Working alongside the Webex Contact Center team, Pindrop has certified Pindrop® Passport and Pindrop® Protect and added them to the Webex App Hub

We are dedicated to helping our customers quickly and easily authenticate inbound calls, drive automation in the IVR (Interactive Voice Response system), and detect fraud. 

With voice-based authentication methods, contact centers can reduce caller frustration, shorten resolution times, and improve security and compliance.

Using the Pindrop® API Connector within the Webex Contact Center, we seamlessly integrate into contact center call flows, enabling quick setup and easy deployment.

How it works

In any partner integration, Pindrop® Technologies captures a copy of an inbound call and runs a thorough analysis. The analysis of an inbound call is predicated upon a deep, carrier-style integration where the Pindrop® Solution ingests the call audio, metadata, keystroke presses, and other signaling. 

This approach allows our technology to perform an accurate, multifactor analysis of the inbound caller’s voice, device, behavior, network, risk, and liveness. This will help you determine if the caller is a genuine consumer or a fraudster.  

For more insight into how fraudsters operate, check out our article on the fraudster playbook.

Webex Contact Center: Customer SIPREC integration

The diagram below showcases the robust architecture of the Webex Contact Center + Pindrop integration. It illustrates a scenario where a customer using a premise-based Session Border Controller (SBC) routes calls to Pindrop. Pindrop also supports a flexible Bring Your Own Carrier (BYOC) model, allowing you to route calls directly from your carrier. Contact Pindrop to determine if your carrier is supported.

A high-level architectural diagram illustrating the call flow from an SBC to the Cisco Webex Contact Center and then to the Pindrop network for voice authentication and fraud detection.

Key elements of the Webex CC + Pindrop integration

1. Pindrop® API connector

The Pindrop® API Connector enables your organization to establish a secure trust relationship between your Pindrop account and the Webex Contact Center, allowing you to access Pindrop’s voice authentication and fraud detection services seamlessly. 

Once the trust relationship is established, integrating Pindrop’s capabilities is as straightforward as making HTTP requests within your Webex CC call flows. These requests allow you to initiate voice authentication, detect fraud, capture key data points for analysis, and make intelligent routing decisions.

2. Easy-to-use agent UI

Pindrop has constructed a pre-built agent user interface, delivered through the Webex Contact Center agent desktop. 

This helps implement Pindrop intelligence and policy-driven instructions to Webex Contact Center agents as clearly and intuitively as possible. This user-friendly interface helps agents easily understand and apply Pindrop’s capabilities in their daily operations. 

A view of Pindrop's pre-built agent user interface. It showcases call risk status, phone number, call duration, and more.

3. Supportive resources for self-guided implementation

To simplify the process, we have authored a detailed user guide that provides clear, step-by-step instructions to help contact center administrators implement Pindrop® Solutions in their Webex Contact Center environment. 

Additionally, Pindrop resources are readily available for support and guidance, ensuring a smooth and successful integration. 

Real-world success

Some of the largest banks, credit unions, insurance companies, and healthcare providers in the world trust Pindrop to combat fraud and deliver secure, efficient customer service. To read more about how Pindrop integrates with other leading contact center platforms, check out our posts on Five9 + Pindrop authentication and fraud detection or how to integrate Pindrop® Solutions and Genesys Cloud CX.

Ongoing collaboration and future development

At Pindrop, we’re committed to continuous innovation and close collaboration with the Webex Contact Center. We adapt our solutions to address evolving customer needs. Our teams actively monitor and enhance the current integration, exploring new capabilities to support future use cases.

Do you have a call center challenge you’d like Pindrop and Webex Contact Center to address? We’d love to hear from you.

Pindrop Protect & Passport: Discover the Power of Multifactor Authentication

Join this webinar to learn more about the balancing act of security and customer experience. Pindrop Protect + Passport provides a single platform for passive, multi-factor authentication and anti-fraud at every point of every call.


Discover the power of multifactor authentication & fraud detection for contact centers.

Pindrop’s integrated platform establishes a risk foundation across the platform and enables end-to-end integration from pre-ring to disconnect. Featuring five technologies on one platform, Pindrop’s authentication and fraud detection products offer holistic scoring.

Featuring Scott Engels, Director of Global Sales Engineering for Pindrop, this webinar gives a high-level overview of the application of Pindrop products in call centers and offers a live look at these solutions.

Improve customer experiences

Enable automatic authentication for trusted callers

Risk mitigation and protection against fraudster attacks

Reduce call handling times

Reduce operational costs, fraud losses, and customer churn

Your expert panel

Scott Engels

Director, Global Presales Engineering, Pindrop

One-Time Passwords (OTPs) were created to help enhance security, as they can protect you from an identity theft attack. OTPs can take the form of automatically generated numbers that are sent to your cell phone or specific text/word strings that the user needs to recite in order to capture their voice sample. OTPs are often used for the purpose of account login, identity verification, device verification, or password recovery. However, the protection OTPs once offered has diminished and users today can be easily deceived. Through deception, a fraudster can steal your personal data to gain access to your bank accounts and other valuable data.

Fraudsters can use various platforms, including social media, phone calls, and online chat applications, to trick their victims into revealing personal information. They can use various schemes to induce the victims to share their OTPs, such as encouraging the victim to join a contest or telling the victim that s/he has won a prize¹. They can impersonate government or bank officials, technical support staff, or the victim’s friends to access personal details and accounts. For example, a fraudster can call the victim, pretending to be a telecom technician, and tell the victim that their account was compromised by a hacker. After that, the fraudster can instruct the victim to download an application so that the telecom company can conduct investigations. This way the fraudster can remotely access the victim’s computer and ask the victim for bank login details and an OTP, claiming to check whether the victim’s account has been compromised. If the victim provides these details, the fraudster can transfer the money in the victim’s account to another account.

Here are some key reasons why OTPs might not provide the best security to use for authentication:

  • Increase in Average Handle Time (AHT): Customers may have long waits to receive OTPs depending on their phone signal strength or may not have instant access to their cell phone. This will increase the AHT and create a bad customer experience, especially for genuine callers. This is definitely a problem with significant financial consequences any company would want to avoid. A couple of years ago, Forbes reported that businesses lost $75 Billion due to poor customer service.²
  • Increase in Cost: To provide a customer with an OTP, companies have to pay a certain amount per SMS-based OTP. Depending on the customers’ cell phone carrier, they may encounter bad signals and delay the delivery of the OTP. If customers have to request an OTP multiple times, the companies’ costs will only grow. Additionally, the increase in costs might also include headcount. If OTPs are adding handle time to every call, will that require more employees?
  • SimJacking: Based on the most recent Facebook breach³, we know that almost half a billion phone numbers and their corresponding Facebook accounts were exposed. The leak of phone numbers could potentially make a huge number of users prone to SIM swap-type fraud. In addition to a list of these numbers, fraudsters can also buy digital files packed with personal data and account details sourced from mass online data breaches and cyberattacks, to open an account in their victim’s name. If fraudsters combine this with other details, potentially obtained separately through either social engineering or online searches, and gather enough information to pass security questions at the respective mobile network operator, they could theoretically register a new SIM. The victim’s SIM could also get deregistered, and the answers to security questions changed to new information that no longer matches the victim’s, allowing the fraudsters to take over the victim’s account and block the victim’s attempts at correcting the situation.
  • Diminished Impact on Security: Over time, fraudsters adapted and found ways to beat OTPs. Simple, quick turnarounds such as calling the bank pretending to be the victim and getting the bank to send the OTP followed by a call to the victim, pretending to be the bank and asking the victim to read back the code on the text message, are low tech.
  • Added Friction: OTPs add an additional layer of identity verification and authentication burden on the consumers. The extra time required to process the OTP and the additional work the consumer needs to do diverts the focus of the conversation and delays the resolution of the consumer’s issue. This friction could result in lower Net Promoter Scores and reduced customer satisfaction.  

 

Today, many companies are still using OTPs for authentication purposes and those who use them could face higher costs and unhappy customers. Therefore, the importance of having an authentication technology based on credentials and risk criteria extracted from a call clearly stands out – especially if such decisions are automated and governed through a flexible policy engine aimed to build trust for genuine callers. There are other ways to establish trust in a customer interaction without creating the additional cost and friction of OTPs. For example, you can use spoof detection techniques to determine whether an incoming call is spoofed or not and whether you can trust the call. For further security and identity verification, you could deploy multi-factor, risk-based authentication processes that allow you to leverage other factors like certain behaviors, voice, and device.

Ready to ditch your OTPs to better deal with those on the prowl? Pindrop can help. Contact us.

¹Wong, Cara; The Straits Times, “Scammers tricked more people into revealing their OTPs last year; victims lost more than $15 million” (https://www.straitstimes.com/singapore/scammers-tricked-more-people-into-revealing-their-otps-last-year-victims-lost-more-than-15), April 1, 2020, straitstimes.com
²Hyken, Shep; Forbes, “Businesses Lose $75 Billion Due To Poor Customer Service” (https://www.forbes.com/sites/shephyken/2018/05/17/businesses-lose-75-billion-due-to-poor-customer-service/?sh=2d33a02016f9), May 17, 2018, forbes.com
³Cunningham, Ben; Pindrop, “Facebook Breach Means More Munitions for Fraudster ATO attempts” (https://www.pindrop.com/blog/facebook-breach-means-more-munitions-for-fraudster-ato-attempts/), April 6, 2021, pindrop.com
Patterson, Dan and Kates, Graham; CBSNews, “We found our personal data on the dark web. Is yours there, too?” (https://www.cbsnews.com/news/we-found-our-personal-data-on-the-dark-web-is-yours-there-too/), March 25, 2019, cbsnews.com

A security researcher has discovered a method that would have enabled fraudsters to steal thousands of dollars from Facebook, Microsoft, and Google by linking premium-rate numbers to various accounts as part of the two-step verification process.
Arne Swinnen discovered the issue several months ago after looking at the way that several of these companies’ services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that the companies made a mistake in not checking to see whether the numbers that users supply as contact points are legitimate.
“They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP,” Swinnen said in a post explaining the bug. “Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number.”
For services such as Instagram and Gmail, users can associate a phone number with their accounts. In the case of Instagram, users can find other people by their phone number, and when a user adds a number, Instagram will send a text to verify the number. If the user never enters the code included in the text, Instagram will eventually call the number. Swinnen noticed that Instagram’s robocallers would call any number supplied, including premium-rate numbers.


“As a PoC, 60 additional calls were made in an automated fashion with Burp Intruder, each with 30 seconds throttle in between. This concluded the theft of one symbolic pound over the course of 17 minutes,” Swinnen said.
“One attacker could thus steal 1 GBP per 30 minutes, or 48 GBP/day, 1.440 GBP/month or 17.280/year with one [instagram account, premium number] pair. However, a dedicated attacker could easily setup and manage 100 of these pairs, increasing these numbers by a factor 100: 4.800 GBP/day, 144.000 GBP/month or 1.728.000 GBP/year.”
Swinnen said that the same number could be linked to any number of different Instagram accounts, upping the amount of money that an attacker could steal. Facebook, which owns Instagram, patched the issue and paid Swinnen a $2,000 bug bounty for the submission.
Google and Microsoft had similar issues, although with different systems. Google will use a mobile phone as a part of its two-step verification system, and will sometimes place a phone call to a number to give the user a six-digit token for authentication.
“Entering a premium number here would result in a phone call from Google, but the number would be blocked after a few attempts when no valid token is entered. However luckily, eurocall24.com supported forwarding the call to a SIP server (“Callcentre”) and consuming them with a SIP client (Blink in this case) so I could actually hear the message out loud,” Swinnen said.
Once he got past the registration process, Swinnen was able to set up a system that would execute logins and generate the phone calls.
“First, the call destination for the premium number on eurocall24.com was modified to a standard ‘conference service’, so I wouldn’t be bothered by it anymore. Then, a selenium script to login with username & password to the 2FA-protected account was recorded with the Firefox IDE plugin & exported to alogin.py python script. Last but not least, a second quick & dirty python script loop.py was designed to execute the former one every 6 minutes and executed. Two hours and 17+1 (enrollment) calls later, the symbolic Euro was mine again.”
Microsoft’s problem was with its Office 365 service, specifically with free trials. By prepending or appending zeroes or random digits to premium-rate numbers entered as part of the trial registration process, Swinnen could cause Microsoft’s system to call the numbers many times over.
“On top of this, Microsoft allowed concurrent calls to the same premium number. Eurocall24.com limits the number of concurrent calls from one source address to one of its premium numbers to 10, so a PoC was performed where 2*10 concurrent calls were made within less than one minute, yielding a little more than 1 EUR profit,” Swinnen said.
Both Google and Microsoft put mitigations in place to address the problems, and Microsoft paid Swinnen a $500 bounty. Google didn’t award a bounty.
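
The checks whose absence the article describes (no premium-rate screening, zero-padded variants treated as new numbers, concurrent calls to one destination) can be sketched as follows. This is an added Python example, not code from Swinnen's post or from any of the vendors; the `PLAN` table, the sample numbers, and the limits are constructed for illustration, and a real deployment would use a maintained numbering-plan source.

```python
import re
from collections import defaultdict

# Constructed, simplified numbering plan (assumption, not a complete list):
# country code -> (national number length, premium-rate national prefixes).
PLAN = {"1": (10, ("900",)), "44": (10, ("9",))}

class Rejected(ValueError):
    """Raised when a number must not receive an automated voice call."""

def canonicalize(raw):
    """Return one E.164 string per real destination, or raise Rejected."""
    digits = re.sub(r"[\s().-]", "", raw)
    if not re.fullmatch(r"\+?\d+", digits):
        raise Rejected("not a phone number")
    digits = digits.lstrip("+").lstrip("0")      # '+', '00' prefix, zero padding
    for cc, (length, premium) in PLAN.items():
        if digits.startswith(cc):
            national = digits[len(cc):].lstrip("0")   # trunk zero or padding
            if len(national) != length:               # appended or missing digits
                raise Rejected("wrong length")
            if national.startswith(premium):
                raise Rejected("premium-rate range")
            return "+" + cc + national
    raise Rejected("unsupported country")

class VoiceOtpGate:
    """Throttle per canonical number, so padding or extra accounts do not help."""
    def __init__(self, max_calls=3, window=3600):
        self.max_calls, self.window = max_calls, window
        self.history = defaultdict(list)   # number -> start times of recent calls
        self.active = set()                # numbers with a call in progress

    def request_call(self, raw, now):
        number = canonicalize(raw)
        if number in self.active:          # no concurrent calls to one number
            raise Rejected("call already in progress")
        recent = [t for t in self.history[number] if now - t < self.window]
        if len(recent) >= self.max_calls:
            raise Rejected("rate limit reached")
        self.history[number] = recent + [now]
        self.active.add(number)
        return number

    def call_finished(self, number):
        self.active.discard(number)
```

Because the limits are keyed on the canonical number rather than on the account or the raw input string, linking one number to many accounts draws on a single shared call budget.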
