implementation
Pindrop and Five9’s IVA team also collaborated closely to produce multiple, pre-built tasks for the Studio7 library. This enables no-code, drag-and-drop API invocation for Pindrop and Five9 customers to make the process of implementing or changing functionality in the Five9 IVA faster and easier.
3. Easy-to-use agent UI
A first of its kind for Pindrop, we constructed a pre-built agent user interface, delivered through the Five9 agent desktop as a connector, as a means of easily implementing Pindrop intelligence and policy-driven instructions to Five9 agents in a clear, intuitive way.
The result of this is a thorough, end-to-end integration which allows Five9 and Pindrop customers to quickly and easily implement our mutually beneficial solutions with limited resource requirements from their own teams.
4. Supportive resources for self-guided implementation
To make the process even easier, we also co-authored a detailed user guide which provides clear, step-by-step instructions to guide a contact center administrator through the process of implementing Pindrop solutions in their Five9 environment.
Real-world success
As of late 2024, Pindrop and Five9 mutually support 15 customers across the Financial Services and Healthcare industries, with many more coming soon. Some of the largest banks, credit unions, insurance companies, and healthcare providers in North America rely on our integration points to service their customers and stop fraud. On January 15th, come hear directly from the Vice President of Michigan State University Federal Credit Union’s Call Center, Colleen Pitmon, about how much success they’ve had with their combined Five9 and Pindrop deployment. Registration details here.
Ongoing collaboration and future development
Not content to rest upon what’s already been built, the Five9 and Pindrop product teams maintain a close, working relationship to monitor our existing integration points as well as build new ones that will service future use cases. Our Five9 agent UI has already undergone improvements, including an agent feedback button, SSO login support, and more. The online task library in Studio 7 will continue to grow as demand increases for additional, pre-built resources. And recently, our teams have begun to collaborate to solve for outbound voice authentication, a feature request from many of our customers.
Have a call center challenge that you’d like to see Pindrop technologies and Five9 solve together? We’d like to hear about it. Request a demo today.
The power of Pindrop® Solutions in Genesys Cloud CX
It’s time to protect your business with technological solutions designed to help detect fraud, authenticate callers, and spot deepfakes.
Genesys Cloud CX™ empowers over 8,000 organizations with over 1.5 million agents across more than 100 countries to enhance loyalty and business outcomes by delivering exceptional experiences for both customers and employees. Genesys customers can leverage Pindrop® Technologies to combine audio, voice, metadata analysis and deep learning AI with a proprietary fraud risk database—enabling friction-free authentication and fraud detection across the phone channel.
As a Premium App Partner in the Genesys AppFoundry®, we’ve dedicated extensive development resources to ensure that Genesys Cloud™ customers can seamlessly and easily integrate our advanced voice security solutions. With our new AudioHook integration for Genesys Cloud Voice™, alongside the option to use Pindrop® Solutions with Bring Your Own Carrier (BYOC), we provide flexible, cutting-edge security solutions tailored to diverse business needs. This integration opens a vast global market, enabling Genesys customers to leverage Pindrop® Solutions to help secure and streamline their contact center operations.
Deepfakes are a rising fraud threat for contact centers. That’s why it’s imperative to deploy a comprehensive solution that can detect fraud at various points in the contact center experience, authenticate callers, and analyze audio for synthetic voice. Pindrop Solutions offer this–all within your existing Genesys Cloud environment.
Our offerings
If you already use Genesys Cloud to manage your contact center experience, you can add Pindrop Solutions with ease. Here’s an overview of our solutions:
Pindrop® Pulse™ Technology
Fortify trust and integrity between you and your customers with our industry-leading deepfake detection technology. Independently tested with a 96.4% accuracy rate, according to an NPR study on audio deepfake detection.
Pindrop® Passport
Legacy authentication systems are time-consuming for your agents and customers. With cutting-edge multi-factor authentication that can passively authenticate in the IVR or at the agent, you can fortify your contact center with more effective, seamless safety measures.
Why Pindrop?
Pindrop Solutions are industry-leading voice security tools with proven results. From fraud detection to spotting deepfakes to authenticating callers, our technology is helping stop fraudsters in their tracks.
With our partnership with Genesys, you can implement these tools seamlessly–bringing important, thorough call analysis to your agents’ screens.
To learn more about our product integration and solutions, request a demo with a member of our team.
“Advanced” call center authentication methods have been around for over a decade, with some early leaders in voice biometrics launching offerings 20 years ago. And yet, at a time when $17.7B is spent on authentication per year, 93% of it goes to legacy tools like knowledge-based authentication (KBAs) and one-time passwords (OTPs). While many call centers have implemented stronger options like voice biometrics and deepfake detection, those methods need a sufficient amount of net speech from the caller, which makes them available on only a fraction of calls; most calls still fall back to outdated authentication methods. Some of these legacy security leaders are now winding down sales of their outdated solutions. That’s why a truly modern authentication strategy is needed: one that uses multiple authentication methods to build confidence in the caller’s identity, providing coverage that does not require falling back to dated options for validating callers.
Want to hear from speakers at M&T and Pindrop about the letdown of legacy authentication solutions? Watch the webinar today.
Why legacy authentication methods are dangerous to your call center
Legacy authentication methods like KBAs and OTPs are second nature today, making them an easy sell to callers who appreciate the tangible, familiar “security” of this high friction process. Callers often understand these legacy authentication methods because they put the security process in plain sight, despite the effort it takes to complete them. However, it’s important to remember that these were originally designed as supplementary authentication techniques, not primary techniques. They were meant to be one part of a multi-factor authentication system that includes something you know, something you have, and something you are. Despite this, KBAs and OTPs have become overused in call centers, often serving as a main form of authentication. They’re frequently used as a fallback when stronger authentication methods aren’t available, affecting more callers than expected. What many consumers don’t realize–and what call center managers should be aware of–is that both methods carry significant security risks when used as the primary means of verifying a caller’s identity.
The problem with KBAs
The simplest pin to knock down is KBAs. With a 78% year-over-year increase in data breaches in 2023, it is safe to assume that most personal information is already accessible to fraudsters. In a controlled study featured in our 2023 Voice Intelligence and Security Report, Pindrop and a national contact center found that over a thirty-day period fraudsters passed KBAs 80% of the time, while genuine customers passed them only 46% of the time³.
The problem with OTPs
OTPs maintain a veneer of legitimacy but are increasingly a target for fraudulent activity. Aspiring fraudsters can now purchase tools to harvest* OTPs, advertised on Telegram for as little as $100⁴, and use the intercepted codes to answer OTP prompts correctly. Whenever a human is actively involved in the authentication process, there is room for fraudulent activity.
Now is the time to remove KBAs and OTPs once and for all from the call center, which will require reconsidering your end-to-end authentication process.
How a Pindrop customer approached modernizing their contact center
M&T Bank (M&T), a Pindrop customer, was an early mover to the modern cloud-based contact center environment. Strong self-service options and modern contact center functionality have been a priority for M&T. When thinking about how to keep their contact center authentication and fraud detection ahead of the latest fraud trends, they switched from their existing authentication solution to PindropⓇ Technologies.
Recently, Aaron Steinitz, SVP, Director Enterprise Fraud Policy and Governance at M&T Bank, shared the drivers behind this decision during a webinar with Pindrop:
- Empowering call center agents: Provide agents with advanced technology and real-time analytics to make informed decisions without forcing them to be fraud experts
- Deepfake threat preparedness: Recognize the imminent threat of deepfakes and invest in future-proofing solutions to combat emerging scams
- Holistic authentication approach: Balance customer trust with actual security measures, educate customers on new processes, and make risk-based decisions using data from voice channels to strengthen overall security
Building a future-proof authentication strategy
Contact center leaders may be inclined or pressured to react to the latest threats, like deepfakes, without laying a proper foundation of strong authentication practices. While we are supportive of deepfake detection in authentication (as demonstrated by our Pindrop® Pulse™ technology and Pindrop® Pulse™ Inspect solution), there is greater risk associated with leaving legacy methods like KBAs and OTPs for any portion of your calls.
For example, our customer M&T weighed the following when considering modern authentication practices in their call center:
- Implement true device authentication: OTPs posture as device authentication, but with the rate of fraudster interception, they no longer provide a strong indication of device ownership. Look for passive, strong device authentication, like our Phoneprinting® Technology capability, which uses signals coming from the device itself, helping to ensure you’re getting the right device match.
- Fortify voice authentication: Voice is well-known, and despite threats from increasingly prevalent deepfake technologies, is still one of the strongest methods for authenticating an individual. Voice vulnerabilities can be reduced when it’s paired with liveness detection and made part of a multi-factor authentication approach.
- Integrate passive authentication factors: Fraudsters are well-trained in social engineering, so any active caller involvement is a risk, even when it’s done by the right person. Passive authentication factors (those that require no specific action to be done) take the human out of the loop entirely, and provide stronger authentication on a larger percentage of calls, reducing the need for fall-back methods.
Ready to learn how you can eliminate KBAs and OTPs for good? Listen to our recent webinar: The Legacy Letdown: Why Industry Leaders Are Moving to Pindrop.
*harvest: a technique that involves intercepting OTPs to gain access to sensitive accounts and data.
¹ Contact Center Babel, The 2024 US Contact Center Decision-Makers’ Guide
² Federal Trade Commission, Consumer Sentinel Network Databook, 2024
³ Pindrop Voice Intelligence and Security Report, Let the Right One In, 2022
⁴ Example advertisement on Telegram channel “Spoof SS7” with over 1,250 subscribers

- Explore real-world implementation strategies from M&T Bank’s success story
- Understand how to replace Knowledge Based Authentication (KBAs) and One Time Passwords (OTPs) with strong forms of authentication
- Discover the critical role of device intelligence in modern fraud prevention
- Gain insights into operationalizing advanced authentication methods to reduce reliance on legacy systems
- Learn how the Pindrop solution’s multi-factor approach enhances authentication and enrollment rates
Don’t leave your call center vulnerable with outdated authentication methods. Join us to explore why leaving your front door open with legacy authentication is too dangerous in today’s digital age, and how Pindrop’s innovative solution can transform your security posture, enhance your customer experience, and help you stay ahead of these evolving threats.
Meet the Experts
- Vijay Balasubramaniyan, CEO and Co-Founder
- Aaron Steinitz, SVP, Director Enterprise Fraud Policy & Governance, M&T Bank
- Bryce McWhorter, VP, Authentication & Integrations, Pindrop
Replay attacks pose a significant threat to a system’s security. An attacker captures a legitimate communication and repeats or delays it in order to pass as the original sender. Their simplicity is their strength: without breaking any cryptography, an attacker can reuse a valid session to intercept sensitive data, steal session keys, or impersonate a legitimate user even after the original session ends. This can lead to unauthorized access, information theft, or financial loss, underscoring the need for effective countermeasures.
Organizations can bolster their security and support robust authentication processes by harnessing advanced biometric analysis, integrating AI, and, most importantly, leveraging the power of voice authentication. This technology is crucial in mitigating replay attacks and provides a seamless user verification method.
What is a Replay Attack?
A replay attack is a network attack in which an attacker captures a valid network transmission and retransmits it later. The main objective is to trick the system into accepting the retransmission of the data as legitimate. Common symptoms indicating that a system may be under a replay attack include unusual, repeated requests for authentication, suspicious patterns of network traffic, and incoming requests that exactly match previously recorded data patterns.
Clients using Point-to-Point Protocol (PPP) to authenticate and sign on are susceptible to replay attacks when using Password Authentication Protocol (PAP) to validate their identity. However, replay attacks can also include the use of voice.
6 Different Types of Replay Attacks
Online banking is an area with a simple example of replay attacks. They can occur by capturing a transaction message with an encrypted digital token or signature. Then, the process is repeated to transfer funds without the user’s consent. Replay attacks involve successfully intercepting a user’s data.
Another example of a replay attack could be when a company staff member asks for a financial transfer by sending an encrypted message to the financial administrator. An attacker eavesdrops on this message, captures it, and can now resend it. A replay attack could also involve unauthorized users capturing and replaying credit card information to make fraudulent purchases on behalf of individuals without them authorizing the transaction. With the correct information, an attacker can retransmit a user’s login details to gain unauthorized access to their online accounts, making them tricky and challenging to catch in real-time.
Here are several types and examples of replay attacks to be aware of:
- Basic Replay Attack
This is where an attacker intercepts a legitimate message and retransmits it to the original recipient or another entity. Chainlink gives a simple example of replay attacks that can be seen in online banking. When a user initiates a transaction, such as transferring funds to another user, the transaction’s validity is often authenticated using a digital token or signature.
- Replay Attack with Modified Data
As in a basic replay attack, the attacker captures a legitimate message, but modifies certain parts of it before resending it. Modern cars use keyless entry systems where the key fob communicates wirelessly with the vehicle. When a user presses the unlock button on the key fob, it sends a signal to the car, unlocking the doors. In 2019, researchers demonstrated a practical replay attack on Tesla Model S vehicles. They captured and modified the communication between the key fob and the car, which allowed them to unlock the car and start its engine without the owner’s key fob. This attack exploited vulnerabilities in the car’s keyless entry system by capturing the key fob’s signal and replaying it with slight modifications to bypass security protocols.
- Delayed Replay Attack
This is when an attacker delays the retransmission of the intercepted message, potentially causing confusion or incorrect system behavior. An example could be replay attacks in stock trading, which can be used to manipulate market data. An attacker might intercept valid buy or sell orders and retransmit them to execute fraudulent trades. This can create false market signals, leading to stock price manipulation. Implementing unique transaction identifiers and timestamps can help mitigate these risks by ensuring each transaction is valid only once and within a specific time frame.
- Pre-play Attack
In a pre-play attack, an attacker predicts a legitimate message before it is sent and sends their own version first. In authentication protocols, an attacker sends a guessed correct token before the legitimate user does. Pre-play attacks are particularly concerning for contactless payments, which rely on quick and convenient transactions without requiring a PIN or signature for low-value purchases. These attacks exploit some contactless payment systems’ lack of robust verification methods. For example, attackers can modify transaction data between the card and the payment terminal, making it possible to approve fraudulent transactions without proper authorization.
- Reflection Attack
The attacker sends a request to a server that causes the server to send the response back to itself or a different server in a loop, often exhausting resources. Using a service request that the server responds to by querying another server creates a loop that congests network resources. In 2022, a notable example of a reflection attack involved the TP240PhoneHome reflection/amplification DDoS attack vector. This attack exploited vulnerabilities in the TP-240 DVR service, allowing attackers to generate an amplification ratio of up to 2,200,288,816:1. This means that a single spoofed request could generate an immense amount of traffic, potentially resulting in up to 2.5 TB of attack traffic from a single command. This attack affected various sectors, including broadband ISPs and financial institutions, causing significant disruption.
- Duplicate Attack
The attacker duplicates a message multiple times to flood the target system. For example, they send multiple copies of a payment request, which can cause numerous transactions. A notable example of a “duplicate attack” in recent news involves a political maneuver during the 2024 Washington governor’s race. This incident featured two individuals named Robert Ferguson, who filed to run against the current Attorney General, Bob Ferguson, creating confusion among voters. This move allegedly intended to mislead voters and split the vote to prevent the real Bob Ferguson from advancing in the primary election. This tactic was denounced as an attack on the electoral system and democracy. Eventually, both duplicate candidates withdrew their names from the ballot after legal pressure and public scrutiny.
How to Mitigate a Replay Attack?
Mitigating replay attacks involves using cryptographic techniques, protocols, and secure practices. The most effective countermeasures include employing encryption protocols with unique session keys and implementing time stamps or sequence numbers in messages.
The Importance of Voice Authentication in Mitigating Replay Attacks
Today, voice authentication in contact centers is critical to confirming valid customers, improving customer experience, and safeguarding customer accounts. However, efficient customer authentication can be tricky and requires an optimized IVR experience to identify and mitigate the risks of replay attacks. Here are four advantages of voice authentication that can add to a powerful defense against replay attacks and enhance overall cybersecurity.
- Strong Authentication
Voice authentication integrated within call centers supports security remotely and helps call center operations identify callers based on personalized information.
- User Convenience
The Pindrop® voice authentication technology allows entities to verify their customers through natural conversation, eliminating the need to answer multiple security questions or enter PINs. This streamlines the authentication process, making it quicker and more convenient for customers.
- Replay Attack Prevention
Various layers help ensure that replay attacks can’t get through call centers. Controlling the number of requests per user (i.e., not allowing repeat messages), allowing for mutual authentication (a security process in which both parties in a communication verify each other’s identity), implementing private security keys, session tokens, challenge-response protocols, timestamps, and a nonce (a unique value used only once) can all help.
- Enhanced Multi-Factor Authentication (MFA)
Voice can be combined with other authentication methods (like passwords or facial recognition) to create a more secure multi-factor authentication process. Each person’s voice has unique characteristics, such as pitch, tone, and speaking style, making it difficult to replicate or forge. Pindrop’s 2024 Voice Intelligence and Security Report covers how to navigate the evolving threats in voice security and equip your business with robust tools to combat fraudsters and authenticate your customers effectively.
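The countermeasures named in the mitigation section and in the list above (unique keys, timestamps, nonces, sequence numbers, integrity protection) fit together into one small verifier. This Python block is an added example, not Pindrop’s code or code from the original post; the shared key, the clock and the messages are constructed for the demonstration, and it is exercised against the basic, modified-data, delayed and duplicate replay variants described earlier.

```python
import hashlib
import hmac
import os
import time

# Constructed demo key. In a real deployment this would be a per-session key
# negotiated at session setup, never a long-lived static secret.
SHARED_KEY = b"constructed-demo-key-not-for-production"


class ReplayGuard:
    """Signs outgoing messages and verifies incoming ones, rejecting replays."""

    def __init__(self, key, max_skew=30, now=time.time):
        self.key = key
        self.max_skew = max_skew      # seconds a message stays acceptable
        self.now = now                # injectable clock so the demo can jump time
        self.seen = {}                # nonce -> timestamp, pruned outside the window
        self.last_seq = {}            # sender -> highest sequence number accepted

    @staticmethod
    def _canonical(m):
        # Every field is covered by the tag, so altering any of them breaks it.
        return f"{m['sender']}|{m['seq']}|{m['ts']}|{m['nonce']}|{m['body']}".encode()

    def sign(self, sender, seq, body):
        m = {
            "sender": sender,
            "seq": seq,
            "ts": int(self.now()),          # freshness: bounds delayed replays
            "nonce": os.urandom(8).hex(),   # uniqueness: defeats exact replays
            "body": body,
        }
        m["tag"] = hmac.new(self.key, self._canonical(m), hashlib.sha256).hexdigest()
        return m

    def verify(self, m):
        # 1. Integrity first: a replay with modified data fails here.
        expected = hmac.new(self.key, self._canonical(m), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, m["tag"]):
            return "reject: bad tag"
        # 2. Freshness: a delayed replay outside the window fails here.
        now = self.now()
        if abs(now - m["ts"]) > self.max_skew:
            return "reject: stale"
        # Forget nonces that can no longer pass the freshness check anyway,
        # which keeps the nonce cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        # 3. Uniqueness: a basic or duplicate replay inside the window fails here.
        if m["nonce"] in self.seen:
            return "reject: replayed nonce"
        # 4. Ordering: an older message from the same sender cannot be slipped in later.
        if m["seq"] <= self.last_seq.get(m["sender"], 0):
            return "reject: old sequence"
        self.seen[m["nonce"]] = m["ts"]
        self.last_seq[m["sender"]] = m["seq"]
        return "accept"


def run_demo():
    """Exercise the guard against the replay variants from the text (constructed traffic)."""
    clock = [1_700_000_000.0]                      # controllable fake clock
    guard = ReplayGuard(SHARED_KEY, max_skew=30, now=lambda: clock[0])
    results = []

    m1 = guard.sign("alice", 1, "transfer 100 to bob")
    results.append(("original", guard.verify(m1)))
    results.append(("basic replay", guard.verify(m1)))           # same bytes again
    tampered = dict(m1, body="transfer 9000 to bob")              # modified-data replay
    results.append(("modified data", guard.verify(tampered)))

    m2 = guard.sign("alice", 2, "transfer 5 to bob")
    clock[0] += 120                                # message held for two minutes
    results.append(("delayed replay", guard.verify(m2)))

    m3 = guard.sign("alice", 3, "transfer 7 to bob")
    results.append(("fresh message", guard.verify(m3)))
    m4 = guard.sign("alice", 2, "transfer 1 to bob")   # fresh nonce, old sequence number
    results.append(("out-of-order sequence", guard.verify(m4)))
    return results


if __name__ == "__main__":
    for label, outcome in run_demo():
        print(f"{label:22s} -> {outcome}")
```

The order of the checks matters: integrity is verified before anything is cached, so a forged message can never poison the nonce store or advance the sequence counter.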
Pindrop® Solutions That Can Help Detect Replay Attacks
Pindrop’s innovative Deep Voice® technologies offer tailored solutions to help combat replay attacks.
A recent example of a replay attack is the September 2023 data breach at MGM Resorts International. In this specific scenario, the cybercriminals employed Vishing (voice phishing) to manipulate MGM Resorts International’s IT team into resetting Okta single sign-on passwords. Pindrop solutions offer a multi-factor platform that helps protect against a broad spectrum of attacks, including Vishing. Specifically for Vishing, Pindrop offers solutions like spoofing detection based on phone number, voice authentication, and liveness detection.
These features can be instrumental in rejecting impostors’ voices, detecting repeat fraudsters, or identifying indicators of manipulations in the victim’s voice, such as deepfake or replay attacks. Two top 20 banks saw 20x ROI by leveraging Pindrop solutions to reduce fraud and improve customer experience and operation costs.
Contact centers are under significant pressure to manage calls efficiently, especially as volumes begin to rise. Customer authentication is obviously a big priority and is critical to ensuring the security of the contact center.
As a result, most call centers have to tread a fine line between managing the overall call experience, streamlining authentication processes, and making sure that average handling times remain competitive.
However, customer authentication is handled very differently if you’re using an IVR (interactive voice response) system as compared to working with live or virtual agents. Before we go further, let’s talk about what customer authentication and identification really are.
What is Customer Authentication?
Traditionally, customer authentication in call centers has involved asking the customer to provide personal information, such as their full name, date of birth, address, or answers to security questions based on personal history (like a mother’s maiden name).
However, this method can be time-consuming and is not foolproof, as such information can potentially be accessed or guessed by others. To address these challenges, many call centers are turning to more advanced and secure methods of authentication.
Technological advancements have led to the development of more sophisticated authentication tools. These include biometric verification methods, such as voice biometrics, where a customer’s unique voiceprint is used to verify their identity.
This method is not only more secure but also enhances customer experience by speeding up the authentication process. These are primarily employed in sensitive industries, such as banking, retail, healthcare, or telecommunications.
Other tools like two-factor authentication (2FA), where a customer is required to provide two different types of information for verification, and knowledge-based authentication (KBA) systems, which ask questions that only the genuine customer would know, are also widely used.
What is Customer Verification?
It’s important to understand that customer verification is different from authentication. Customer verification involves confirming specific details or information provided by the customer. For example, verifying a transaction, a change in service, or the accuracy of account information.
Verification serves as a double-check to ensure that the actions being taken or the information being provided is correct and authorized by the customer.
How customers are authenticated in IVR systems vs. authentication by agents
Interactive Voice Response (IVR) systems provide an automated way of authenticating customers before they are connected to a live agent. In IVR-based authentication, customers interact with a computerized system that guides them through a series of steps to verify their identity.
This process is typically initiated by the customer entering a personal identification number (PIN), account number, or other identifying information using the phone keypad or through voice commands.
The IVR system may also integrate more advanced authentication methods. For example, voice biometrics can be used to authenticate customers based on the unique characteristics of their voice. This method is not only secure but also user-friendly, as it requires minimal effort from the customer.
The IVR might also use two-factor authentication (2FA), where after entering a PIN or account number, the customer receives a code via SMS or email, which they must then enter into the IVR. IVR-based authentication is efficient as it reduces call handling times and frees up agents from performing routine authentication tasks.
However, it’s crucial that the IVR system is user-friendly and offers an option to quickly connect with a live agent if the customer has trouble with the automated process.
Modern IVR systems even use passive authentication methods, where they use voice biometrics to automatically authenticate a customer.
Authentication with a live agent
Agents typically begin the call by asking the customer to provide specific information to verify their identity.
This may include the customer’s name, date of birth, address, account number, or answers to predetermined security questions. In scenarios where more stringent security measures are required, agents might use knowledge-based authentication (KBA).
KBA involves asking questions that are supposedly known only to the customer, like previous transaction details or personal history questions. Agents may also use customer interaction history to ask questions related to previous service requests or account changes.
The human element in live agent authentication allows for more flexibility and problem-solving capabilities. If a customer struggles to remember a specific piece of information, the agent can use alternative questions or methods to authenticate them.
However, this method can be more time-consuming and is dependent on the skill and training of the agent to effectively and securely authenticate the customer.
Types of customer authentication
There are two main types of customer authentication methods in use today: Active and passive authentication.
Active Authentication
Active authentication involves the customer’s direct participation in the verification process. This method requires the customer to actively provide information or perform an action to prove their identity. A classic example of active authentication is the use of passwords or PINs.
This is time-consuming, as the agent has to carefully verify the information before proceeding with the call.
Passive Authentication
Passive authentication, in contrast, verifies a customer’s identity without their active participation or often even their awareness.
This type of authentication happens in the background during a customer interaction and is designed to be non-intrusive. An example of passive authentication is voice biometrics used in contact centers.
When a customer calls in, the voice biometrics system analyzes their voice patterns (like pitch, tone, and speaking style) and compares them to a stored voiceprint. If the voice patterns match, the customer is authenticated without having to actively provide any specific information.
Pindrop makes it easy for contact centers to deploy passive voice authentication with the help of advanced voice biometrics.
Pindrop’s system passively authenticates customers by analyzing their unique voice characteristics during a phone call. This technology works in the background, seamlessly verifying a customer’s identity as they naturally speak with an agent.
The benefits of using biometric authentication
One of the most significant advantages of biometric authentication is its enhanced security. Biometric data is unique to each individual and extremely difficult to replicate or steal, unlike traditional authentication factors like passwords or security tokens, which can be forgotten, lost, guessed, or stolen.
For instance, voice biometrics in a contact center setting is based on the unique vocal characteristics of the user, making it a robust security measure against impersonation or fraud.
This level of security is particularly beneficial in industries where safeguarding sensitive information is paramount. Another key benefit is the convenience and speed it offers.
Biometric authentication typically requires a single action, like speaking or scanning a fingerprint, making the process much quicker and more user-friendly than traditional MFA methods, which often involve remembering and inputting passwords or codes.
This ease of use not only improves the customer experience but also enhances efficiency in scenarios like customer service calls, where quicker authentication can lead to reduced call times and increased overall throughput of customer queries.
More importantly, voice biometric systems are constantly learning and evolving, making them increasingly accurate and reliable, especially in contact centers that receive a higher volume of calls.
How voice biometrics protects against call spoofing
One of the key strengths of voice biometrics in countering call spoofing lies in its immunity to manipulation of external identifiers like phone numbers.
Unlike Automatic Number Identification (ANI) validation, which relies on the phone number being transmitted correctly and can be spoofed, voice biometrics validates the caller based on their voiceprint – a unique identifier that cannot be easily altered or imitated.
This means that even if a fraudster successfully spoofs a phone number, they cannot mimic the voiceprint of the legitimate customer, making voice biometrics a powerful tool against identity theft and fraud.
In many contact centers however, voice biometric identification is used in tandem with ANI validation and matching. Think of it as adding another layer of security to ensure that the call originates from the customer’s account.
Even if a caller passes the ANI validation, they must still pass the voice biometric check. The system analyzes various aspects of the caller’s voice and compares them to a stored voiceprint. If the voiceprint doesn’t match, the call can be flagged for further investigation, even if the ANI was validated.
Customer Authentication: How Pindrop can help
Instead of just relying on standard authentication techniques, using Pindrop helps contact centers not only improve the speed of verification but also makes it more reliable.
Each individual’s voiceprint is as unique as a fingerprint, making it an extremely reliable form of authentication. When a customer calls in, the Pindrop system compares their voice against a stored voiceprint to verify their identity.
This process is highly secure and effectively minimizes the risk of fraudsters impersonating customers, as replicating someone’s voiceprint is exceedingly difficult.
With Pindrop, as soon as the customer speaks, their identity is verified passively and unobtrusively in the background.
This streamlined process leads to quicker call resolutions, enhancing customer satisfaction and enabling agents to focus more on addressing the customer’s needs rather than spending time on lengthy authentication procedures.
Pindrop is particularly effective in protecting against call spoofing and telephony fraud. By relying on voice biometrics, Pindrop ensures that even if a fraudster manages to spoof a caller ID, they cannot bypass the voice authentication.
And more importantly, Pindrop gives call center agents valuable insights and analytics based on voice interactions. This data can be used to improve customer service strategies, tailor services to individual needs, and better understand customer behaviors and preferences.
We recently hosted a webinar with boost.ai and Desert Financial Credit Union (DFCU) to discuss better securing call centers in today’s rapidly changing environment. The authentication process can be clunky and time-consuming due to long handle times and excessive security questions. Our integration with boost.ai equips organizations with passive authentication, taking just 3-5 seconds of a caller’s net speech to quickly and safely authenticate genuine customers while keeping bad actors out, thus enabling call center agents to provide a more seamless process.
Since August 2022, Pindrop and boost.ai have partnered to provide seamless experiences in organizations’ contact centers by leveraging Pindrop’s anti-fraud and authentication solutions and boost.ai’s AI-powered chat and voice bots.
For six months, Desert Financial Credit Union has been utilizing the integration between Pindrop and boost.ai to arm their call center with Pindrop® Passport for passive, secure authentication as well as implementing boost.ai’s AI-powered voice bots. Below, we share some of their findings since the implementation, along with our top questions about this new technology on the market. Here are the speakers who hosted the webinar:
- David Tevendale, Partner Alliances Lead, Pindrop
- Hailey Crundwell, Sales Leader, Pindrop
- Sara Candelaria, Assistant Vice President, Desert Financial Credit Union
- Chase Tarkenton, SVP & General Manager, NA, Boost.ai
Question 1—How has Desert Financial Credit Union improved its caller experience while modernizing and expanding its authentication approach?
DFCU’s contact center is split between the sales center and service center, and together, they accept upwards of 600,000 calls annually. They did not have a voice-enabled IVR, making the operation human-centered but outdated and in need of automation and reporting. Fraud detection and mitigation also fell heavily on the agents. With 450,000 members and growing, the credit union needed a solution to infuse advanced fraud detection with a better customer experience. Within six months, Sara Candelaria, DFCU’s Assistant Vice President, provided success metrics around the Pindrop & boost.ai implementation:
- Dee, DFCU’s AI-powered automated voice bot, addresses about 10% of the credit union’s overall call volume and successfully enrolled 6,000 members in voice biometrics in the six-month timeframe.
- Of the 6,000 enrolled members, 2,700 have called back into the call center and were serviced without an agent or security questions.
- Dee handles about 30% of inbound calls without sending them to an agent, saving 1,100 hours of manual agent work.
Question 2—What are the top trends around contact center authentication for financial institutions?
According to Hailey Crundwell, one of Pindrop’s panel speakers, it boils down to three major themes:
- Enabling and increasing self-service – Self-service in the call center allows for IVR containment. Pindrop helps by passively authenticating the customer sooner in the call cycle without them needing to answer Knowledge-Based Authentication questions (KBAs) or key in numbers.
- Delighting the customer with a positive call experience – Being able to self-service, if a customer chooses, reduces the length of the call time for the customer and helps them quickly and safely get what they need. If a caller prefers to speak with an agent, the agent no longer needs to ask qualifying questions so they can focus on relationship-building.
- Building and protecting a solid brand – According to Warren Buffett, “It takes twenty years to build a reputation and five minutes to ruin it.” From an authentication standpoint, customers want a quick calling experience and to feel like their data and funds are protected and safe with their bank or credit union. In the past several years, the amount of fraudulent calls and transactions has grown, and consumers want to know that their bank is doing everything possible to protect them.
Another excellent example of AI helping the customer experience is Dee, DFCU’s automated voice bot. She can quickly serve and automate customers’ needs by transferring money between accounts, executing account transactions, pulling account balances, and providing FAQ knowledge, totaling about 4,000 unique conversations that can be had with members without any agent interaction.
Question 3—How can we expect AI to help the customer experience in the future?
“Folks are capturing so much data on their customers today that with generative AI being infused into some of the tools that you’re using, it gives you the ability to have the hyper-personalized experience that we all crave,” says Chase Tarkenton, SVP & General Manager at boost.ai. From the customer side of the house, every call shouldn’t feel like the caller has to start fresh. For example, the call center agent or automated voice/chatbot should know the customer’s name as they call in.
Another trend Chase discussed was the democratization of what used to be complex technology that required data science teams. Organizations no longer have to build everything on their own.
Question 4 – How can a small-to-medium-sized bank or credit union implement Pindrop’s security measures and boost.ai’s AI-powered voice or chatbots?
For many financial institutions with a large technology stack serving customers, it can be difficult to know where to start implementing better technologies to automate systems and processes. “We don’t have a team of 300 people working on this initiative like big banks. We have a team of two people, but we started with one person in charge of this entire initiative,” says Sara. Assigning a point person who is invested in success markers can make the journey to better AI-powered processes possible and scalable.
It’s also about finding a solution that provides support and partnership. Pindrop and boost.ai are both solutions and companies that offer support along the journey to securing call centers in the future. Start the conversation with a tech provider to see how they can help with the implementation process. “We’re flexible about what your tech stack looks like, what you’re trying to achieve, and what factors make the most sense for your goals, no matter the size or scale,” says Chase. For an organization starting with this initiative, find someone in your business who is excited about this topic. Start with boost.ai’s Academy to learn about virtual agents, and check out Pindrop’s authentication page for more education.
What Passive Authentication in Call Centers Will Look Like Going Forward
As Chase mentioned toward the end of the webinar, omnichannel solutions are a big trend that could change the ability to answer simple customer questions and create more future pathways that don’t involve agents. Authentication can be a great place to boost caller and agent experience. Voice biometrics and authentication have come a long way, and financial institutions like Desert Financial Credit Union are seeing the benefits of leveraging this technology.
If you’d like to learn more about implementing Pindrop and boost.ai in your call center, click here to talk to a rep today.
About Desert Financial Credit Union:
Desert Financial was founded in 1939 in Arizona by fifteen educators. Those fifteen educators grouped with just $78.75 in their pockets because they wanted to make a difference. They’re founded on a mission to have fun and celebrate their clients’ success. “I worked for Desert Financial for seventeen years and have seen us grow tremendously. During that time, we’ve always stayed true to our mission. The member experience is at the heart of everything we do, every decision we make, every vendor that we onboard, every change, every branch that we open,” says Sara. There is a genuine desire to do good for the community, and they are tremendously committed to their member’s financial well-being.
About boost.ai:
In 2016, boost.ai founders were presented with an exciting problem to solve for a financial banking institution. “They asked how do we create deeper relationships with our clients through technology, but we can’t compromise on compliance, and we have a predictable outcome every time,” says Chase. They also wanted to create a platform that ensured that the virtual agent’s voice you implemented represented a company’s brand voice.
Now, they have 500 customers using the platform, and over one hundred financial institutions are part of that. Conversational AI is centered on leveraging technology to get the outcomes right for your business. Forty percent of existing clients had used some form of AI but had yet to achieve the desired results. Global companies today rely on financial institutions to grow and scale, so having the right technology in place to keep fraud from occurring and stunting that growth can make all the difference.
Voice authentication solutions are becoming increasingly popular in contact centers around the country. While they are generally used for security purposes, voice authentication systems can help contact centers cut costs considerably in the long run. In the following paragraphs, we’ll explain how contact centers can save significantly on operational expenditures.
How do Voice Authentication Systems Work?
Voice authentication systems in contact centers work by verifying the identity of a caller based on their unique voice characteristics. Initially, during the enrollment phase, a caller’s voice is recorded to create a voiceprint.
This involves the caller speaking specific phrases, which are analyzed for various characteristics like pitch and tone, and then converted into a digital voiceprint.
During subsequent calls, the system enters the verification phase, comparing the caller’s live voice sample with the stored voiceprint.
This involves analyzing various voice features to determine a match. If the live sample closely matches the stored voiceprint within a predefined threshold, the system authenticates the caller. In cases of uncertainty, additional security measures may be initiated.
The technology behind these systems often involves artificial intelligence and machine learning, which help refine the algorithms over time for better accuracy. However, these systems also raise concerns about privacy and data protection.
Contact centers using voice authentication must adhere to strict data protection laws and ensure the security and confidentiality of the voiceprints they store.
How Do Contact Centers Save Money with Voice Authentication Solutions
Voice authentication systems offer significant cost savings and productivity enhancements for contact centers, impacting various aspects of their operations.
Reduction in Average Handling Time (AHT)
One of the primary ways voice authentication systems save costs is by reducing the Average Handling Time (AHT) of calls. Traditionally, agents spend a significant portion of each call verifying the caller’s identity through security questions or PINs.
Voice authentication streamlines this process, identifying customers within seconds. This efficiency not only shortens call durations but also allows agents to focus more on resolving customer queries, enhancing overall productivity.
Improved First Call Resolution (FCR)
By quickly verifying a caller’s identity, voice authentication systems contribute to a higher first-call resolution rate. Agents have more time to understand and resolve customer issues in a single call, which is a key metric in assessing the effectiveness and efficiency of a contact center.
Higher FCR rates are associated with increased customer satisfaction and reduced costs associated with follow-up calls.
Reduction in Fraud-Related Costs
Voice authentication enhances security, reducing the risk of fraud which can be costly for contact centers.
By accurately verifying the identity of callers, these systems minimize the potential of fraudulent activities, saving costs that would otherwise be spent on fraud detection, investigation, and rectification.
Lower Training Costs
Training agents for stringent manual verification processes can be resource-intensive. Voice authentication systems simplify the process, requiring less intensive training on security protocols. This can lead to significant savings in training and development budgets.
Decreased Turnover and Improved Employee Satisfaction
Handling repetitive tasks like manual verification can be monotonous for agents, leading to higher turnover rates. By automating this part of the process, voice authentication systems can improve job satisfaction, indirectly reducing recruitment and training costs associated with high employee turnover.
Reduced Dependence on Physical Infrastructure
As voice authentication reduces the need for extensive manual verification, it allows more flexibility regarding remote work options. This can lead to reduced costs in physical infrastructure and associated overheads.
How to Choose a Voice Authentication Solution
Choosing a voice authentication solution for your contact center involves considering several key factors to ensure you select a system that aligns well with your specific needs and objectives.
The first step is to evaluate the accuracy of the system. A good voice authentication solution should have high accuracy in voice recognition to ensure reliable customer identification and minimize both false rejections and false accepts. Look for systems that use advanced algorithms and machine learning to adapt and improve over time.
Your next step is to consider just how easy the system is to integrate. Your chosen solution should seamlessly integrate with your existing contact center infrastructure and CRM systems.
This minimizes disruption during implementation and ensures that your agents can continue to provide high-quality service without significant changes to their workflow.
Security is another critical factor. The solution should comply with relevant data protection and privacy regulations. Ensure that it has robust security measures in place to safeguard sensitive customer data, particularly voiceprints, which are unique to each individual.
Lastly, you’ll want to consider the overall customer experience. The system should be user-friendly, not only for your agents but also for your customers. It should facilitate a smooth and efficient authentication process, contributing positively to overall customer satisfaction.
Cut Contact Center Costs with Pindrop
Used by some of the biggest names in the industry, Pindrop helps contact centers not only save on operational costs but also offers flexibility and scalability. Take the first step in building customer trust and improving contact center security with Pindrop. Request a demo today!
Modern contact centers rely on both active and passive voice authentication to mitigate fraud risk and improve productivity. However, it’s important to understand that the underlying technologies between the two are vastly different.
In this article, we will discuss both active and passive authentication, explain how they work, and compare the two to determine which one you should choose for your contact center in 2025.
What is Active Authentication?
Active voice authentication (AVA) is an advanced biometric technology that utilizes unique voice characteristics for identity verification, providing a seamless and secure method of authenticating individuals.
This technology capitalizes on the fact that every individual’s voice is distinct, with unique features such as pitch, tone, modulation, and accent. AVA systems analyze these features using sophisticated algorithms and machine learning techniques to create a voiceprint, a digital model of an individual’s voice that serves as a biometric identifier.
Technically, active voice authentication systems utilize several key features: voice capture, feature extraction, and pattern matching. Initially, the user’s voice is captured through a recording device, typically a microphone.
This raw audio data is then processed to extract relevant features. This feature extraction involves analyzing various aspects of the voice signal, such as frequency content, temporal characteristics, and dynamic range.
Advanced signal processing techniques like Fourier transforms and Mel-frequency cepstral coefficients (MFCCs) are commonly employed in this phase to accurately capture the nuances of the voice. Also, it’s important to mention that all of this happens in real time!
Once the voice features are extracted, they are compared against a stored voiceprint in the authentication database using pattern-matching algorithms.
These algorithms, often leveraging deep learning techniques, are designed to account for minor variations in voice due to factors such as emotional state, health, or background noise, ensuring robust and accurate authentication.
The system’s decision to authenticate a user is based on the degree of similarity between the live voice sample and the stored voiceprint.
What is Passive Voice Authentication?
As you can probably tell, passive voice authentication (PVA) works in a slightly different manner. This is a sophisticated, non-intrusive method for verifying an individual’s identity based on their voice.
Unlike active voice authentication, which requires direct interaction from the user, PVA operates discreetly in the background, authenticating users during natural speech without the need for specific voice commands or phrases. This approach makes PVA an ideal solution for continuous authentication in various settings, enhancing both security and user experience.
Passive voice authentication works in the background, relying on ambient voice capture, feature extraction, and continuous pattern analysis. During ambient voice capture, the system unobtrusively records a user’s speech in a natural setting, often using strategically placed microphones or during regular phone conversations.
The challenge here is to accurately capture voice data amidst potential background noise and varying acoustic environments.
Once the voice is captured, certain features are extracted from it. This step involves isolating and analyzing distinct characteristics of the voice, such as timbre, intonation, and speech rhythm.
Techniques like Gaussian Mixture Models (GMMs) and Deep Neural Networks (DNNs) are employed to process these features and effectively differentiate between individual voices. Given the passive nature of the system, the algorithms must be particularly adept at handling unstructured and spontaneous speech, extracting relevant features from casual conversation.
The crux of passive voice authentication lies in its continuous pattern analysis, where the extracted voice features are constantly compared against a pre-established voiceprint in the system’s database.
Utilizing advanced machine learning algorithms, the system evaluates the probability that the voice in question matches the voiceprint associated with the user’s identity. This ongoing analysis allows for real-time authentication, flagging any discrepancies that might indicate fraudulent activity.
Active vs. Passive Voice Authentication – A Quick Overview
Here’s a brief table comparing the differences between the two:
Aspect | Active Voice Authentication (AVA) | Passive Voice Authentication (PVA) |
Interaction Requirement | Requires direct user interaction (e.g., speaking a passphrase) | Operates in the background without direct user input |
User Experience | The user must actively participate in the authentication process | Non-intrusive; authenticates during natural speech |
Typical Use Cases | Secure access to devices, systems, or facilities; voice-activated services | Contact centers for security monitoring |
Speech Type | Structured, specific commands or phrases | Unstructured, natural conversation |
Environmental Adaptation | Relies on clear, consistent voice quality | Must adapt to varied acoustic environments and background noises |
Authentication Method | One-time verification at the point of access | Continuous, real-time monitoring and verification |
Security | High, with distinct voice commands enhancing security | High, with continuous monitoring providing ongoing security |
Voiceprint Storage | Stores a specific voiceprint based on known commands | Stores a more dynamic voiceprint to account for natural speech variations |
Adaptability | Less adaptable to variations in voice | More adaptable to changes in voice and speech patterns |
Why is Passive Voice a Better Choice in Contact Centers?
Passive voice authentication is generally a better choice in contact centers for several reasons. For starters, passive voice authentication provides a non-disruptive experience, seamlessly operating in the background to authenticate callers during their natural speech patterns.
This feature is crucial in contact center environments where maintaining a smooth, customer-friendly interaction is essential. Unlike AVA, which requires specific voice commands or phrases for authentication, PVA doesn’t interrupt the conversation flow, allowing for a more natural and engaging customer experience.
Another major advantage of passive voice biometrics in the contact center is its ability to offer continuous authentication.
Passive voice authentication technology, such as Pindrop’s, runs in the background and offers real-time monitoring to ensure that the person on the line remains the authenticated caller throughout the entire interaction.
This ongoing verification is particularly important in contact centers to safeguard against fraud, making it much harder for an imposter to hijack a call partway through.
More importantly, passive voice biometrics saves a great deal of time and improves overall customer satisfaction. The seamless and unobtrusive nature of passive authentication is often preferred by customers who dislike undergoing repeated authentication processes, especially when they might call multiple times for ongoing issues.
Improve Your Contact Center’s Security Today
Pindrop’s passive voice authentication technology is used by some of the largest financial institutions in the country. If you’d like to see it in action and learn more about how it can benefit your business, request a demo today!
Discover the power of multifactor authentication & fraud detection for contact centers.
Pindrop’s integrated platform establishes a risk foundation across the platform and enables end-to-end integration from pre-ring to disconnect. Featuring five technologies on one platform, Pindrop’s authentication and fraud detection products offer holistic scoring.
Featuring Scott Engels, Director of Global Sales Engineering for Pindrop, this webinar gives a high-level overview of the application of Pindrop products in call centers and offers a live look at these solutions.
- Improve customer experiences
- Enable automatic authentication for trusted callers
- Risk mitigation and protection against fraudster attacks
- Reduce call handling times
- Reduce operational costs, fraud losses, and customer churn
Your expert panel
Scott Engels
Director, Global Presales Engineering, Pindrop
While emerging AI technologies bring increasing challenges in detecting bad actors, and concern from your consumers, the reality is that most of your callers are good callers. The customer experience for legitimate callers should not be punished as a side effect of efforts to find the fraudsters in the haystack. That’s why we keep innovating Pindrop’s Authentication features to provide a range of high confidence multi-factor authentication signals over the length of a call. Immediately available validation like ANI Validation lets you route calls based on risk right from the beginning, reducing friction for low risk callers and increasing friction for higher risk ones. This method is proven with almost 90% of Passport customers, and results in reduced friction on over 90% of calls on average. Now, there’s a solution to leverage audio alone to expedite call handling with Audio-Based ANI Validation.
The Pindrop team has been beating our drum on, and proving, the benefits of ANI Validation for a long time. We’ve invested in our ability to offer this critical component of device validation via in-house development, integration with key partners like Verizon, and acquisition of device verification pioneer NextCaller. And now there’s more! In our quest to continually innovate authentication within our scalable cloud-based solutions, we’re excited to announce a new feature that expands access to this powerful authentication signal by relying on something every call has – audio.
With Audio-Based ANI Validation, you’re able to:
- Validate caller ANIs and spoofing risk through call audio
- Achieve more advanced security by offering multi-factor ANI Validation when carrier data and call audio are present
- Integrate seamlessly with other authentication feedback to provide one single score and tiered authentication policies housed in one unified platform
With this new feature, up to 84% of calls can be verified using audio alone. Call validation increases to as high as a 92% verification rate when combined with existing ANI Validation methods. In 2024, our team is on track to expand this to four validation factors targeting a 95%+ verification rate — taking the work off of your call centers and not frustrating your callers throughout the process.
How does Audio-Based ANI Validation work?
Audio-based ANI Validation allows Pindrop’s Passport solution to determine whether a call is spoofed with access to just seconds of call audio. This new spoof detection method provides an alternative to methods requiring call metadata, which many customers struggle to acquire consistently from their telephony carrier, or the third party integrations many of our competitors rely on.
The Pindrop research team discovered, defined, and then built this new detection method no one else offers. It greatly expands the number of customers able to receive this scoring, including our international customer base.
“The Authentication Research team’s goal this year was to expand the availability of our Authentication platform, including foundational ANI validation, to new customers, markets, and geographies. We quickly realized the need for a new technology not limited by metadata that few customers have. I am so proud that my team could think beyond what is standard in the market today and innovate this audio-based method, which leverages a fundamental component of the call that is always available, everywhere. In 2024, we’re delighted that every Pindrop customer will have access to the value that ANI validation provides.” – Kailash Patil, Director of Research
With Pindrop, we’ve made an easier way to verify callers with the data you have, all housed in one unified network. Set up a call today to learn about this latest technology and how it can drive faster authentication for better customer and agent experience.
An increasing number of contact centers and organizations that offer support are now relying on voice authentication software to reduce their cyber threat surface. Fraud is rife amongst contact centers, with bad actors relying on numerous techniques to try and fool agents. Companies that don’t use voice authentication software are exposed to many types of attacks. One of these is a replay attack, also known as a playback attack.
What Is a Replay Attack?
Simply put, a replay attack is a cybersecurity threat where an attacker intercepts and records legitimate information to use maliciously at a later time.
The purpose of retransmitting this data is to reproduce the effects of the original, authorized transmission without the genuine sender’s intent or knowledge.
Broadly speaking, replay attacks have two phases: the capture phase and the replay phase. During the capture phase, the attacker eavesdrops on the network to capture information that they can reuse later on.
This might be something as simple as recording a person’s voice. Next, you have the replay phase, where the attacker uses the collected information to try and gain access to the victim’s accounts.
How Replay Attacks Work – An Example
Imagine a contact center that provides phone-based customer support for a banking institution. Customers call in to perform various transactions such as checking balances, transferring money, or changing account details.
To authenticate the customer, the contact center’s automated system might ask for the customer’s account number followed by a voice-based PIN.
Now, let’s assume that a customer calls to transfer a sum of money, and provides the necessary voice-based PIN. However, a malicious actor manages to intercept the PIN and record the voice transmission and the customer’s account number.
That malicious actor can now replay the customer’s recorded voice to provide the account details and the voice-based PIN, thus gaining access to the system and being capable of making unauthorized transactions.
How Voice Authentication Mitigates the Risks Posed by Replay Attacks
Voice authentication, commonly referred to as voice biometrics, has emerged as a robust solution to enhance security measures, especially in contexts like contact centers, mobile applications, and smart devices.
Voice biometrics software analyzes unique characteristics of an individual’s voice to confirm their identity, offering a dynamic method of authentication beyond traditional static passwords or PINs.
Voice authentication systems analyze hundreds of voice characteristics, such as pitch, tone, cadence, and even the shape and size of one’s vocal tract. These attributes make each person’s voice unique, much like a fingerprint.
Voice authentication is extremely effective against the risks posed by replay attacks. Firstly, advanced voice authentication systems can detect the difference between a live voice and a recorded one.
They accomplish this through biometric liveness detection, where the system analyzes numerous vectors to determine if the voice is coming from an actual person or just being played back.
Importantly, voice biometrics evaluates a voiceprint in great detail, based not on what’s said, but the way it’s said. Even if an attacker perfectly replicates the content of a user’s response, matching the unique vocal nuances of the original speaker is exceedingly challenging.
This means that merely replaying someone’s voice, even if the content matches the authentication challenge, would not guarantee successful impersonation.
Additionally, voice authentication can be combined with other authentication factors, such as something the user knows (passwords) or something the user has (a physical token or a smartphone).
This multi-factor authentication approach further complicates the attacker’s efforts. Even if they possess a voice recording, without the additional factors, they cannot gain unauthorized access.
How Replay Attacks Harm Contact Centers
Contact centers serve as pivotal communication hubs between organizations and their customers, facilitating a wide range of services from technical support to financial transactions.
As such, the integrity and security of these centers are paramount. As you can probably tell, successful replay attacks can cause serious harm to not just the contact center, but any affiliated organizations.
Fraudulent Activity
The most obvious impact on contact centers is the fraudulent activity that follows a successful replay attack. Fraudulent transactions, theft of sensitive information, and data breaches are just some of its consequences.
This can result in significant fiscal losses for the organization, and can also result in customer data being leaked, which exposes the organization to a litany of lawsuits.
Negatively Affects Operational Efficiency
Replay attacks place a considerable operational burden on contact centers. There is an immediate need for a comprehensive security review and potential service interruptions post-breach.
The call center might also have to make substantial investments in upgraded security infrastructure, retrain staff on newer security protocols, and address any compensation claims from affected customers.
These challenges not only impose financial costs but also divert essential resources from primary operational activities.
Legal Implications
Because replay attacks often result in confidential information being leaked, they can give rise to serious legal implications.
Many jurisdictions have stringent data protection and privacy regulations that mandate organizations, including contact centers, to ensure the confidentiality, integrity, and availability of customer data.
Such breaches can lead to legal penalties, fines, or even lawsuits from affected individuals. Additionally, regulatory bodies might subject the center to increased scrutiny, possibly demanding regular audits or imposing stricter compliance measures.
Reputational Damage
As you can imagine, a successful replay attack is likely to damage the reputation of not just the contact center, but the bank or any other entity that’s using its services.
If customers feel that their money or personal information isn’t secure, they are likely to take their business elsewhere.
Negative publicity caused by a replay attack, especially if it hits the news, can spread like wildfire, resulting in a massive PR storm. A recent example of this includes the MGM data breach.
The fallout from damaged reputation is not just immediate; regaining lost trust can be a lengthy, uphill battle, requiring substantial time, effort, and resources.
Deepfakes – A Rising Concern
As deepfakes become increasingly popular, security centers are looking at different kinds of IVR/IVA authentication methods to reduce the risks.
As deepfake frauds become more and more common, many organizations are looking towards the future. Contact centers are already looking at evaluating their defense strategies against deepfakes, focusing on the attack vectors and fortifying their businesses against the risks posed by generative AI.
At Pindrop, we understand how deeply concerned our clients are about their current deepfake preparedness. With our upcoming deepfake detection module, clients will be able to run pilot tests and include deepfake detection as part of their security infrastructure.
Deepfakes and generative AI pose a significant threat to voice biometrics and cybersecurity in general. Pindrop’s deepfake detection module will be built into both Protect and Passport, thus helping businesses improve their response to such attacks.
Concerned About Replay Attacks? Protect Yourself with Pindrop!
Deceptive technology continues to be a growing threat, and the time for businesses to act is now. Pindrop’s proprietary technology is used by some of the country’s leading business organizations. Request a demo to learn more about how Pindrop can help protect you against bad actors and cybersecurity threats!
It’s time to say goodbye to passwords! As voice authentication continues to gather steam across numerous verticals, we can likely expect it to become the next mode of authentication, with users being able to authenticate themselves using their voice instead of a random passcode. But how does it work and what are the benefits? Let’s find out!
How Voice Authentication Works
Voice authentication, or voice biometrics as it’s commonly known, is a security measure that identifies or verifies individuals based on the unique patterns and characteristics of their voice.
This technology is rooted in the premise that every individual’s voice is distinctive due to the size and shape of their vocal cords and other physiological factors, as well as learned speaking habits and patterns.
Think of it as a fingerprint but for your voice. In fact, voice authentication is already being used in many industries, most notably banking and finance. Here’s a step-by-step on how it works.
1. Extracting Features
When a person speaks, their voice generates sound waves which are converted into digital data by a microphone.
Once captured, the voice sample is processed to extract its unique features. These features can include pitch, frequency, tone, cadence, and several other attributes. This process transforms the raw voice data into a format that can be analyzed and compared.
2. Creating the Voiceprint
This digital data is then used to create a voiceprint: a compact digital representation of a person’s voice characteristics. It’s entirely unique, so no two voiceprints are ever the same, and because of these inherent differences it’s very hard to emulate a person’s digital voiceprint.
3. Storage
Voiceprints are generally encrypted and stored on secure servers. The robust encryption ensures that malicious actors can’t gain access or misuse them in any way.
4. Comparing Voiceprints
Now, when a user authenticates with their voice, the software captures a voice sample and processes it. The voiceprint extracted from this sample is then compared to the stored voiceprint. Advanced algorithms measure the similarity between the two voiceprints.
5. Authentication
Once the comparison is complete, the software makes the decision. If the newly extracted voiceprint closely matches the stored voiceprint, the user is authenticated. If not, the authentication attempt fails.
The decision can be binary (accept or reject) or it can produce a similarity score. In the case of a score, if it surpasses a predefined threshold, the user is authenticated.
There are a few caveats, however. For starters, real-world environments often introduce background noises, which can impact the quality of voice samples.
Therefore, modern voice authentication systems employ noise-cancellation techniques and other algorithms to filter out extraneous sounds and improve the accuracy of voiceprint matching.
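To make steps 4 and 5 concrete, and the false-accept versus false-reject trade-off the buying guide above mentions, here is an added Python example (not the article’s or Pindrop’s code): it builds a voiceprint from constructed feature vectors, scores live samples with cosine similarity, and sweeps the threshold to measure the false accept rate (FAR) and false reject rate (FRR). The feature vectors, speaker names and noise model are constructed stand-ins, not a real engine’s features.

```python
"""Voiceprint comparison with a similarity threshold.

Added example, not code from the article or from Pindrop. Constructed
assumptions: a "feature vector" is a fixed-length list of floats standing in
for MFCC-style features (step 1); a voiceprint is the mean of a speaker's
enrollment vectors (step 2); the match score is cosine similarity in [-1, 1]
(step 4); genuine and impostor scores come from seeded random vectors.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Vector = List[float]


def enroll(samples: Sequence[Sequence[float]]) -> Vector:
    """Step 2: build a voiceprint as the element-wise mean of enrollment vectors."""
    if not samples:
        raise ValueError("enrollment needs at least one sample")
    dim = len(samples[0])
    if any(len(s) != dim for s in samples):
        raise ValueError("all enrollment samples must have the same dimension")
    return [sum(s[i] for s in samples) / len(samples) for i in range(dim)]


def similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Step 4: cosine similarity between a live sample and a stored voiceprint."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0  # a silent or empty sample never matches anything
    return dot / (norm_a * norm_b)


def authenticate(live: Sequence[float], voiceprint: Sequence[float],
                 threshold: float) -> bool:
    """Step 5: accept only when the score reaches the predefined threshold."""
    return similarity(live, voiceprint) >= threshold


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) for one threshold.
    FAR = share of impostor scores wrongly accepted (score >= threshold).
    FRR = share of genuine scores wrongly rejected (score < threshold).
    Raising the threshold lowers FAR and raises FRR; lowering it does the reverse."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          steps: int = 2000) -> Tuple[float, float, float]:
    """Scan thresholds in [-1, 1]; return (threshold, FAR, FRR) where FAR and FRR are closest."""
    best = None
    for k in range(steps + 1):
        t = -1.0 + 2.0 * k / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


def build_demo_scores(seed: int = 7, dim: int = 16,
                      noise: float = 0.35) -> Dict[str, object]:
    """Constructed data: one enrolled speaker ("alice") and three impostors.
    Each speaker has a hidden centroid; every utterance is centroid plus Gaussian
    noise, mimicking call-to-call variation (mood, health, line quality)."""
    rng = random.Random(seed)

    def utterance(centroid: Vector) -> Vector:
        return [c + rng.gauss(0.0, noise) for c in centroid]

    centroids = {name: [rng.gauss(0.0, 1.0) for _ in range(dim)]
                 for name in ("alice", "bob", "carol", "dave")}
    voiceprint = enroll([utterance(centroids["alice"]) for _ in range(5)])
    genuine = [similarity(utterance(centroids["alice"]), voiceprint)
               for _ in range(40)]
    impostor = [similarity(utterance(centroids[name]), voiceprint)
                for name in ("bob", "carol", "dave") for _ in range(20)]
    return {"voiceprint": voiceprint, "genuine": genuine, "impostor": impostor,
            "alice_probe": utterance(centroids["alice"]),
            "bob_probe": utterance(centroids["bob"])}


if __name__ == "__main__":
    demo = build_demo_scores()
    gen, imp, vp = demo["genuine"], demo["impostor"], demo["voiceprint"]
    t, far, frr = equal_error_threshold(gen, imp)
    print(f"equal-error threshold {t:.3f}: FAR={far:.1%} FRR={frr:.1%}")
    for point in (0.99, t, 0.5):  # strict, balanced and lenient operating points
        print(f"threshold {point:.2f}: FAR/FRR = {error_rates(gen, imp, point)}")
    print("alice accepted:", authenticate(demo["alice_probe"], vp, t))
    print("bob accepted:", authenticate(demo["bob_probe"], vp, t))
```

Moving the threshold up trades false accepts for false rejects, which is why the choice is an operating decision rather than a fixed number.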
Preventing Deepfakes
One question you might have at this point is what if someone records your voice and uses that to gain access to sensitive data? In this age of disinformation, that’s a very real possibility.
In fact, there have already been breaches using deepfake audio, making it a common tool in various types of voice fraud this year.
However, advanced voice biometrics systems like Pindrop employ an array of technologies to protect against deepfake fraud. This involves analyzing each voiceprint during the comparison process and detecting subtle anomalies that reveal whether the voice is real or synthetic.
As we move past legacy authentication systems, more companies are looking to shore up their defenses and move towards cloud-based solutions to improve authentication.
Why Is Voice Authentication Better than Passwords?
We have so many passwords to keep track of that it often becomes difficult to manage. Plus, losing a password is much easier than you’d think. You’d be surprised to know how many people still keep their passwords stored in a notepad!
That’s not an issue with voice authentication. With the ubiquity of voice-activated devices, from smartphones to smart speakers, users have become accustomed to interacting with technology using their voice.
By leveraging voice authentication, businesses can provide a more intuitive and frictionless access experience, reducing the need for multiple steps or cumbersome inputs.
Here are just a few reasons why voice authentication is becoming the next big thing in the world of multi-factor authentication.
Reduced Phishing Risk
Traditional passwords are vulnerable to various attacks, especially phishing and keylogging. Phishers trick users into entering their credentials on fake websites, while keyloggers record keystrokes to capture passwords.
Since voice authentication doesn’t rely on typing or entering data into potentially compromised fields, the risks associated with these types of attacks are significantly mitigated.
Difficult to Duplicate
As discussed before, we all have a unique voiceprint. From our accent to our speech patterns, there are always minor variations that can be detected and analyzed.
These make it challenging for attackers to duplicate or mimic someone’s voice accurately. Although there’s a rising concern about deepfakes and advanced voice synthesis, modern voice authentication systems incorporate liveness detection to counteract such attempts.
No More Common Passwords
Most people tend to use the same password for multiple accounts. It’s easier to remember, after all! Users often struggle with password fatigue, leading to the use of easily guessable passwords or the repetition of passwords across multiple platforms.
With voice authentication, these issues are sidestepped entirely, as there’s no password to remember or repeat.
Cost Savings
From an organizational standpoint, voice biometrics and authentication offer some fantastic benefits, primarily related to cost savings and operational efficiency gains.
Whether it’s the IT department resetting forgotten passwords or the security team dealing with breaches due to compromised credentials, the costs add up.
By adopting voice authentication, organizations can reduce these expenses, streamline their IT operations, and enhance overall security.
Faster, Seamless Authentication
Contact centers are really concerned about KPIs like average call handling times and resolution times. Nobody wants to wait several minutes just to prove their identity before they can get to the reason why they actually called.
With voice biometrics, authentication happens almost instantaneously. This rapidity not only enhances user satisfaction but also improves workflow efficiency, especially in scenarios where quick access is imperative.
It also means that a user doesn’t have to key in anything, especially if they are in a situation where they are multitasking or occupied in other things, like driving.
For contact centers, this means faster resolution times and an uptick in overall productivity, making it a win-win for both sides.
Improve Contact Center Performance with Pindrop
Pindrop’s top-of-the-line voice biometrics solution makes it easy for contact centers to prevent fraud, improve productivity, and get better CX scores. Used by some of the country’s leading banks and financial institutions, Pindrop’s Deep Voice™ biometrics engine can identify any threats related to voice alteration, ensuring each conversation is secure and risk-proof.
Amid the ever-evolving landscape of call center security, customers have long been trapped with legacy voice authentication platforms, where they established a base of voice enrollments powering secure and fast authentication decisions. The End-of-Sale of these legacy on-prem solutions, and anticipated End-of-Support, signals an urgent need for change. The urgency of this change is accentuated by the growing threat from malicious actors creating deepfakes using Artificial Intelligence that can bypass most legacy authentication engines. However, transitioning to modern platforms has been hard to manage, primarily because it means leaving existing voice enrollments behind in the migration and starting any progress towards simpler authentication from scratch. That is now history. Starting today, customers can create voice and phoneprint enrollments in bulk from existing audio recordings using Passport’s new feature – “Bring Your Voice enrollments”.
The legacy platform predicament
Traditional vendors, whom you trust to provide adaptable solutions that keep your call center safe from new security threat vectors, have consistently struggled to keep pace with new technologies like deepfake detection, multi-factor authentication, etc., often resorting to integrations to fill gaps. They have also been behind the eight ball in delivering cloud-native, multi-tenant solutions and have limited experience in operating cloud services at large scale and high availability.
Now that traditional voice authentication vendors will no longer be supporting on-premise solutions, customers need to find a cloud-based solution that is proven to meet their scale and high availability requirements and offers protection against deepfakes. Historically, this has required companies to rebuild their voice authentication enrollments, which takes several years and negatively impacts the customer experience. There has never been a path to move existing voice biometric enrollments to a new product. Recreating new enrollments to be able to use a modern authentication platform has put these customers in a bind.
Embracing the cloud transition with confidence and ease
Pindrop has been a pioneer in facilitating the cloud transition, with over 90% of our customers successfully embracing our cloud platform. We started our cloud journey 4 years ago and today, we handle over 1 billion calls annually in our cloud platform, operating at the largest scale in the voice authentication industry. We offer the flexibility of choosing between AWS and GCP, ensuring a seamless transition without the complexity associated with traditional on-premise authentication providers.
Traditionally, customers who migrated to a new authentication platform had to request that all of their callers re-enroll their voice on the new platform. This process could take years to complete. Enrollments were re-built one caller at a time. As a result, the customer had to suffer lower authentication rates for years. That’s all changed with the introduction of BYO Voice technology in Pindrop Passport, allowing you to create enrollments in bulk from caller audio recordings. Starting day 1, your consumers can experience a better authentication process.
As the shift to cloud infrastructure becomes inevitable and prompts a reevaluation of authentication strategies, deepfake detection and the adoption of purpose-built multifactor authentication (MFA) should be central considerations.
Additional benefits our competitors can’t match
Finding a safe and easy transition to the cloud shouldn’t be your only focus when evaluating your inevitable cloud transition. It’s also imperative that you consider advanced features like deepfake detection and customizable MFA solutions tailored to your business needs and regulatory requirements, which only Pindrop can offer.
1. Prepare for the latest fraud threat: Deepfake Detection
AI-generated synthetic media, such as deepfakes, are a growing threat to enterprises. Recent University of Waterloo research showed how deepfakes could bypass most voice authentication systems with success rates of up to 99%.
In a noteworthy development, the NSA, FBI, and CISA have come together to release an information sheet on deepfakes, strongly recommending that companies implement a multi-factor authentication (MFA) strategy that includes real-time identity liveness detection.
Pindrop’s detection capabilities, trained on a proprietary dataset of 11M+ audio samples, have undergone rigorous testing and validation, culminating in an exceptional accuracy rate of up to 99.2% across a wide spectrum of attacks, as demonstrated in our response to the University of Waterloo case study.
2. Provide flexibility to your MFA options
We stand out from our competitors by developing all authentication factors in-house. This means seamless integration across our product, from the UI to policy management, reporting, and APIs. We can consolidate factors into a single score for optimized security. Our purpose-built multiple authentication factors offer a robust enhancement to voice bio, providing viable alternatives in regions with restrictions on voice biometrics, such as California and Texas. Even amid regulatory changes, our protection remains reliable.
In addition to importing legacy voice enrollments, we also leverage our advanced Phoneprinting™ and PIN scoring features. This means that right from the outset, a new customer’s authentication and scoring experience surpasses what they previously encountered with other providers.
Why the time to fight deepfake fraud in the cloud is now
The evolving threat landscape in cybersecurity has become increasingly sophisticated, as exemplified by the cyber-attacks that shook the industry in September 2023 – the MGM and Retool attacks. These incidents serve as stark reminders of the critical need for fortified authentication and security measures, especially in call centers.
The MGM attack, characterized by a breach of sensitive customer data, exposed the vulnerabilities inherent in traditional authentication methods. It demonstrated that malicious actors are becoming more adept at exploiting weaknesses in security infrastructure. Importantly, it was the help desk that was targeted, highlighting that a similar attack could easily occur within a call center environment.
Similarly, the Retool attack, which aimed to compromise critical infrastructure, brought to light the looming danger of deepfake attacks on call centers. The attackers behind these incidents showcased an alarming level of sophistication and adaptability, underscoring the urgency of implementing advanced security measures.
Ready to take the first step towards a seamless cloud integration with more protection?
Despite the incredible leaps and bounds in the digital evolution, the phone channel is still very much a cornerstone for customers to interact with businesses. According to Gartner’s Financial Services Operations report (December 2022), 46% of people surveyed still prefer to speak to someone on the phone in the service center.1
With customer preference for the phone channel remaining strong, the role of an Interactive Voice Response (IVR) or Interactive Virtual Agent (IVA) is paramount in providing a mechanism for authentication, self-service, and call routing.
Authenticating callers is a critical first step in the process as it opens the gate to a personalized experience, self-service capabilities, and customized routing opportunities. In order to accomplish this, organizations have an obligation to ensure that the authentication method employed provides confidence and trust that the caller actually is who they are claiming to be. A well-designed call flow, with thoughtful requirements around identification and authentication, can balance security with customer satisfaction, increase containment, and result in overall operational efficiencies.
The primary goal of any modern, robust, self-service IVR/IVA platform is to get the caller identified and authenticated as quickly as possible with the least amount of friction and the highest amount of trust. If the caller can quickly and easily authenticate, they are more likely to engage with the platform rather than requesting assistance from an agent. Higher levels of trust and engagement also lead to expansion in the types of self-service transactions offered through the platform.
Choosing the appropriate authentication method is crucial as organizations must balance the needs of the contact center, regulatory requirements, the organization’s security requirements, and the customer experience. Authentication methods available for self-service IVR/IVA applications include: knowledge-based authentication (KBA) questions, passwords, personal identification numbers (PIN), one-time passcodes (OTP), biometrics, and multi-factor authentication (MFA).
Knowledge Based Authentication Questions
Knowledge based authentication (KBA) questions are the most commonly used mechanism in traditional IVR authentication as well as agent based authentication. Prompts for social security number, account number, member number, date of birth, or phone number might occur in order to identify and authenticate the caller.
KBAs are commonly used because the caller is very likely to know this information when calling into the contact center. Unfortunately, criminals also know this information, as it is widely available across the dark web as a result of phishing, social engineering, data breaches, etc.
Evidence of this assertion is supported in a recent study by Pindrop Labs in which the KBA security of four financial institutions was evaluated. Results found that fraudsters passed KBA at rates of 39%, 45%, 70%, and 83% across the four institutions. This high success rate of bad actors passing authentication processes demonstrates that fraudsters not only have a good understanding of the typical identity verification procedures used by financial institutions, but are also equipped to answer them with ease.2
Advantages:
- Use of KBA is a relatively low-cost and easy to implement method as it only requires the technology to validate the information provided by the caller
- Callers typically know the information and can easily provide it without much frustration or friction
Disadvantages:
- Presents a significant security risk as most of the information is easily accessible or guessed by fraudsters
- Data sources of the information on file may be inaccurate or outdated, leading to caller frustration
- Limited scale of what types of questions can be asked and answered in an automated IVR system due to limitations with or inability to perform speech recognition
- The value and use of KBA as the only form of authentication has been deprecated by the National Institute of Standards and Technology (NIST)3
Passwords
Traditional alphanumeric identifiers and passwords work well for online and mobile applications. The use of this method in a traditional IVR/IVA application is not often employed as it is difficult for voice recognition to correctly interpret a caller’s utterance due to the significant amount of phonetic overlap in sounds. Think “A”, “H” and “eight”, “B”, “V” and “D”, “P”, “C” and “T”, etc.
Although this technology has come a long way over the years, reliably recognizing unconstrained alphanumeric sequences remains a challenge.
Advantages:
- Most callers are familiar with creating and remembering simple passwords
- Password-based authentication is relatively low cost and easy to implement
Disadvantages:
- Secure passwords are complex and often cannot be spoken as recognizable words
- Increased frequency of data breaches forces consumers to change passwords regularly, making them difficult to remember
- Significant degree of phonetic overlap in sounds may impact speech recognition and lead to increased frustration and friction for callers when speaking their passwords character by character
- In DTMF based applications (no speech recognition), password entry via the keypad is extremely difficult, degrading the customer experience
PIN
Personal Identification Number (PIN) is a commonly used way to authenticate a caller in self-service IVR/IVAs, specifically within the financial vertical as most accounts have a credit/debit/ATM card PIN established for transactional purposes. This is implemented by simply prompting the caller to say or enter their 4 or 6 digit PIN. There are both positive and negative impacts with PIN based authentication.
Advantages:
- PINs are more convenient than a traditional password
- PINs are typically short and easy to remember
- PINs can be more cost effective than using other forms of authentication
Disadvantages:
- Use of PINs poses a significant security risk as they are short and limited in strength, making them easier to guess or crack
- Use of a PIN alone (single-factor authentication) is limited and may not provide sufficient security when allowing someone to gain full access to an account
- PINs are also subject to the same data breach risks as KBA and Passwords and are often sold on the dark web as a package deal for monetization by criminals4
OTP
OTP as an authentication mechanism has existed for over 40 years – think hardware token generating random codes for entry into a computer application. Over time, this evolved to sending a soft token to the email address on file.
With the explosion of the use of mobile phones, SMS-based OTP quickly gained widespread use as it required only the phone and not the hardware token. Again, the primary use case for either an SMS-based or email-based OTP was centered around digital experiences. As businesses, particularly financial institutions, take action to modernize their IVR and self-service capabilities, it has become increasingly necessary to find more secure ways of verifying the identity of callers in order to allow them to transact.
OTP is sometimes offered as an option for callers to receive an SMS-based code and then provide it to the IVR/IVA application in order to service their call.
Advantages:
- Enhanced security as long as the OTP is only sent to registered mobile phone numbers or email addresses
- Provides a form of fraud mitigation as the OTP is only valid for a single session, making it difficult for hackers to gain unauthorized access using the same OTP
- Response to a numeric passcode is easier than providing a complex password in an IVR/IVA application
Disadvantages:
- User experience is cumbersome, as the method requires users to switch between their IVR call and their mobile phone or email application in order to retrieve the passcode, which could ultimately lead to low success rates and decreased caller engagement
- Security risk posed as hackers may gain access to a caller’s email or mobile device and intercept the OTP
- The total cost of ownership can be expensive, especially if the IVR/IVA handles significant call volumes, which could outweigh the cost savings of the tool overall
Biometrics
Biometrics offer a unique and secure way to authenticate individuals based on their physical or behavioral characteristics. Commonly used biometric technologies include: facial recognition, voice recognition, fingerprint recognition, iris recognition and behavioral biometrics.
The use of biometric technology in IVR/IVA platforms is gradually evolving as organizations seek ways to improve security without compromising caller experience. For the self-service telephony applications that do employ the use of biometrics, voice recognition is by far the most commonly implemented of the technologies.
In order to use voice biometric technology, a caller must first enroll. This requires the caller’s voice to be analyzed to create a voiceprint or a unique representation of their voice which is securely stored. The next time this person calls into the IVR/IVA, the system captures their voice and compares it to what was previously stored on the enrollment call. If there is a match, the caller can be considered authenticated and allowed to proceed with their transaction.
Advantages:
- Voice biometrics is non-invasive and easy to use: the caller doesn’t have to remember a complex password, carry a specific device, or speak a particular language
- Decreased vulnerability by providing a layer of security that is very difficult for unauthorized users to access and steal
- Can be more cost-effective as it reduces the costs associated with other methods of authentication such as agent and OTP based authentication
- Provides significantly high accuracy with a low rate of false positives and false negatives
Disadvantages:
- Not all callers may be able to use voice biometrics due to physical disabilities or medical conditions
- Not all contact centers have speech based IVR/IVA applications, relying solely on DTMF (key presses)
- Some callers may be uncomfortable with the collection and storage of biometric data due to privacy concerns
Multi-Factor Authentication
The use of multi-factor authentication (MFA) in IVR/IVA platforms requires users to provide multiple forms of identification before they are granted access to information or services. Typical MFA strategies involve:
- Something the caller knows: this is often an account number, member ID, social security number, or PIN.
- Something the caller has: this is typically a mobile device that must be present in order for the caller to confirm their identity.
- Something the caller is: this refers to biometrics, which are typically voice based in an IVR/IVA environment.
One way this may be implemented in an IVR application is to first ask the caller to provide a piece of information (something they know), such as an account number. The next step in the process could be a mobile push or OTP to the mobile device on file for that account (something the caller has), and the final step might be to evaluate the caller’s voice as they provide their account number or OTP passcode (something the caller is). MFA can involve two or all three of the factors when authenticating a caller.
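The three-step flow just described, worked as an added example that is not Pindrop’s code: a hypothetical IVR session that identifies the account (something the caller knows), verifies a single-use, time-limited passcode sent to the phone on file (something the caller has), and accepts a match score from an external voice biometric engine (something the caller is). The account records, the match threshold and the injectable clock are constructed for the example.

```python
"""Three-step IVR MFA session: something the caller knows, has, and is."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of accounts "on file" (not real data). A voiceprint is
# represented only by an enrolled flag; the real template lives in the engine.
ACCOUNTS = {
    "123456789": {"phone": "+15555550100", "voice_enrolled": True},
    "987654321": {"phone": "+15555550199", "voice_enrolled": False},
}

OTP_TTL_SECONDS = 120         # the passcode is valid for one short window
OTP_MAX_ATTEMPTS = 3          # stop guessing after a few wrong codes
VOICE_MATCH_THRESHOLD = 0.85  # hypothetical engine score needed to pass


@dataclass
class IvrAuthSession:
    now: Callable[[], float] = time.time                         # injectable clock
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # SMS gateway stand-in
    account: Optional[str] = None
    factors: Dict[str, bool] = field(default_factory=dict)       # factor -> passed?
    _otp_hash: Optional[bytes] = None
    _otp_expires: float = 0.0
    _otp_attempts: int = 0

    # Step 1, something the caller knows. The account number identifies the
    # account; on its own it never authenticates (KBA-only is deprecated).
    def provide_account_number(self, acct: str) -> bool:
        known = acct in ACCOUNTS
        self.account = acct if known else None
        self.factors["knows"] = known
        return known

    # Step 2, something the caller has. The code goes only to the phone on
    # file, never to a number supplied during the call.
    def send_otp(self) -> bool:
        if self.account is None:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._otp_hash = hashlib.sha256(code.encode()).digest()  # store a digest, not the code
        self._otp_expires = self.now() + OTP_TTL_SECONDS
        self._otp_attempts = 0
        self.outbox.append((ACCOUNTS[self.account]["phone"], code))  # "send" it
        return True

    def verify_otp(self, code: str) -> bool:
        if self._otp_hash is None:          # nothing outstanding, or already used
            return False
        self._otp_attempts += 1
        expired = self.now() > self._otp_expires
        locked = self._otp_attempts > OTP_MAX_ATTEMPTS
        match = hmac.compare_digest(hashlib.sha256(code.encode()).digest(),
                                    self._otp_hash)  # constant-time comparison
        ok = match and not expired and not locked
        if ok or expired or locked:
            self._otp_hash = None           # single use: never accepted twice
        self.factors["has"] = ok
        return ok

    # Step 3, something the caller is. The score comes from the voice
    # biometric engine that compared the utterance with the enrolled
    # voiceprint (assumed external; only its result is modelled here).
    def record_voice_score(self, score: float) -> bool:
        enrolled = bool(self.account and ACCOUNTS[self.account]["voice_enrolled"])
        ok = enrolled and score >= VOICE_MATCH_THRESHOLD
        self.factors["is"] = ok
        return ok

    # Two distinct factors must pass. Because "knows" is a single factor,
    # an account number by itself can never reach the bar.
    def is_authenticated(self) -> bool:
        return sum(1 for ok in self.factors.values() if ok) >= 2


if __name__ == "__main__":
    s = IvrAuthSession()
    s.provide_account_number("123456789")
    s.send_otp()
    s.verify_otp(s.outbox[-1][1])      # the caller reads back the code
    s.record_voice_score(0.91)         # constructed engine score
    print("authenticated:", s.is_authenticated())
```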
Advantages:
- By combining multiple forms of identification, MFA can provide a higher level of security than a single authentication method
- MFA typically meets most industry standards for compliance with regulatory requirements
- When designed properly, MFA can provide a more convenient and expedient authentication process
- MFA can reduce the cost per call by decreasing the average handle time associated with the call
Disadvantages:
- If not designed properly, MFA could add friction to callers which could negatively impact the customer experience
- Implementation of MFA often requires integration of additional hardware and software, which can increase the costs to service the call
Conclusion
Organizations must carefully assess the potential risks and benefits associated with each method of authentication when designing a modern day IVR/IVA authentication module. Balancing security, compliance, and cost, along with the user experience, is required in order to protect customer data, secure the call, and delight the customer.
As the fraud landscape continues to evolve, it is imperative that enterprises remain vigilant to implement authentication solutions that prevent fraud and maintain customer satisfaction and loyalty.5 Finally, it is critical that organizations invest in the overall design of the solution. Any methodology that is poorly designed can lead to lower customer satisfaction rates and increased cost.
3. https://pages.nist.gov/800-63-FAQ/ NIST Special Publication 800-63: Digital Identity Guidelines (March 3, 2022) Q-B07: Is the use of knowledge-based authentication permitted?
4. Pindrop, 2022 Voice Intelligence & Security Report; Gomez, Miguel, Dark Web Price Index 2020, Feb 2022, https://www.privacyaffairs.com/dark-web-price-index-2020/
5. Pindrop 2003 Voice Intelligence Report
A recent survey from Tech Radar revealed 60% of respondents reused passwords across multiple accounts. This, combined with passwords that are easily guessed through Brute Force attacks, can open users up to breaches across multiple accounts. But since you signed up for MFA you don’t have to worry, right? Well, no—but it certainly helps!
What is MFA?
MFA, or multifactor authentication, relies on a combination of username, password, and a second factor, typically a code, to authenticate you before you access digital accounts. It is also referred to as 2FA, and if you are active in the digital world you have used MFA before. Typically, if you are sent an SMS text or email with a code that must be entered before logging in, you are using a form of MFA.
Challenges with MFA
While all digital users are encouraged to leverage MFA everywhere it’s offered, that doesn’t mean keeping Password1234 or relying on having your mother’s maiden name handy will keep your account safe. Bad actors that get a hold of your device or hijack your SIM card can intercept those SMS text messages, gaining access.
Stolen devices are not the only way bad actors get around MFA; other increasingly common tactics include “MFA Fatigue”, where bad actors bombard you with push notifications until you approve one. The attacker hopes you click “approve” by accident or that you eventually give in to the relentless barrage of messages.
What can you do?
Experts recommend always enabling MFA when registering online. In addition:
- Create strong passwords or let a password manager suggest one for you
- Never repeat passwords across sites
- Leverage password managers to help store and remember passwords eliminating the need to write them down
- Consider having MFA codes sent to an email that requires a separate login rather than SMS text
- Regularly change passwords
Still stuck? Use an Apple or Google password generator to get suggested strong passwords or check out Apple’s new security token feature released in OS 16.3.
If you haven’t already, review your online accounts (even those you don’t use often), strengthen those weak passwords, sign up for MFA, and—where necessary—take some extra steps to keep your accounts secure.
Passwordless Authentication
What can we look forward to with authentication? Experts expect more passwordless authentication methods to become available, including device, facial, retina, and voice recognition solutions, in addition to MFA.
For more information on the research supporting this article, read the Authentication Landscape Whitepaper →
Users want options for convenience
Multifactor is no longer optional
OTP risks cause push to contact center
Authentication must evolve for deepfakes
Hands-free highlights need to secure voice
Your expert panel
Nicole Culver
Director of Product Marketing
- How identity verification can help reduce fraud
- What one-time passwords cost contact centers
- The current level of concern across many different contact center sizes
- How voice biometrics is being leveraged and how it is benefitting contact centers
- The benefits of call signaling analysis and “phoneprinting”
This paper aims to provide a comprehensive guide to authentication strategies and predict trends for authentication in the coming years, through the following chapters:
- History of authentication
- What is authentication
- The landscape today
- Authentication weaknesses
- The human authentication experience
- Authentication trends in 2023 and beyond
In 2020, Pindrop acquired the New York-based company Next Caller Inc., and with it the VeriCall® Technology, a best-in-class phone number (ANI) validation and spoof detection service.
VeriCall technology is responsible for helping to streamline the call experience for customers of the country’s largest brands. The solution provides near real-time caller ID intelligence to remove friction during authentication and helps to secure the phone channel by flagging high-risk interactions like call spoofing.
Two years later, the investment in VeriCall technology has taken another exciting step forward with Pindrop’s release of a brand new Call Verification technology, available with new subscriptions of Pindrop and Next Caller’s call center solutions.
Pindrop’s Call Verification technology combines state of the art machine learning insights and analysis from its award-winning platform with the intelligence of the VeriCall rule engine and its patented Routing Analysis technology. The result is powerful new capabilities, easier integration, and digital reporting tools for businesses. These advancements further distance our technology’s performance from alternative solutions.
Pindrop’s Call Verification technology can deliver the following benefits:
- A higher percentage of calls that can receive step-down authentication
Previously, VeriCall technology gave a “Green light” to an average of 75% of call traffic out of the box (and 90% of calls when paired with Pindrop’s Risk-Based Authentication). Calls that receive the Green light become opportunities to reassess the need for knowledge-based security questions, one-time passcodes, and/or account PIN requirements for the caller, where doing so can save the business time and money while making life easier for customers.
By leveraging even more call data insights, Call Verification technology looks to further increase the Green light rate to well over 90%.
- Detect call spoofing with greater precision
Call Verification technology benefits from the combination of VeriCall technology’s industry-leading ability to identify spoofed calls with high accuracy and Pindrop’s own machine learning insights to continue to prevent spoofed calls from being given Green scores with high reliability while also tightening analysis to limit false positives.
- Identify fraud risks with accuracy
Call Verification technology is also capable of identifying calls with high risk of fraud. Flagging risks can help you to mitigate fraud losses, protect customer accounts, avoid bad publicity, and increase agent confidence. Leveraging information from the Pindrop Intelligence Network and assessing the calling patterns, Call Verification technology is able to help businesses identify potentially fraudulent calls with actionable intelligence by alerting on less than 1% of calls. This efficient analysis makes it easier for businesses to take action on potential risks in near real time, which can include additional validation steps, specialized call routing, alerting agents, and gathering intel for fraud investigation.
Enterprises will also be able to utilize a fraud feedback loop and Allow/Block lists to address business-specific threats.
- Incorporate STIR/SHAKEN Attestations
The Call Verification service provides enterprises with the ability to ingest STIR/SHAKEN Attestations as a data point to supplement its machine learning models and call risk assessment process. This solution enables organizations to leverage Attestation-related insight while also maintaining the ability to assess potential call risks with high reliability and accuracy when attestation data is not present.
- Streamline Integration
Using a simple API endpoint, Call Verification technology is designed for fast, lightweight implementation. Pindrop’s solution can also reduce the installation burden by simplifying the call data capture process.
The Call Verification technology is the latest innovation to spring from service platforms that combined have analyzed a staggering 5.5 billion calls to date, and counting. Through a lean, enterprise-grade technology with minimal overhead, Call Verification technology brings an unprecedented combination of cloud-based call authentication and fraud detection performance to businesses of various sizes.
Call Verification technology is available now, delivered as part of the latest versions of Pindrop’s and Next Caller’s enterprise grade call center products, Next Caller’s VeriCall® Technology, and Pindrop’s Protect Anti-Fraud and Passport Authentication solutions.
This Call Verification technology can be added to existing Pindrop customers as an optional add-on subscription. For more information, please contact your account team, or you can reach out to us here.
In June of 2021, an FCC mandate went into effect requiring voice service providers to implement STIR/SHAKEN protocols. No, that isn’t a government-mandated happy hour at Verizon and AT&T headquarters. Instead, the rather long-winded acronym (Secure Telephone Identity Revisited/Signature-based Handling of Asserted Information Using toKENs) took aim at a simple goal: stop spam calls!
We’ve all experienced the problem. Once, twice, maybe even a dozen times a day, our cell phones ring from a number we don’t recognize. The result is that millions of exasperated Americans hit the “ignore” button on billions of spam calls every year.
In fact, the FCC estimated that by the end of 2019, a whopping 50% of all telephone traffic would be spam. One look at your voicemail inbox likely shows that three years later, they were right.
But, apart from being annoying to us, why did the government get involved in the first place? Well, for one, spam calls are illegal. They cost network operators money to connect, and the ones making those calls are usually up to no good.
What’s more, a lot of spam calls are actually being answered by innocent people who then fall victim to any number of fraud schemes. Through STIR/SHAKEN, the federal government hoped to curb the problem.
The theory was sound: If carriers could differentiate calls that originated on their network from those that did not, the person answering the call wouldn’t have to worry about whether the call was spam. This differentiation is defined by the carriers as an “Attestation.” Each call, then, was to be delivered to its destination with an Attestation (A, B, or C) that matched the carrier’s confidence in the call’s origination.
In practice, however, the objective of STIR/SHAKEN proved difficult—not all call types (like VoIP phone systems) fit neatly within a classification of “spam” or “not spam.” Your deskphone or softphone could be flagged as spam purely by the way that the call originates and travels through the telephone network.
In the end, the complexity of call traffic makes it hard to rely on the STIR/SHAKEN framework exclusively as a form of validating calls. For one important group, the limitations of STIR/SHAKEN prevent it from being that silver bullet: Contact Centers.
Contact Centers Shouldn’t Confuse STIR/SHAKEN for Call Authentication
The ineffectiveness of STIR/SHAKEN Attestations to authenticate callers for contact centers may be a direct result of the fact that the protocols weren’t designed to verify or identify customers in the first place. The STIR/SHAKEN framework was designed to prevent, or at least signal, potential spam.
So, while carriers could flag, or even block, a non-certified call to an individual’s phone, businesses face far more nuanced scenarios with a larger variety of call types. A bank, for example, does not have the luxury of simply ignoring calls from unknown origins. Other problems, like the ones listed below, add to that complexity:
- Major carriers were required to adopt STIR/SHAKEN mandates, but hundreds of smaller carriers faced fewer implementation requirements. As a result, Attestation data is often lost or degraded when major carriers pass calls to smaller carriers. According to Pindrop’s analysis of a 260-million call sample, about 65% of call traffic reached its destination without any Attestation at all.
- Even when available, STIR/SHAKEN Attestations are not designed to assess risk. Call legitimacy is difficult to ascertain on calls given anything other than an Attestation A—and some of those A-rated calls were proved to be questionable by the analysis done in the Pindrop report.
- Carriers get to “choose-their-own-adventure” when assigning attestation levels, resulting in inconsistencies between carrier networks that may impact efficacy.
This report series monitors and analyzes the roll out of STIR/SHAKEN protocols, and the implications for contact centers that plan to use them for call authentication. The latest downloadable report in the series covers the time period from April 2021 before the FCC-issued mandate (June 30, 2021) through June 2022.
The report uses detailed call data analysis to share our observations, including:
- The (un)availability of STIR/SHAKEN Attestations
- The (in)efficacy of STIR/SHAKEN Attestations
- STIR/SHAKEN Attestations compared to VeriCall® Technology call risk scoring
Through Advanced Call Verification, powered by VeriCall Technology, Pindrop provides its customers with the ability to ingest STIR/SHAKEN Attestations as a data point to supplement its machine learning models and call risk assessment process, which is specifically designed for contact center authentication.
Pindrop customers interested in utilizing STIR/SHAKEN Attestations can thus leverage potentially valuable Attestation-related insight while also maintaining the ability to reliably assess call risks with a high degree of accuracy when attestation data is not present.
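A scoring sketch for the limitations listed above and for the “attestation as one data point” approach, added here as an example and not Pindrop’s or VeriCall’s model: a hypothetical assessor folds an already-verified attestation into a risk score as one adjustable input next to ANI-on-file, allow/block lists and per-ANI velocity, so that a call arriving with no attestation is still scored (absence is neutral) and an “A” never overrides a block-list hit or high velocity. Weights, thresholds and the sample calls are constructed.

```python
"""Call risk assessment that treats a STIR/SHAKEN attestation as one optional
signal among several (hypothetical weights, not Pindrop's model)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional

# Attestation levels from the SHAKEN framework: A = full, B = partial,
# C = gateway. None models the calls that arrive with no attestation at all
# and is deliberately neutral: absence of data is not evidence of risk.
ATTEST_ADJUST = {"A": -15, "B": 0, "C": 10, None: 0}

BASE_SCORE = 50   # higher = riskier; clamped to 0..100
GREEN_MAX = 30    # at or below: candidate for step-down authentication
RED_MIN = 70      # at or above: alert / route for review


@dataclass
class Call:
    call_id: str
    ani: str                 # calling number presented to the contact center
    attest: Optional[str]    # "A", "B", "C" or None (verified upstream)
    ani_on_file: bool        # does the ANI match a number on the account?
    ts: float                # arrival time in seconds


class CallRiskAssessor:
    def __init__(self, window_s: float = 3600, velocity_limit: int = 3,
                 block: Iterable[str] = (), allow: Iterable[str] = ()):
        self.window_s = window_s
        self.velocity_limit = velocity_limit
        self.block = set(block)   # business-specific block list
        self.allow = set(allow)   # business-specific allow list
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)

    def _velocity(self, call: Call) -> int:
        """Calls from this ANI inside the sliding window, this one included."""
        q = self._recent[call.ani]
        q.append(call.ts)
        while q and call.ts - q[0] > self.window_s:
            q.popleft()
        return len(q)

    def assess(self, call: Call) -> dict:
        reasons: List[str] = []
        velocity = self._velocity(call)
        # A block-list hit is decisive, whatever the carrier attested.
        if call.ani in self.block:
            return {"call_id": call.call_id, "score": 100, "decision": "red",
                    "reasons": ["ANI on block list"]}
        score = BASE_SCORE
        if call.ani in self.allow:
            score -= 25
            reasons.append("ANI on allow list")
        if call.ani_on_file:
            score -= 20
            reasons.append("ANI matches number on file")
        score += ATTEST_ADJUST[call.attest]   # one input among several
        reasons.append(f"attestation {call.attest or 'absent'}")
        if velocity > self.velocity_limit:
            score += 15 * (velocity - self.velocity_limit)
            reasons.append(f"velocity {velocity} in window")
        score = max(0, min(100, score))
        decision = ("green" if score <= GREEN_MAX
                    else "red" if score >= RED_MIN else "yellow")
        return {"call_id": call.call_id, "score": score,
                "decision": decision, "reasons": reasons}


def summarize(calls: Iterable[Call], assessor: CallRiskAssessor) -> dict:
    """Decisions per colour plus the share of calls carrying no attestation."""
    calls = list(calls)
    counts = {"green": 0, "yellow": 0, "red": 0}
    for c in calls:
        counts[assessor.assess(c)["decision"]] += 1
    no_attest = sum(1 for c in calls if c.attest is None)
    return {"counts": counts, "no_attestation_share": no_attest / len(calls)}


# Constructed sample (not real traffic): most calls arrive with no attestation.
SAMPLE = [
    Call("c1", "+15555550100", None, True, 0),
    Call("c2", "+15555550101", None, True, 5),
    Call("c3", "+15555550102", "A", True, 10),
    Call("c4", "+15555550103", None, False, 15),
    Call("c5", "+15555550104", "B", True, 20),
    Call("c6", "+15555550105", None, True, 25),
    Call("c7", "+15555550106", "C", False, 30),
    Call("c8", "+15555550107", None, False, 35),
    Call("c9", "+15555550108", None, True, 40),
    Call("c10", "+15555550109", "A", False, 45),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, CallRiskAssessor()))
```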
Download the Pindrop report to learn more. Or, chat with our experts!
Every day, we trust financial institutions with both our money and very sensitive personal information. Authentication is a critical need for financial institutions to maintain security and protect every individual’s account from unauthorized access. Whether this access results in active fraud or consumer data breaches, the result is costly in both money and brand reputation.
Now, think about all the different ways you can possibly engage with your financial institutions—walk into a branch, engage online, log into a mobile app, interact with an ATM or kiosk, or simply call them. Much of the time, these different applications and systems authenticate in different ways, and while one system may be strong, another may be prone to breaches. Efforts to enable faster authentication are often associated with reduced security, and reduced security makes it easier for someone to steal credentials, mine data, and commit fraud. The main problem financial institutions face, however, is not simply authentication and layered security. The real problem is a lack of unity and consistency coupled with the challenge to manage the complexity of securing multiple users across diverse environments. Enter the FFIEC.
What is the FFIEC?
The Federal Financial Institutions Examination Council (FFIEC), established in 1979, is a formal interagency body whose key goal is to make recommendations that promote uniformity in the supervision of financial institutions. Its federal members are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau.
The FFIEC is responsible for developing uniform principles, standards, and reporting systems for federally supervised financial institutions, their holding companies, and the nonfinancial institution subsidiaries of those institutions and holding companies. It conducts schools for examiners employed by the five federal member agencies represented on the FFIEC and makes those schools available to employees of state agencies that supervise financial institutions.
The FFIEC’s Latest Authentication Guidance
In August 2021, the FFIEC issued the “Authentication and Access to Financial Institution Services and Systems” Guidance to replace “Authentication in an Internet Banking Environment” and the “Supplement to Authentication in an Internet Banking Environment” issued by the FFIEC in 2005 and 2011, respectively. The Guidance reinforces the need for financial institutions that use Internet or mobile cellular network communications for providing customers with banking services or transactions to effectively authenticate users and customers as part of their information security program.
The new Guidance identifies some of the latest risks and considerations for financial institutions to tackle, including:
- The more extensive cybersecurity risk landscape necessitating layered security;
- The importance of monitoring, activity logging, and reporting processes and controls;
- The existence of bad actors focused on social engineering techniques and call center weaknesses and the usefulness of risk mitigation tools to establish effective call center controls and combat threat actors;
- The weakness of single factor authentication and the value of biometric identifiers;
- The importance of reliable identity verification methods.
How does the FFIEC enforce this Guidance?
The FFIEC itself has no enforcement authority. However, its member regulators, including the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Consumer Financial Protection Bureau, refer to FFIEC standards, handbooks and guidance when performing examinations.
If a regulator is engaged in an audit, examination, or investigation pursuing a complaint, the regulator may look to compliance with the Guidance as evidence of the reasonableness of the actions taken by the financial institution. Moreover, the failure of a financial institution to implement appropriate controls may expose the institution to potential loss from fines and penalties issued by its primary regulator as well as from consumer litigation. Therefore, it is important for these financial institutions to be aware of and make efforts to comply with the Guidance.
How can Pindrop help?
Pindrop’s solutions are designed to provide the opportunity for organizations to create and improve upon multi-layered security controls, like multi-factor authentication. For financial institutions, Pindrop’s solutions can help address the considerations highlighted in the Guidance in several ways, including:
- Layered approach to security: Pindrop solutions use a multi-factor authentication approach, including voice (Something You Are), device (Something You Have), network analysis (Something You Have), behavior-keypress analytics (Something You Are) and other factors such as risk to help financial institutions to identify potential fraudsters and to give financial institutions additional tools to help them verify genuine customers.
- Bad actors focused on social engineering and call center weaknesses: Pindrop’s call center authentication and fraud solutions are uniquely positioned to address manipulative social engineering techniques by leveraging patented technologies like its Deep Voice® Engine.
- Ability to help the institution monitor, log activity, and report potential suspicious activity: Pindrop offers solutions that provide account risk analytics based on call data that help identify when suspicious activity on an account may have occurred. Pindrop’s approach also provides inputs that financial institutions can use for both preventative and detective controls in the form of account monitoring analytics and fraud detection.
- Enhanced MFA authentication factor: The Guidance identifies the use of voice as a methodology for enhanced authentication control.
- Reliable identity verification methods: Pindrop’s voice-authentication solutions offer a mechanism for financial institutions to help them verify genuine callers against enrolled profiles and reduce the risk of identity theft, as part of their customer identification program.
From the abovementioned technical solutions to consultations with our fraud and authentication experts, these are just some of the ways Pindrop can help. For more details on how Pindrop’s solutions help financial institutions follow FFIEC Guidance, make sure to Download the Pindrop FFIEC Authentication FAQ today.
DISCLAIMER: This blog does not, and is not intended to, constitute legal advice or the provision of legal advice for or on behalf of Pindrop or any third party. Any customer or potential customer of Pindrop is responsible for ensuring that it obtains its own legal advice.
Part 1 – Crypto
Cryptocurrency adoption is increasing globally by the day and going mainstream comes with its own challenges to providing a seamless and secure customer experience. As crypto is the new kid on the block, even the slightest bad experience can damage a crypto exchange’s reputation and slow adoption rates in this volatile industry.
Speedy and efficient authentication procedures give companies a competitive advantage in today’s digital-first world across many industries and crypto exchanges are no different. The transaction process for crypto exchanges needs to be highly efficient when processing large numbers of investors, especially in instances when a cryptocurrency makes headlines for a spike in value. One small mistake and millions of dollars go to the next competitor, or worse, users miss their opportunity.
To properly identify a new user, crypto exchanges are generally required by law to use document verification, where users must take a selfie along with a photo of their ID to prove they are who they say they are. This process is rather expensive but clearly required when first enrolling a user onto a crypto-exchange platform. But what happens when users get locked out of their account, forget their password, or need to make a high-dollar transaction? Document verification in these cases is not only costly for the business but frustrating for the user. These hassles can turn users off and find them looking to other platforms. On the bright side, there are alternate solutions for crypto exchanges to make the overall experience a lot better for their customers.
Voice Authentication for CryptoCurrency Platforms
Voice biometric authentication can verify a caller from just a few syllables of speech, because modern speaker recognition systems authenticate more accurately and in less time than knowledge-based checks. Background noise is removed so the system focuses solely on the voice, which also lets it flag attacks ranging from voice morphing and replayed recordings to synthesized and simulated voices.
You can quickly and easily embed this kind of customer experience into your crypto exchange with an Application Programming Interface (API). With a Speaker Recognition API, the first step in leveraging voice biometrics is to have the user enroll their voice for future authentication. Pindrop’s API endpoints perform user voice enrollment by consuming an audio sample and creating a voice profile against a user identifier, without ever storing audio or personally identifiable information (PII). Note that the stored voice profile is still biometric data and may itself be regulated in some jurisdictions, so it must be protected with the same care as any other sensitive credential. This makes voice authentication well suited to secure platforms like crypto exchanges that benefit from the element of privacy. When the user needs to authenticate, whether for a secure transaction or a locked account, they simply verify their voice through a live recording or a callback from an agent. The process is fast, seamless, and much less expensive than document verification.
Take a hard look at your customer’s authentication experience, especially in the context of stressful crypto trading, non-fungible token (NFT) releases, and large transactions that benefit from extra security. You can improve that experience and your bottom line by implementing secure, voice authentication.
Pindrop has one platform to service voice interactions for organizations, regardless of whether those interactions are prompted on a mobile device to a call center or through a smart speaker. If you would like to identify voices regardless of where they are coming from through “voice single sign-on”, Pindrop can help. Contact us.
There are many ways to complete call authentication, but the process typically involves using information (“factors”) from one or more of the following categories:
- Something you know, like the answer to security questions or passwords
- Something you have, like a phone or a token in your possession
- Something you are, like your voice or fingerprint that is unique to you
In theory, something you know, something you have, and something you are could be combined to confirm that a person is who they say they are. Ideally, only you should know your favorite pet’s name, your phone should be within arm’s reach, and your voice is unique to you. But in reality, these categories are not created equal. To the extent that a factor can be compromised, authentication may become ineffective, inefficient, or frustrating.
Some factors of authentication can also be Active or Passive. Active Authentication is the process of authenticating calls by requiring callers and/or agents to actively participate in authentication. Passive Authentication is the process of authenticating calls without any interaction with the caller or required actions by the agent or the caller.
Let’s review how each category of authentication could impact security and customer experience.
Something you know
‘Something you know’ is perhaps the most common form of authentication used. Passwords, PINs, Member IDs, account numbers, and security questions are considered Knowledge-Based Authentication (“KBA”). KBAs can be Dynamic or Static. Dynamic KBA is the use of publicly available information to verify identity and the questions are updated as your public information changes. Static KBA is the use of questions with presumably unique answers that should be specific to you.
Security
Data breaches and wide scale social engineering like phishing and vishing have exposed the personal information of hundreds of millions of Americans to fraudsters. As a result, ‘something you know’ is quickly becoming just ‘something you know, too’. What’s more, research from Gartner suggests that more than half of the time, fraudsters are able to supply the right answer to a KBA question.
The Customer Experience
The answers we provide to security questions are like great hiding spots; they can be so good that we forget them! Pindrop internal data places the percentage of callers who forget the answer at 20%-40%. If you provided the answers to your security questions years ago, do you still have the same favorite food today? Did you write New York City as ‘New York’ or ‘NYC’? Do we really have just one favorite pet?
There may be a tendency to submit clever or less-than-obvious answers to security questions in part because we understand that they are really just another form of a password. Thus, the customer faces a dilemma: potentially compromise their protection in favor of an answer that’s easier to remember, or complicate the answer knowing that doing so might frustrate their own experience later on. Making customers responsible for this choice is just one of the issues with using security questions. Other forms of ‘something you know’, like passwords or account numbers face the same challenge; customers are apt to forget the information and be forced into another form of authentication anyway. In the end, ‘something you know, too’ might be better described as ‘something you might know’.
Businesses should not rely on ‘something you know’ factors as a means of efficient or effective authentication, given how readily available the information is for fraudsters online, how frequently customers fail the requirement, and the time and related frustration needed to complete the process. A ‘something you know’ strategy is unlikely to provide sufficient security or customer experience, much less a balance of the two.
Something you have
‘Something you have’ involves using a physical possession to authenticate a caller. This can include a cell phone or key fob. As a factor of authentication, providing ‘something you have’ can be either active or passive.
Security
Technology has made it more challenging for a business to determine when a caller actually has something in their possession that only they should have. Commonly, that ‘something you have’ is a device, like a cell phone. In the past, when an individual called a business from a device, the business could simply use the phone number displayed on the caller ID to search their database for a match with a customer account. With a match, at least one factor of authentication could be completed instantly and passively to the benefit of both parties. This process is called ANI matching, and 42% of contact centers rely on it to authenticate. But today, the rise of call spoofing has undermined this otherwise efficient and customer-friendly strategy. Spoofing allows a caller to change the number shown on the caller ID. Without the ability to detect spoofing, a business using ANI match runs the risk of matching a spoofed number to a customer’s record and rolling out the red carpet to a fraudster posing as that customer. The fraudster gains an advantage, having automatically cleared at least one factor of authentication before ever reaching an agent. This fraud risk is heightened if the fraudster does not need an agent at all to complete their scheme, for example when the IVR itself exposes account information. Thus, ANI matching implementations are inherently compromised without ANI Validation.
Customer Experience
Asking customers to participate in their own authentication adds points of failure, which can add friction to their experience. Using the cell phone as an example, ‘something you have’ is not always ‘something you have handy’. How do we safely access a key fob while driving? How do we find our account number online or in an email if we have a bad internet connection or we are already using our phone for the call? If the ‘something you have’ isn’t easily accessible, the remaining authentication requirements prolong the process and amplify frustration. In some ways, if the ‘something you have’ still requires a caller to actively participate, the impact is quite similar to ‘something you know’.
However, ‘something you have’ can be passive (e.g. ANI match supported by ANI Validation). When passive, a business can authenticate the something in question behind the scenes to reduce or eliminate the burden on the caller. Passive methods can facilitate the seamless experience that customers have become accustomed to in other channels, where providing information digitally can be automated in ways that are less clunky than providing information out loud. The passive approach can also help lower average handle time, cost per call, and the number of calls that require agents, all of which are important performance metrics for contact centers.
Active authentication of ‘something you have’ can be effective in some scenarios, but passive techniques can be equally effective while also being faster, more cost effective, and more customer-friendly.
Something you are
‘Something you are’ uses a person’s unique attributes as a means of authentication. Good examples are your voice, your speech or behavior patterns, or your fingerprints. ‘Something you are’ is the most convenient form of authentication because a person is never without it.
Security
Unlike the other factors of authentication, ‘something you are’ does not rely on remembering secrets or answers to questions, and it does not require access to or possession of a device. It is harder to compromise because there are fewer ways for the information to be missing or stolen. Its exposure is different rather than absent: recorded, morphed and synthesized voices (the attacks noted above) must be detected by the speaker recognition system itself, since a voice cannot be reissued the way a password can.
Customer Experience
‘Something you are’ can contribute to a good customer experience because there are fewer points of failure. It doesn’t rely on a caller’s memory or on a possession that may not be accessible. There is also no wasted time on security questions or passcodes because the entire process takes place passively as the caller engages in conversation with the IVR or agent.
‘Something you are’ authentication methods are highly accurate and sophisticated and can be an ideal long-term choice for businesses that aim to fully automate a multi-factor authentication process. Particularly for businesses that deal in sensitive information or process high fraud risk transactions, ‘something you are’ authentication offers a one-stop-shop to help secure interactions while also limiting the number of active steps for customers to complete. ‘Something you are’ authentication can also be bolstered with other layers of protection that utilize data and machine learning to assist in the authentication process.
Conclusion
The ultimate goal of authentication is to establish more secure interactions with customers. But if what is required for that security ends up making customers feel like criminals, we may inadvertently resolve one issue only to create another. While finding the right balance of service and security can be tricky, beginning with a ‘something you have’ approach (like ANI Match + ANI Validation) can be a fast first step toward benefiting a greater number of customers.
As a starting point, passive ‘something you have’ authentication can restore trust in the number calling and provide a better experience for customers through:
- Personalization. This can include greeting the caller by name (in the IVR or at the agent level), and pre-populating account details instead of asking the caller to spell or repeat information. Personalization helps customers feel valued and contributes to long term brand spending and loyalty.
- Prediction. From pending orders to known account issues, from regular callers to those with recent requests, the ability to anticipate why someone is calling and meet the customer “where they are” can be a differentiator for businesses competing to provide superior service. Particularly in the IVR, suggesting menu options upfront, bypassing them entirely, or providing relevant messages automatically can replicate the flexibility and features over the phone that customers enjoy online.
- Risk management. Identifying risks early in the call process helps to optimize security resources and can allow agents to focus on providing superior service.
The passive capabilities within this process can also work to lower handle time and cost per call, which can generate the return on investment needed to fund future investment for layering in a more comprehensive ‘something you are’ strategy.
Imagine that you are trying to log in to your 401k account after a long time and as luck would have it you don’t remember the password. You try to reset the password online but you don’t remember the answers to the security questions you had set up while opening the account. After several minutes of a frustrating online experience, you call the customer service number but find out that there is no option to reset the password in the automated menu. As a last resort, you punch out to the agent. After an eternity of listening to the hold music, you finally reach the agent and ask them for help. Half an hour has already passed when you hear the agent say “please answer these five randomly generated questions so that we can authenticate you”. You spend another 15 minutes as the agent spells out every letter on five different license plate numbers to identify a car that you may have owned a decade ago but have now forgotten about. By the time you finally get your password reset, you have lost an hour of your productive day.
These experiences range in their level of frustration but are very common. At the core of this experience is the process of identification which in turn is based on the very foundational element of Knowledge-Based Authentication questions or KBAs. These KBAs can be fixed or dynamic (multiple choice questions generated on the fly like in the license plate example above). But in the end, the answers always depend on something you know, not something you are or something that you are doing.
It is commonly understood that KBAs are frustrating, not just for consumers but for the contact centers themselves. Pindrop research shows that up to 30% of customers struggle with KBA-based identity questions, while more than half of criminals pass them. According to a Forrester report [1], a North American bank reported that knowledge-based authentication (KBA) had a 25% false reject rate, which resulted in an unacceptable level of customer dissatisfaction. Adopting voice biometrics allowed the bank to reduce false rejects to less than 3%.
But these observations have been known to the industry for a long time. Steps have already been taken by companies to reduce their reliance on KBAs and adopt more friction-less biometric and behavioral modalities. However, despite the customer dissatisfaction, delays, longer wait times, and ongoing data breaches, KBAs do continue to persist and are still one of the more prevalent forms of consumer identity and verification. Why is this so? What are companies losing out on by sticking to KBAs? How much value can be unlocked by removing KBAs from the ID&V process? We explore these topics in this blog.
The Future of KBAs
The identity and verification market is worth between $6B and $8B globally [2], which includes KBAs and credit-based identity data. In the US alone there are 9 leading identity verification solution providers that leverage vast repositories of personal consumer data, credit files and demographic databases to create dynamic KBAs, which FIs use to protect new account opening applications and remote channel transactions. The fact that KBAs are joined at the hip with the credit assessment processes that underpin financial transactions and the core businesses of many companies has entrenched KBAs in their operations. This deep operational embedding makes KBAs sticky in the short term, and they continue to offer some value as a secondary identification tool. But the gravitational pull of consumer experience and fraud prevention is drawing companies away from KBAs.
Aite-Novarica Group found that the importance of KBAs amongst financial institutions has been diminishing with 60% of the respondents either not using KBAs or reducing their usage. In addition, the National Institute of Standards and Technology (NIST) has stated that KBAs can no longer be used as a means of authentication for governmental agencies. Many FI executives follow NIST guidelines closely and view them as global best practices.
KBAs are on the way out and need to be replaced with more comprehensive and sophisticated biometric and analytical tools.
The Real Cost of KBAs
A few interesting trends are taking place in contact centers.
(Chart not reproduced. Source: Contact Babel, The US Contact Center Decision-Makers’ Guide, 2018 and 2021.)
Not only has the average call duration increased by almost 2 minutes, the cost of servicing those calls has also been inching up. It now costs up to 40% more to handle a call than it did three years ago. More importantly, the cost to authenticate those callers has increased by 22 cents per call. Covid-19 has certainly contributed to and exacerbated these trends by further increasing overall call volumes for contact centers.
These trends indicate that customer service is getting longer, costlier and more complex. Insofar as KBAs are used in this process, they will continue to be part of the problem. KBAs can further elongate the authentication process and increase call durations. But the real cost of KBAs really lies in its effect on customer experience.
Contact Babel research [3] shows that the caller abandonment rate, i.e. the rate at which calls are not contained in the self-service channel, has been increasing: from 5.4% in 2012 to 6.1% in 2020. Although this increase is small, it is an important flag that customer satisfaction may be adversely affected. In particular, the report states that the main reason for abandoning self-service sessions was that the self-service function simply does not offer what customers want. Forrester Research [4] states that only 18% of customers will continue their association with a brand after it has disappointed them. These factors demonstrate that poor customer service comes at a significant cost in terms of customer attrition, revenue churn, and loss of brand reputation. A time-consuming, friction-inducing KBA process is more likely to hurt customer experience than help it. It is increasingly evident that relying on KBAs may not be the best strategy if the goal is to reduce long-term customer servicing costs while still improving customer experience.
Unlocking the Financial Value of KBAs
Between increasing customer satisfaction and reducing friction, there is a substantial amount of value locked into contact center processes. Every second that a KBA adds to the call wait time or every percentage point of friction it creates for customers, costs the company in terms of cost increase or revenue loss. Not to mention the gates it leaves open for fraudsters to walk in. Unlocking the financial potential trapped in KBA processes is paramount to a company’s long term success.
Reduce Average Handle Time (AHT)
Contact centers spend anywhere between 20 and 60 seconds per call authenticating callers. This includes approximately 3-4 KBAs [5]. Removing each KBA shaves precious seconds off the call handle time, which not only reduces call processing costs but also lets contact centers process more calls. Using ANI validation tools in combination with ANI match and call risk assessment can help contact centers remove at least 1-2 KBAs. A more detailed assessment of the financial value of KBA reduction is outlined here.
Improve Security Posture
Several high-profile data breaches have already released a large trove of personal information belonging to millions of consumers into fraudsters’ hands. In addition, fraudsters can leverage brute-force tools, caller ID spoofing and organized fraud rings to extract valuable information out of unprotected IVRs, then use that information to pass KBA authentication and take over consumer accounts. KBAs are largely powerless to stop these attacks. After a tumultuous 2020, there has been an increase in the volume and variety of fraud attacks. In 2020, at least $36 billion [6] was lost to unemployment fraud, a full 10% of the $360 billion in CARES Act unemployment benefit funding. In the UK, as much as £1.5B may have been lost to fraud through Universal Credit payments. The risk and cost of fraud are overwhelming, not to mention the negative impact on brand reputation. Reducing reliance on KBAs is a vital step towards stopping fraud.
Enhance Customer Experience
Removing KBAs with the help of passive tools like ANI validation or multi-factor authentication can contribute to a better authentication process. Pindrop research shows that an improved authentication process correlates with more positive customer satisfaction and Net Promoter Scores (NPS). Forrester’s research report [7] found that a 1-point improvement in customer experience index score could increase revenue by $110M for a large financial institution.
KBAs are a legacy tool that no longer supports the goals of the next-generation contact centers. Removing KBAs can help improve customer satisfaction, protect the contact center and unlock a substantial amount of value for the business.
[1] Forrester, Best Practices And Trends: Voice Biometrics, 2021
[2] https://www.mordorintelligence.com/industry-reports/identity-verification-market; https://www.industryarc.com/Research/Identity-Verification-Market-Research-510330
[3] Contact Babel, The US Contact Center Decision-Makers’ Guide, 2012 and 2021
[4] Forrester Research, Transform The Contact Center For Customer Service Excellence, 2021
[5] Data from Pindrop research
[6] Pindrop 2021 Voice Intelligence Security Report
[7] Forrester Research, How Customer Experience Drives Business Growth, 2020
It’s helpful to think about the authentication process on a spectrum, where not every customer interaction needs to face the same level of authentication requirements. For less risky interactions, fewer factors of authentication can be appropriate. Higher risk interactions, by contrast, may require more factors to authenticate.
For lower-risk interactions (those that may require two or fewer factors of authentication), Automatic Number Identification (ANI) Validation combined with ANI match can be a powerful tool to authenticate customers and help protect their information from bad actors. But regardless of how many factors may be required for a given interaction, removing at least one of the active authentication steps can help businesses improve their customers’ experiences.
What is ANI Validation?
ANI Validation helps determine whether a call is actually coming from the device that owns the calling number, i.e. whether it is unlikely that the caller ID has been spoofed or manipulated. ANI Validation is a passive process, working behind the scenes without requiring active participation by the caller. It can be completed almost instantly once a call reaches the IVR.
What is ANI Matching?
The ANI (Automatic Number Identification) is the calling party’s phone number as delivered with the call. On an inbound call, businesses can use that number to search their own database for a match with an existing customer account. However, an ANI match alone does not determine whether the number displayed on the caller ID has been spoofed or manipulated.
The Threat of Call Spoofing
Call spoofing undermines trust in the caller ID process by allowing the calling party to manipulate the ANI. Criminals often use this tool to replace their calling number with the number of a real customer. Businesses that use ANI matching without ANI Validation run the risk of matching a spoofed number to a customer’s account.
Combining ANI Validation with ANI Match
For authentication purposes, ANI validation can increase the reliability of an ANI match. Pairing ANI Validation with ANI Match can replace active authentication requirements with passive ones which helps streamline the process to the benefit of customers and helps protect against bad actors.
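The decision logic described here (and in the ‘something you have’ and risk-spectrum passages above) can be made concrete. The following is an added example written for this page; it is not Pindrop code and does not use any Pindrop API. It performs a plain ANI match against a constructed customer directory, then gates that match on an assumed 0..1 validation score (standing in for whatever the validation product returns), optionally adjusted by a STIR/SHAKEN attestation level when one is delivered, and compares the result with a threshold set by the transaction’s risk tier. The directory, score scale, attestation weights and thresholds are all assumptions of the example.

```python
"""Passive 'something you have' authentication: ANI match plus ANI validation.

Added example, not Pindrop code. It models the decision the page describes:
look the caller ID up in the customer directory (ANI match), then require an
independent validation signal before trusting that match, with the required
confidence set by the risk tier of the requested transaction. The validation
score scale, the attestation weights, the thresholds and the customer data
are all assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed customer directory keyed by E.164 number (not real accounts).
CUSTOMERS = {
    "+14045550123": "ACC-1001",
    "+12125550199": "ACC-2002",
}

# STIR/SHAKEN attestation is only a supplementary data point: A = full,
# B = partial, C = gateway. Many calls carry no attestation at all, so a
# missing value contributes nothing rather than failing the call.
ATTESTATION_ADJUST = {"A": 0.15, "B": 0.05, "C": -0.10}

# Passive confidence required per risk tier (assumed values). None means the
# tier always needs an active factor, however strong the passive signals are.
TIER_THRESHOLD = {"low": 0.60, "medium": 0.80, "high": None}


@dataclass
class Call:
    ani: str                           # caller ID as delivered to the IVR
    validation_score: float            # assumed 0..1: likelihood the call comes from the device owning the ANI
    attestation: Optional[str] = None  # "A", "B", "C", or None when not delivered


@dataclass
class Decision:
    account: Optional[str]  # matched account, if any
    passive_auth: bool      # True: 'something you have' satisfied without caller action
    step_up: bool           # True: require an active factor before sensitive actions
    reason: str


def ani_match(ani: str) -> Optional[str]:
    """Plain ANI match: the directory lookup the page says 42% of contact centers rely on."""
    return CUSTOMERS.get(ani)


def combined_confidence(call: Call) -> float:
    """Fold the attestation level (if any) into the validation score, clamped to [0, 1]."""
    adjusted = call.validation_score + ATTESTATION_ADJUST.get(call.attestation, 0.0)
    return max(0.0, min(1.0, adjusted))


def authenticate_ani_only(call: Call) -> Optional[str]:
    """The unsafe baseline: any matched number is treated as the customer."""
    return ani_match(call.ani)


def authenticate(call: Call, tier: str) -> Decision:
    """ANI match gated by ANI validation and the transaction's risk tier."""
    account = ani_match(call.ani)
    if account is None:
        return Decision(None, False, True, "no ANI match")

    threshold = TIER_THRESHOLD[tier]
    if threshold is None:
        return Decision(account, False, True, "high-risk tier always requires an active factor")

    confidence = combined_confidence(call)
    if confidence >= threshold:
        return Decision(account, True, False,
                        f"ANI matched and validation {confidence:.2f} >= {threshold:.2f}")
    # The number belongs to a customer, but the call probably did not come
    # from that customer's device: the spoofing case the page warns about.
    return Decision(account, False, True,
                    f"ANI matched but validation {confidence:.2f} < {threshold:.2f}: possible spoof")


if __name__ == "__main__":
    spoofed = Call("+14045550123", validation_score=0.20, attestation="C")
    genuine = Call("+14045550123", validation_score=0.90, attestation="A")
    legacy = Call("+12125550199", validation_score=0.85)  # no attestation delivered
    print("ANI-only baseline on spoofed call:", authenticate_ani_only(spoofed))
    for call, tier in [(spoofed, "low"), (genuine, "medium"), (genuine, "high"), (legacy, "medium")]:
        print(tier, authenticate(call, tier))
```

Running the script shows the contrast the page draws: the ANI-only baseline hands the spoofed call the real customer's account, while the gated version matches the account but refuses passive authentication and steps the caller up. The legacy call with no attestation still authenticates passively on its validation score alone, which is the behaviour wanted when attestation data is simply not present.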
ANI Validation: Innovating The Customer Experience
In the contact center world, we’ve broadly accepted the notion that each phone call is a single experience for customers. But for many, a phone call is not a singular experience at all. Instead, a phone call can consist of a series of impressions, or mini-experiences. Consider how it feels as a customer to wait on hold, enter a passcode, listen to each option in an automated menu, or converse with an agent. These steps can feel isolated, where some may carry more weight than others when the caller is asked to assess their experience overall. A barrage of security questions can be frustrating enough to cause the caller to abandon the call entirely (and perhaps the brand, too) or give up on the opportunity for self-service by repeatedly pressing ‘0’ for an agent. Waiting on hold can overshadow the stellar performance of an agent. The problem with conventional ways of measuring a customer’s overall experience, then, is the inability to fully account for which mini-experiences during the call were responsible for defining it.
ANI Validation has innovated the customer experience by helping improve specific areas where inefficient or ineffective authentication measures can result in a caller’s bad experience. ANI Validation can also help businesses meet or exceed the rising demands of consumers, many of whom are accustomed to the flexibility, features, and freedom of digital interactions.
Let’s deconstruct the anatomy of a phone call to isolate where many mini-experiences happen and discuss how rethinking our approach to authentication can help improve the phone call experience for customers.
For example, let’s split the phone call into 2 phases: The Set Up and The Action.
The Set-Up
The Set Up defines the phase of a call which must be completed before the caller can address their issue. The Set Up consists of two points for mini-experiences:
- Waiting On Hold
- Authentication
The Set-Up is a necessary inconvenience for callers and can contribute to a bad mini-experience because it is not the reason for the call. Customers do not call to wait on hold or to authenticate. Unfortunately, delays, friction, or miscues can often result in customer frustration; for example, customers might share negative stories, abandon the call, or choose to do business with a competitor instead.
Luckily, the Set-Up can help improve a customer’s experience by removing or lessening their direct involvement in the authentication process. ANI Validation with VeriCall® Technology analyzes call metadata with machine learning to determine the likelihood that a call is coming from the device that owns the number. VeriCall® Technology, delivered through an API, can receive call metadata and produce a score in under 60 milliseconds. The process does not require the caller’s active participation.
Waiting on Hold
Waiting on hold can be inconvenient to a customer and can also cause them to abandon a call entirely. Many consumers are not willing to wait on hold for very long, if at all. The good news is that while placing callers on hold may at times be a necessity, the amount of time they wait can be reduced by lowering overall call handle time (when agents spend less time with each caller, they are free to answer more calls). Learn more about average handle time here.
Authentication
Completing authentication steps takes time, which contributes to overall average handle time. This is an ideal opportunity to apply ANI Validation which can remove active steps for customers by turning them passive and help avoid bad mini-experiences (like spelling out personal information, answering security questions, or other active participation requirements). ANI validation can also help to save the business time and related call costs for calls that can be validated.
In our example, the second phase of a call that follows The Set-Up is The Action.
The Action
The Action defines the phase where a caller can begin actually addressing their issue. The Action consists of two points for mini-experiences:
- The IVR
- The Agent
ANI Validation can positively impact mini-experiences in the IVR and at the Agent level in a variety of ways, but each is related to the role that ANI Validation plays in authenticating the caller passively and as early in the call process as possible.
The IVR
ANI validation can mean that callers face fewer active authentication requirements in the IVR, particularly when it can increase the reliability of an ANI match. If a customer profile is identified using ANI match and ANI validation, the IVR can be improved in some of the following ways:
Personalization: The caller can be greeted by name, and avoid having to spell or repeat personal information like their name, address, or account number.
Prediction: The business can bring forward IVR menu options that are likely to match why the customer is calling, like open order status, known account issues, and more.
Menu choices: Expand the list of IVR options that are accessible to the caller.
Self-Service: Any of the above benefits can encourage the caller to consider self-service (if available), instead of abandoning the IVR for an agent prematurely. When more callers self-service, hold time, handle time, and related costs can be reduced.
The Agent
Callers who arrive at the Agent level having already cleared two factors of authentication (ANI Validation and ANI Match) can get down to business sooner. Agents can start the conversation with the customer’s information at hand. They also avoid having to engage in frustrating Set Up activities like asking security questions. The resulting efficiency can improve caller experience while improving the agent’s experience and their performance metrics in the process.
Conclusion
ANI Validation has the potential to transform both phases of a call, The Set Up and The Action. Because it is a passive tool that can be implemented using an API, it can deliver the capabilities your business needs to help minimize The Set Up from the caller’s perspective, help protect the call operation from spoofing, and help add efficiency to IVR and Agent interactions. These benefits can begin improving customer experience soon after implementation and can deliver return on investment in the form of handle time reduction and the related cost per call.
To learn more about how ANI Validation has helped top US banks and telecommunications companies, visit our Case Studies.
Plan and prepare for widespread deployment
Account for known and unknown integration or performance limitations
Seek to develop a passive, customer-friendly call authentication process
The STIR/SHAKEN framework allows voice service providers to authenticate that the caller ID information transmitted with a particular call matches the caller’s number. Upon widespread implementation, the hope is that S/S will help reduce illegal spoofing, allow law enforcement to identify bad actors more easily, and help voice service providers identify calls with illegally spoofed caller ID information before those calls reach their subscribers. However, S/S was not designed to be a silver bullet for seamless authentication in the contact center. Indeed, the FCC has encouraged the industry to develop and implement new caller ID authentication technology in addition to the actions taken by the FCC.
Your expert panel
Tim Prugar
VP Operations, Next Caller, a PindropⓇ Company
Learn the best practices in leveraging risk as part of a policy-based multifactor authentication strategy.
Discover best practices in using risk as part of your enrollment and authentication strategy.
Identify the differences between authentication and authorization.
Meet the Experts:
Jay Hart
Principal Sales Engineer at Pindrop
Dave Dalebroux
Principal Sales Engineer at Pindrop
What is authentication?
What it means to identify and verify someone.
The basics of multi-factor authentication.
Your expert panel
Jay Hart
Principal Sales Engineer at Pindrop
Dave Dalebroux
Principal Sales Engineer at Pindrop
Contact center authentication defends your business, but many leaders are struggling with choosing the best type of authentication solution for them. In addition, recent shifts to massive swaths of the workforce staying home have created new challenges in security, workforce optimization, and consumer behavior.
We’ve organized a collection of tools, assets, and other resources to aid contact center leaders in their race to optimize operational costs, improve customer experience, and improve security measures, as organizations restructure and prepare for the road ahead. You can explore the tool kit on this page linearly or choose the section you need.
WHAT IS CALLER AUTHENTICATION?
Caller authentication is the process of verifying the identity of persons via the phone channel. From email to bank logins, many companies have employed tools like two-factor verification to make their services more secure. Along with a potential spike in call volumes, a similar need for proper identification of callers surges to the forefront. Businesses deploying effective caller authentication ensure that the entire process is customer friendly while maintaining a secure operation – not always an easy balance to strike.
“SYMPTOMS” OF BAD CALLER AUTHENTICATION PRACTICES
When it comes to caller identification, it’s all about giving your customers a secure and enjoyable experience. You definitely have to review your related processes if:
- There is a lack of personalization in the customer experience, especially when calling from a verified number.
- The average handle time on your calls is above the industry average.
- There are frequent security issues, possibly leading to account takeovers.
- You are getting bad reviews from your customers regarding their experience when contacting your call center.
Pindrop’s data shows that 41% of consumers blame the brand for the fraud happening. Furthermore, 90% of consumers say 3 or fewer bad experiences cause them to churn.
HOW CALLER AUTHENTICATION WORKS
Caller authentication, in general, follows 3 steps:
- A call is placed to a contact center
- The call is connected to the contact center
- Caller authentication takes place
Authentication operationally comes in two flavors: Passive and Active.
PASSIVE AUTHENTICATION
Passive Authentication is the process of authenticating callers without any interaction with the caller or required actions on behalf of the agent or the caller themselves. Passive authentication results in calls that are authenticated before being connected to the agent. This creates a smoother, more personalized customer experience, reduces average handle time by eliminating required actions on behalf of the agent and caller, and strengthens the front lines of your contact center against attack. Passive authentication methods also help increase self-service options in the IVR.
ACTIVE AUTHENTICATION
Active Authentication is the process of authenticating callers by requiring callers and/or agents to actively participate in authentication. The most common form of this is the use of knowledge-based authentication questions. Here, agents are expected to ask questions to ascertain whether or not the person is who they say they are.
Designing an optimal passive caller authentication process:
When establishing your authentication process, it’s best to think about Authentication on a spectrum. Not every transaction is created equal. For transactions that are at less risk of fraud, fewer factors of authentication can be appropriate. Higher risk transactions, by contrast, will require more.
For lower-risk transactions (those requiring 2 or fewer factors of authentication), ANI Validation combined with ANI Match can be a powerful tool to verify customers quickly and easily without compromising security.
What is ANI Validation?
ANI Validation confirms that a call is coming from the device that owns the number. In other words, the call has not been spoofed or manipulated.
What is ANI Match?
Automatic Number Identification (ANI) is a telephony service that allows the receiver of a phone call to capture and display the phone number making the call. In short, an ANI represents the phone number that is calling you.
On an inbound call, businesses can use the ANI to search their own database for a match with an existing customer account. This process makes it fast and easy for the business to know when a customer is calling, personalize the call, and reduce security steps to make authentication easier for customers.
The Threat of Spoofing
Call spoofing undermines trust in the Caller ID process by allowing the calling party to manipulate the ANI. Criminals often use this tool to replace their calling number with the number of a real customer. Businesses that are not able to detect call spoofing run the risk of authenticating calls from impersonators.
Combining ANI Validation and ANI Match
In order to safely match an ANI with an existing account, businesses must first validate that the ANI has not been changed or manipulated. ANI Validation is the process used to make this determination.
Once your business can trust the number on the caller ID and then match it to an existing customer account, two factors of authentication have been completed. For businesses that only require two factors of authentication to complete certain transactions, ANI Match + ANI Validation is a lightweight, simple solution for streamlining the security process in a way that benefits customers while remaining safe from bad actors.
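The two flows contrasted in the ANI sections above (ANI Match on its own, versus ANI Validation followed by ANI Match) written out as decision logic. This is an added example, not Pindrop or VeriCall code: the validation score is assumed to arrive from an external ANI Validation service and is simply attached to each constructed sample call, the CRM table is an in-memory dictionary, and the 0.80 threshold is an assumed value a deployment would tune itself.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed pass threshold for the validation score (0.0-1.0). A real deployment
# would tune this against its own false-accept / false-reject measurements.
VALIDATION_THRESHOLD = 0.80

# Constructed CRM table: E.164 number on file -> customer record.
CRM = {
    "+14045550123": {"customer_id": "C-1001", "name": "Alice Example"},
    "+12125550987": {"customer_id": "C-2002", "name": "Bob Example"},
}


@dataclass
class InboundCall:
    call_id: str
    ani: str                 # number presented as the caller ID
    validation_score: float  # likelihood the call comes from the device that owns `ani`


@dataclass
class AuthDecision:
    customer_id: Optional[str]
    factors: Tuple[str, ...]   # passive factors satisfied so far
    next_step: str
    spoof_suspected: bool = False


def match_only(call: InboundCall) -> AuthDecision:
    """The risky flow from the text: ANI Match with no ANI Validation.

    A spoofed ANI that belongs to a real customer is treated as that customer.
    """
    record = CRM.get(call.ani)
    if record is None:
        return AuthDecision(None, (), "ask_caller_to_identify")
    return AuthDecision(record["customer_id"], ("ani_match",), "proceed")


def validate_then_match(call: InboundCall,
                        threshold: float = VALIDATION_THRESHOLD) -> AuthDecision:
    """Hardened flow: trust the ANI only after validation passes, then match it.

    Passing both steps yields two passive factors, enough for the lower-risk
    transactions described in the text; anything else falls back to active steps.
    """
    record = CRM.get(call.ani)
    if call.validation_score < threshold:
        # The number could not be tied to its owning device. If it also matches a
        # known account, that is exactly the spoof pattern the text warns about,
        # so flag it for the fraud team instead of greeting the "customer".
        return AuthDecision(None, (), "active_authentication_required",
                            spoof_suspected=record is not None)
    if record is None:
        # Genuine device, but the number is not on file: one factor, and the
        # caller still has to make an identity claim.
        return AuthDecision(None, ("ani_validation",), "ask_caller_to_identify")
    return AuthDecision(record["customer_id"], ("ani_validation", "ani_match"),
                        "passive_auth_complete")


# Constructed sample calls covering the three cases.
SAMPLE_CALLS = [
    InboundCall("call-001", "+14045550123", 0.97),  # Alice, from her own phone
    InboundCall("call-002", "+14045550123", 0.12),  # Alice's number, different device
    InboundCall("call-003", "+19175550000", 0.91),  # genuine device, not a customer
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        weak = match_only(call)
        strong = validate_then_match(call)
        print(f"{call.call_id} ani={call.ani} score={call.validation_score:.2f}")
        print(f"  match-only     -> customer={weak.customer_id} next={weak.next_step}")
        print(f"  validate+match -> customer={strong.customer_id} "
              f"factors={len(strong.factors)} next={strong.next_step} "
              f"spoof_suspected={strong.spoof_suspected}")
```

Running it shows the difference on `call-002`: the match-only flow returns Alice's account for a number that failed validation, while the validate-then-match flow returns no account, routes the call to active authentication, and marks it as a suspected spoof of a known customer's number.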
MULTI-FACTOR AUTHENTICATION
For transactions that come with a higher risk of fraud, multi-factor authentication is required. Multi-factor authentication is the use of multiple disparate data points to authenticate or verify identity. In practice, its application in call centers means the utilization of numerous data points to ensure the caller is genuine. Voice, device, and behavior are 3 common points used to authenticate callers, though multi-factor authentication generally refers to the use of two or more ways of verifying an identity. Using multi-factor authentication technology to assist the agent in authenticating the caller reduces the cost per call by reducing the amount of time agents are on the phone, and can improve customer experience by personalizing it.
Multi-factor Authentication typically leverages at least two of 5 “factors”:
- Something You Know: like the answer to a knowledge-based question
- Something You Are: like a voiceprint
- Something You Have: like a mobile device or keycard
- Something You Do: like your dialing pattern
- Something You Use: like carrier signaling or call dialing
KNOWLEDGE-BASED AUTHENTICATION (KBA)
Knowledge-Based Authentication (KBA) is the combination of real and fake-out questions that should help agents root out imposters and fraudsters. However, because the answers to these questions are often publicly available or have been leaked online, this method is no longer accepted as effective. Knowledge-based authentication comes in two flavors:
- Dynamic knowledge-based authentication is the use of publicly available information to verify identity and the questions are updated as your public information changes. An example would be “Which of these addresses have you been associated with in the past?”
- Static knowledge-based authentication is the use of questions with presumably unique answers that should be specific to you – for example, “What is your favorite food?” The assumption here is that this information is something that only you or someone very close to you would know – and therefore could be used to identify you.
Pindrop’s research shows that a third of the time genuine consumers cannot remember the answers to static KBAs and that more than half of the time fraudsters guess the right answer. Additionally, dynamic knowledge-based authentication questions have been compromised as mega-breaches have spread addresses, phone numbers, and credit information across the dark web for years.
In short, multi-factor authentication, and more so passive multi-factor authentication, is a more effective and beneficial form of caller authentication. The passive approach offers many benefits concerning security, operations, and customer experience. Call center leadership looking to increase capacity, improve customer experience, reduce agent stress, and address fraud costs should seriously consider passive multi-factor authentication as a solution.
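A policy-based check built on the five factor categories listed above, which also applies the two findings of the KBA discussion (two knowledge questions are still only one category, and knowledge is weak evidence for higher-risk transactions). This is an added illustration, not Pindrop code: the evidence source names, the mapping of each source to a category, the per-tier factor counts, and the rule that a knowledge factor is not counted for the high-risk tier are all assumptions made for the example; the five categories themselves come from the text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List


class Factor(Enum):
    """The five factor categories from the text."""
    KNOW = "something you know"   # e.g. a knowledge-based answer
    ARE = "something you are"     # e.g. a voiceprint
    HAVE = "something you have"   # e.g. the mobile device
    DO = "something you do"       # e.g. dialing pattern
    USE = "something you use"     # e.g. carrier signaling


# Assumed evidence sources: name -> (category, collected passively?).
EVIDENCE_SOURCES = {
    "ani_validation": (Factor.USE, True),
    "ani_match": (Factor.HAVE, True),
    "voiceprint": (Factor.ARE, True),
    "dialing_pattern": (Factor.DO, True),
    "kba_static": (Factor.KNOW, False),
    "kba_dynamic": (Factor.KNOW, False),
}

# Assumed policy: distinct categories required per transaction risk tier.
REQUIRED_FACTORS = {"low": 2, "high": 3}


@dataclass
class MfaDecision:
    tier: str
    satisfied: FrozenSet[Factor]   # categories that count toward the requirement
    required: int
    authenticated: bool
    recommended_next: List[str]    # sources still worth collecting, passive first


def evaluate(evidence: Dict[str, bool], tier: str) -> MfaDecision:
    """Count distinct satisfied categories against the tier's requirement.

    `evidence` maps a source name to whether that check passed. Sources that were
    not attempted are simply absent.
    """
    required = REQUIRED_FACTORS[tier]
    satisfied = set()
    for source, passed in evidence.items():
        if not passed:
            continue
        if source == "ani_match" and evidence.get("ani_validation") is False:
            # A match on a number that failed validation is the spoof case from the
            # text: the matched account must not count as evidence of identity.
            continue
        satisfied.add(EVIDENCE_SOURCES[source][0])

    if tier == "high":
        # Assumption reflecting the KBA findings: knowledge alone is not strong
        # enough to count toward a high-risk transaction.
        countable = satisfied - {Factor.KNOW}
    else:
        countable = satisfied
    authenticated = len(countable) >= required

    recommended = []
    if not authenticated:
        for source, (category, passive) in EVIDENCE_SOURCES.items():
            if source in evidence or category in countable:
                continue  # already tried, or its category is already covered
            if tier == "high" and category is Factor.KNOW:
                continue  # would not count anyway
            recommended.append(source)
        # Passive sources first, so the caller is only asked to act as a last resort.
        recommended.sort(key=lambda s: not EVIDENCE_SOURCES[s][1])

    return MfaDecision(tier, frozenset(countable), required, authenticated, recommended)


if __name__ == "__main__":
    # Constructed scenarios.
    print(evaluate({"ani_validation": True, "ani_match": True}, "low"))
    print(evaluate({"ani_validation": True, "ani_match": True}, "high"))
    print(evaluate({"ani_validation": False, "ani_match": True, "kba_static": True}, "high"))
    print(evaluate({"kba_static": True, "kba_dynamic": True}, "low"))
```

The second scenario is the step-up case: ANI Validation plus ANI Match cover two categories, which satisfies the low-risk tier but not the high-risk one, and the decision recommends the remaining passive sources (voiceprint, dialing pattern) before any active question. The last scenario shows that two knowledge-based questions still only contribute one category.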
OPTIMIZING CALLER AUTHENTICATION ENROLLMENT
Enrollment optimization is the transformation of the processes concerning enrollment into their most efficient state for the callers and the business. Enrollment processes differ but are typically categorized as either passive or active. As noted above, optimization leans towards passive solutions as they do not require consumer interaction, nor agent involvement. Passive enrollment requires no human interaction and optimizes enrollment by ensuring a seamless experience for the caller and the best return on authentication investments.
A seamless experience is essential not only for customer experience and brand loyalty but also for the effectiveness of your authentication planning. It’s simple: passive enrollment of every caller better ensures enjoyable experiences during each call, which welcomes consumer interaction and deepens their affinity to your brand. The more seamless you can make every interaction, the better the customer experience. In short, passive enrollment is the optimal solution for authentication enrollment.
WHY IS ENROLLMENT OPTIMIZATION IMPORTANT?
Because your authentication solution is only as useful as the number of your customers enrolled, your goal should be 100% adoption. Though this is impossible, it is critical to note that should few consumers enroll, your authentication solution would be much less effective, as inferior enrollment rates translate to inferior authentication rates. Again, passive enrollment goes a step further, ensuring better authentication rates by delivering higher enrollment rates.
TIPS FOR OPTIMIZING ENROLLMENT FOR ENHANCED AUTHENTICATION RIGHT NOW
- Leverage ANI as a factor in the ID claim. ANI, or automatic number identification, helps to take the cognitive load off the caller by leveraging data that already comes with the call. ANI of an incoming call can be matched with data on file to look up a uniquely matched identity. This data can be leveraged not only for a first-time caller but also for an identity claim for a returning caller. Rather than having to answer a knowledge-based authentication question or share sensitive information over the phone to verify identity, ANI can be looked up silently in the background of the call.
- Leverage a unique identifier. Having a consistent, asserted identity claim ensures that call after call, time after time, you can identify a caller across different lines of business. Leveraging a unique identifier provides a seamless, passive process, authenticating the caller in the background of a call so you can get them where they need to be faster.
- Avoid clunky active enrollment. Active enrollment with specific passphrases is time-consuming for customers just wanting to have their issues handled; customers calling into a call center may find it a distraction from resolving the issue at hand, resulting in a sub-optimal user experience. Make the enrollment process seamless and straightforward by enrolling callers as they naturally engage with call center agents instead of forcing a separate enrollment process.
- Keep things simple with API integration whenever possible. Pindrop’s APIs are straightforward: the footprint is small and they’re effortless to use. It’s a simple process, and the APIs are leveraged across both the agent leg and the IVR leg of the call.
- Engage experts, including process engineers, privacy by design, and Pindrop’s Business Intelligence Team to craft an ideal end customer experience.
CALLER AUTHENTICATION BEST PRACTICES
Contact centers use authentication tools to provide frictionless, personalized customer experiences. But some authentication tools are better suited to that task than others. Exploring best practices for contact center authentication translates to positive gains in other areas. Optimizing your authentication practices can reduce average handle times, empower your customers, and improve operational efficiencies. You can leverage authentication best practices for quantifiable operational gains for your contact center. But more importantly, applying caller authentication best practices will improve your customers’ experience, increase your performance in customer experience metrics and give a boost to your brand’s power and the overall loyalty around it.
Pindrop will examine use cases for customer authentication and strategies that support reducing average handling time in the contact center, reducing the number of knowledge-based authentication questions, and boosting customer satisfaction through a streamlined and secure experience.
ANI Validation
Customization & personalization
Identity and multi-factor authentication
Strategies for implementing lightweight API-driven ANI validation schemas through full-featured powerful identity verification
Meet the Experts
Amit Gupta
Director of Product Management, Pindrop
Sam Espinosa
VP of Marketing, NextCaller, a Pindrop Company
Fraudsters thrive during periods of chaos and uncertainty. Any disruption to the status quo provides an opportunity to seize sensitive consumer data and leverage it against individuals and their financial institutions.
Significant increases in phone, text and email phishing are enabling fraudsters to take advantage of the current financial uncertainty and public health concerns. Access to personal information leads to validating the data with the targeted institution’s own customer service tools, mainly through contact center agents directly, or through the automated interactive voice response systems.
With verified account numbers and some basic information, a fraudster has all they need to execute fraud through the phone channel using convincing scripts involving the current crisis to socially engineer contact center agents and individuals.
Scammers are using new versions of old tactics to leverage times of uncertainty, fear and heightened emotion to expose individuals and contact centers to an increase in fraud incidents.
Today’s post will be a brief look at the tactics fraudsters have been using in the current climate of uncertainty.
The New Fraud Scripts
In “normal” times, a fraudster’s script may have read something like this:
I’m going to be traveling overseas, please lift any fraud monitoring for me for two weeks because I’ll be out of the country and don’t want my card blocked.
Or, a different angle:
I’m leaving for a three-week vacation and I need you to wire me money as I want to have plenty of cash-on-hand for expenses and incidentals.
But times have changed, and just as fraudsters’ tactics are constantly evolving to meet the security measures to stop them, the same holds true for the scripts they’re currently adapting to profit from public fears and panic. By the middle of April, the FTC had already logged over 8,000 fraud reports with reported losses that total nearly $5 million.
Here are four categories of current fraud tactics to be on the lookout for, including examples of the most common “scripts” we’re hearing reported by contact center agents and fraud analysts around the country.
Travel-Related Inconveniences and Emergencies
Many of the most common scripts involve appeals for emergency financial assistance due to travel restrictions and guidelines set forth by federal and state governments. One narrative that we’re hearing from a number of agents involves fraudsters claiming to be stuck outside the country. It sounds something like:
I left the country over a month ago and don’t even know when I’m going to be allowed to come home. This is an emergency. I need you to wire me money because of the travel restrictions from this pandemic, or make an immediate ACH transfer, now.
There’s typically a sense of urgency, as fraudsters are aware of the high call volumes that agents and analysts are currently contending with. Armed with the consumer data they’ve acquired from a vast increase in phishing scams, fraudsters are primed to scam the contact center and take advantage of agents who are attempting to assist people in genuine need.
Caretaker Fraud
What is an agent supposed to do when a scammer calls in frantically asserting that a person they’re caring for is in dire need of financial assistance to pay for emergency medical bills?
I’m calling on behalf of Mrs. Smith, who’s in the hospital right now with complications due to COVID-19. She’s isolated from her immediate family, who live out-of-state, and she has asked me to help her get access to the funds she badly needs for bills, rent and everything else. I’m the only person she has access to and I’m the only one that can help her.
There has been a marked increase in fraudulent activity targeting the elderly. In an attempt to stay on top of important financial and health updates, seniors may inadvertently click on a scammer’s link and make their private financial data and login credentials vulnerable, which fraudsters then use to gain access to their banks, insurance companies, mortgage lenders, credit card issuers, and more.
Send Me a New Card / Raise Spending Limit
The current public health crisis has reverberated throughout financial markets, leading to an unprecedented number of unemployment claims in the past month, opening both individuals and FIs to the associated scams that prey on people’s financial panic.
A red flag should go up for any direct requests for a new card or increased spending limit. Fraudsters aren’t calling in to set up payment plans or request payment forbearances. Rather, they’re attempting to scam the contact center with urgent messages about how the current pandemic has put them in a position where they need access to more of their money, and right now.
I lost my job due to all this craziness. At first, I worked from home but was laid off a month ago and I’m still waiting on the loan assistance and unemployment I filed for. I’m facing eviction, can’t afford groceries and need to feed my kids. I really need you to raise the spending limit on my card.
-or-
I’m quarantined at my parents’ house in Michigan and all of my credit cards, not to mention everything else I own, are back at my apartment in New York. I need you to send me a new card. I was also furloughed, so please increase the limit on the card so I can bridge the gap until I receive unemployment.
Financial Surrogate Scams
Finally, fraudsters are targeting some of the largest financial institutions by gathering consumer data with mobile and email scams that claim an individual’s account has been compromised. Unwitting people concerned about their financial security click on bad links, providing sensitive information to fraudsters who turn around and use it to drain their bank accounts and max out their credit cards acting as financial surrogates.
I have legal power of attorney for Mr. Johnson, who is gravely ill and in no position to speak to anyone in person, let alone over the phone. He has medical bills to pay. Please wire money / make a direct ACH deposit into this other account.
Even as most people are rallying together to get through the current challenges facing our world, bad actors are attempting to exploit vulnerabilities and capitalize on the uncertainty of the time. Contact centers should be on alert as fraudsters continue to adapt their tricks and tactics, appeal to emotions, and convey urgency to carry out their scams.
Pindrop Protect’s anti-fraud solution arms your fraud team with predictive analytics, machine learning, and productivity-saving accuracy. The technology allows you to identify fraudulent cross-channel activity — often before it occurs, utilize enhanced IVR monitoring capabilities, and stop potential phone fraud in real time. To learn more about Pindrop® Protect, check out our on-demand webinar on Pindrop Pulse.
The cloud offers a lot of great functionality for contact centers, from slashing operational costs to reducing the burden on staff. However, despite its many benefits, many contact center companies are still wary of the cloud. Digital transformation can feel like a huge undertaking with all of the technology and operational changes companies must go through, and many companies are satisfied with their current infrastructure.
The good news is that no matter where you are in your digital transformation journey — whether you’ve sworn off the cloud forever or you’re the cloud’s biggest evangelist — you can still use Pindrop’s technology to ensure protection against fraudsters. While Pindrop’s technology is based in the cloud, you don’t have to move your entire infrastructure over to the cloud to use it, or have even made the move to the cloud yet at all.
With Pindrop’s Tap to Cloud solution, a contact center can be completely on-prem and still leverage the benefits of Pindrop’s technology. Tap to Cloud is an on-prem appliance that securely connects the client’s on-prem application into the cloud for Pindrop’s systems to analyze, with very minimal effort to the contact center team. It can offer increased flexibility for contact centers no matter where they are in their digital transformation journey. Additionally, the appliance is not connected to LAN or other boxes, so you don’t have to sacrifice any amount of security just because it is on-prem.
Historically, any type of on-prem call center deployment or project is long, typically taking 6-9 months to complete. However, Tap to Cloud has a light footprint that allows us to implement it much more quickly. In fact, we recently had a customer deploy the solution who was able to have it up and running in just 60 days. With very little time and effort, any contact center can now utilize the power of Pindrop’s anti-fraud and authentication solutions.
If you are looking for a solution for your contact center to detect and prevent fraud but aren’t ready to make the move to the cloud, Pindrop’s Tap to Cloud solution can help. Our team will make things easy, working with you to determine your needs and goals, and implement our solution quickly and seamlessly. Contact us today to learn more.
Multifactor Authentication has many advantages; however, effectively getting consumers enrolled in authentication activities is mission-critical for contact center security professionals. The optimization of enrollment processes contributes to optimal authentication abilities and cost savings. The optimization of these processes leans heavily on passive approaches, as they remove barriers and overcome consumers’ objections; enrollment optimization ultimately results in time savings for customer service agents.
Having an enrollment strategy and process that removes barriers for both consumers and contact center employees is imperative especially in challenging times.
In this article, we will discuss the necessity of focusing on enrollment to achieve optimization of authentication rates.
What is Enrollment Optimization?
Enrollment optimization is the transformation of the processes concerning enrollment into their most efficient state for the consumer and the business. Enrollment processes differ but are typically categorized as either passive or active. As noted above, optimization leans towards passive solutions as they do not require consumer interaction, nor agent involvement. Passive enrollment requires no human interaction and optimizes enrollment by ensuring a seamless experience for the caller and the best return on authentication investments.
A seamless experience is essential not only for NPS scores and brand loyalty but also for the effectiveness of your authentication planning. It’s simple: passive enrollment of every caller better ensures enjoyable experiences during each call, which welcomes consumer interaction and deepens their affinity to your brand. The more seamless you can make every interaction, the better the customer experience. In short, passive enrollment is the optimal solution for authentication enrollment.
Why is Enrollment Optimization Important?
Because your authentication solution is only as useful as the number of your customers enrolled, your goal should be 100% adoption. Though this is impossible, it is critical to note that should few consumers enroll, your authentication solution would be much less effective, as inferior enrollment rates translate to inferior authentication rates. Again, passive enrollment goes a step further, ensuring the best authentication rates by delivering the highest enrollment rates. Below are five tips you can use to begin optimizing your enrollment processes now.
5 Tips for Optimizing Enrollment for Enhanced Authentication Right Now
- Leverage ANI as a factor in the ID claim. ANI, or automatic number identification, takes cognitive load off the caller by using data that already arrives with the call. The ANI of an incoming call can be matched against data on file to look up a uniquely matching identity, both for a first-time caller and as an identity claim for a returning caller. Rather than answering a knowledge-based authentication question or sharing sensitive information over the phone, the caller is looked up silently in the background of the call. Treat the ANI match as a claim to be confirmed by the other factors rather than as proof on its own: fraudsters rotate through ANIs and Caller ID can be spoofed.
- Leverage a unique identifier. Having a consistent, asserted identity claim, ensures that call after call, time after time, you can identify a caller across different lines of business. Leveraging a unique identifier provides a seamless, passive process, authenticating the caller in the background of a call so you can get them where they need to be faster.
- Avoid clunky active enrollment. Active enrollment with specific passphrases is time-consuming for customers just wanting to have their issues handled; customers calling into a call center may find that as a distraction to resolving the issue at hand, resulting in sub-optimal user experience. Make the enrollment process seamless and straightforward by enrolling callers as they naturally engage with call center agents instead of forcing a separate enrollment process.
- Keep things simple with API integration whenever possible. Pindrop's APIs are straightforward: the footprint is small, they are easy to use, and the same APIs serve both the agent leg and the IVR leg of the call.
- Engage experts, including process engineers, privacy-by-design specialists, and Pindrop's Business Intelligence Team, to craft the ideal end-customer experience.
Pindrop® authentication solutions help contact centers authenticate legitimate callers quickly and accurately, reducing call handle times, enabling personalization, and improving customer experience. Contact us today to see Passport in action and learn how much we can save your organization in time, costs, and brand loyalty.
As technology advances, fraudsters use different, constantly evolving techniques that include exploiting the phone channel. With increasingly sophisticated attacks, fraudsters maneuver around authentication and security measures to access sensitive information that helps them take over accounts.
This evolving criminal strategy is part of a $14 billion call center problem. From January 2016 to August 2017, call centers saw a 160% increase in the global fraud call rate, which the report gives as a rise from 1 fraudulent call in every 937 calls to 1 in 769 calls. Additionally, Pindrop® Labs analyzed millions of calls and collected data from the top eight U.S. banks, top five U.S. insurers, and additional enterprise call centers to find recurring techniques used by fraudsters.
Data dealing, spoofing, and voice morphing are only a few methods fraudsters use to access accounts. Additionally, social engineering is often added into a fraudster’s mix of techniques as a tactic to help them get around call center agent procedures.
For example, a fraudster duo known as Mr. and Mrs. Smith is actually one fraudster acting as two. Armed with voice morphing technology, this fraudster may call into a call center to add an “authorized” user (such as a spouse) to an account. If “Mr. and Mrs. Smith” is clever enough, a call center agent may add an “authorized” user without first properly authenticating.
According to Pindrop® Labs, this fraudster uses voice morphing to evade voice biometrics by imitating the victim's voice. Pindrop nevertheless identified the fraudster through a known phoneprint and generated voiceprints for both the male and female voices.
In addition to voice morphing, Mr. and Mrs. Smith utilized social engineering – one of the simplest yet most effective fraudster tactics. Fraudsters know your employees want to deliver a positive customer experience, and they will relentlessly exploit that desire through psychological manipulation. The fraudster will socially engineer a situation to connect empathetically with the call center agent – such as acting like a parent in a hurry – to maneuver around standard authentication or voice biometric standards.
Because each fraudster uses different combinations of techniques, a “one-size-fits-all” authentication solution approach will not detect all fraudsters. Call centers need a multifactor authentication solution that focuses on enhancing customer experience while deterring fraudsters.
To take a deeper dive into the minds of fraudsters like Mr. and Mrs. Smith, read our eBook Part One: Call Center Fraudsters Unmasked. To find out how Pindrop helped identify and deter these fraudsters, be sure to check out Part Two: Call Center Fraudsters Defeated.
Cloudflare, one of the larger content-delivery networks and DNS providers on the Internet, had a critical bug in one of its services that resulted in sensitive customer data such as cookies, authentication tokens, and encryption keys being leaked and cached by servers around the world.
The vulnerability was in an HTML parser that Cloudflare engineers had written several years ago and had recently begun replacing with a newer one. The company was migrating various services from the old parser, written using Ragel, to the new one, and a change made during that process is what caused the bug to activate and begin leaking memory containing private information. The bug was active for several days, and Cloudflare said the most critical period was Feb. 13 to Feb. 18.
“It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself,” John Graham-Cumming of Cloudflare said in a post-mortem on the response to the vulnerability.
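A simplified model of the class of overrun described above, added here as an illustration; it is not Cloudflare's parser or its Ragel-generated code. Cloudflare's post-mortem traced the leak to an end-of-buffer test written with == rather than >=, so a pointer that an action had already stepped past the end of the buffer could never trip the check and the parser kept emitting whatever lay beyond it. The arena, the tag-skipping step, and the function names below are constructed for the demo; the "other request" bytes stand in for neighbouring proxy memory belonging to another customer's request, which is why the leak crossed site boundaries.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical scanner modelled on the Cloudbleed failure mode (added
 * example, not Cloudflare's code). It copies input to output and, when it
 * sees the start of a <script tag, jumps over the tag name in one step,
 * the way a generated state machine advances its pointer inside an action.
 * If the buffer ends in the middle of that tag, the jump lands past pe. */

#define SCRIPT_SKIP 7   /* strlen("<script") */

/* Scan html[0 .. html_len) into out, writing at most out_cap bytes (the cap
 * is what makes the buggy variant terminate in this demo). check_fixed == 0
 * uses the overrunnable p == pe test; check_fixed != 0 uses p >= pe.
 * Returns the number of bytes written. */
size_t scan_html(const char *html, size_t html_len,
                 char *out, size_t out_cap, int check_fixed)
{
    const char *p = html;
    const char *pe = html + html_len;   /* one past the last valid byte */
    size_t n = 0;

    while (n < out_cap) {
        /* The end-of-buffer check is the only difference between variants. */
        if (check_fixed ? (p >= pe) : (p == pe))
            break;

        if (*p == '<' && p + 1 < pe && p[1] == 's') {
            /* "Consume the tag name": advance by the full tag length even if
             * the buffer ends first. This step can carry p beyond pe. */
            p += SCRIPT_SKIP;
            continue;
        }
        out[n++] = *p++;
    }
    return n;
}

/* Constructed demo memory: the HTML being parsed (11 bytes, ending mid-tag)
 * immediately followed by bytes that stand in for another request sitting
 * next to it in the proxy. HTML_LEN excludes that second part. */
static const char arena[] =
    "<p>hi</p><s"
    "SECRET_TOKEN_FROM_OTHER_REQUEST";
#define HTML_LEN 11

/* Returns 1 if the scanner's output contains bytes from beyond the HTML.
 * The cap of 32 output bytes keeps even the buggy scan inside arena
 * (it reads no further than index 38 of 42), so the demo stays memory-safe. */
int leaks_neighbour(int check_fixed)
{
    char out[40];
    size_t n = scan_html(arena, HTML_LEN, out, 32, check_fixed);
    out[n] = '\0';
    return strstr(out, "TOKEN_FROM_OTHER") != NULL;
}

int main(void)
{
    char out[40];
    size_t n;

    n = scan_html(arena, HTML_LEN, out, 32, 0);
    out[n] = '\0';
    printf("p == pe check: %s\n", out);   /* spills neighbouring bytes */

    n = scan_html(arena, HTML_LEN, out, 32, 1);
    out[n] = '\0';
    printf("p >= pe check: %s\n", out);   /* stops at the buffer end */
    return 0;
}
```

The fixed variant stops as soon as the pointer is at or beyond the end; the original form only stops if the pointer lands exactly on it. In a real proxy the bytes past pe are whatever the allocator left there, which is how cookies, tokens and other customers' POST bodies ended up in responses.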
Cloudflare has a massive and diverse customer base that includes companies such as Uber, Yelp, OkCupid, Medium, and 1Password. There is a running list being maintained of all of the known customers, including some that are known not to have been affected by the vulnerability. 1Password is among those who have said their data was unaffected.
The bug had a broad potential effect for Cloudflare’s customers, as well as for the company itself. Because of the way the company’s infrastructure is set up, a request to one Cloudflare site affected by the vulnerability could end up revealing private information from a separate site. Also, search engines routinely cache web content for faster serving, and some of the leaked private data from Cloudflare sites had been cached by Google and other engines.
“The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines,” Graham-Cumming said.
“We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.”
Some of the sensitive data leaked by the vulnerability belonged to Cloudflare itself rather than its customers. Although no customer encryption keys were leaked, an SSL key Cloudflare used to encrypt connections between its own machines did, as did some other internal authentication secrets.
A researcher with Google’s Project Zero discovered the memory leak last week while doing unrelated research, and after confirming what he had found, reached out to Cloudflare’s security team immediately.
“It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output. My working theory was that this was related to their ‘ScrapeShield’ feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers,” researcher Tavis Ormandy of Google said in his initial analysis of the flaw.
“We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users.”
Cloudflare implemented a partial fix for the memory leak within a few hours of Ormandy’s initial report and fully fixed it earlier this week.
UPDATED–The move toward two-factor authentication and two-step verification for high-value services has been a positive one for user security, but many of those services use SMS as the channel for the second step in the authentication process, a method that the United States government is preparing to recommend against using.
The National Institute of Standards and Technology has published draft guidance that recommends against companies and government agencies using SMS as the channel for out-of-band verification. Many services that have deployed 2FA or 2SV as part of the authentication process use SMS to deliver short codes that users then enter into an app or site. However, text messaging isn’t considered a secure channel and NIST is now saying that the use of SMS as a channel for out-of-band verification won’t be permitted in future versions of its Digital Authentication Guideline.
“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number,” the guidance says.
“Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
From a security perspective, the change from NIST is a positive one, experts say. It pushes the authentication industry toward a more secure option and will have an effect on government agencies, which follow the NIST guidance.
“For the average case of a large web service that’s using SMS for two factor, this doesn’t mean SMS is going away. SMS is still far better than no two factor at all,” said Jon Oberheide, CTO of Duo Security, which makes two-factor authentication software.
“For the government, this is a good thing. It’s good from an authentication industry perspective, because it starts moving things forward.”
Another problem with text-based 2FA is that the codes sometimes show up on the lock screen of a user’s phone, allowing anyone within sight of the phone to read the code. The more secure method, which is used by a number of services, including Gmail, is a separate app on the user’s device that generates a unique code that the user then enters on the site.
The NIST guidelines also discuss the use of biometrics, but says that the agency only supports their use as authenticators in limited circumstances. NIST says that biometrics aren’t considered secret and some of them can be obtained by attackers through various methods, making them somewhat susceptible to forgery.
“They can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns for blue eyes),” the guidelines say.
As a result, NIST says biometrics are supported for authentication, but only with an additional factor, such as a password or hardware token.
This story was updated on July 26 to add comments from Oberheide.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
You’re a small business owner running a website through a popular hosting site. You have purchased the unique URL that fits your company, and you set up your website. You muddle your way through figure out SEO, m
What Really Happened
You realize shortly after hanging up with the Google specialist that your website is not displayed on Google’s front search page. You also realize that several withdrawals have been made from your account that you have not authorized. Soon after, you catch on to what has happened. You’ve been scammed, and the fraudsters stole your credit card information. How did this happen?
- Robocalling – Scammers use robocalls to attack a multitude of people quickly while also being able to conceal their identity and location through Caller ID spoofing
- Vishing – Fraudsters use the phone channel to persuade victims to divulge sensitive information, like credit card numbers, to initiate account takeovers
- Impersonation – by falsely implying that they are associated with Google, they are gaining your trust and/or intimidating you with their importance
Google Listing Scam Examples
Another day, another “Google Listing” call – A variation of the robocalls surrounding the Google Listing scam. According to Pindrop Labs research, there are 8 variations of robocalls connected to this scam.
Avoid and report Google scams – A list of scams tied to the Google name.
Pindrop Labs presents Emerging Consumer Scams of 2016 – Pindrop Labs has researched and discovered the 5 emerging phone scams affecting consumers in 2016, including the Google Listing Scam, and will be presenting a webinar on these findings on Wednesday, February 24th from 2:00-2:30pm ET.