How your bank can fight fraudsters with biometrics

Call centers have come a long way, but new technology can boost security further.

Today’s fraudsters are able to bypass traditional contact center security procedures, so what can banks do to beef up cybersecurity? Biometric authentication, which relies on customers themselves through voice, facial or fingerprint recognition, is one of the tools companies are using to keep customer data secure.

By Katie Kuehner-Hebert

Community banks now have an additional tool to thwart contact center fraud: biometric authentication when customers use their smartphones. Most of the newer smartphone models incorporate biometric authentication capabilities, whether fingerprint, facial or voice. And with more and more people choosing to bank on their mobile devices, it presents an opportunity for banks to shore up their security and customer service with improved functionality.

Biometric authentication is superior to just using passwords, says Conor White, Americas president of biometric authentication company Daon in Reston, Va. “The passwords that are traditionally used were invented in 1960, and when technology is older than me, it’s usually not that good,” he says. “Moreover, passwords weren’t invented to be used on thousands, if not millions of platforms. They don’t scale.”

“The passwords that are traditionally used were invented in 1960, and when technology is older than me, it’s usually not that good.”
—Conor White, Daon

Knowledge-based authentication, such as asking customers personal questions, has also proved to be fairly insecure, White says. Fraudsters can learn a lot about a customer by accessing their LinkedIn profile and reading their Facebook, Twitter and Instagram messages. They can also use social engineering—or tricking someone to give up their personal information—to successfully masquerade as that customer when interacting with a bank.

“It’s particularly successful if a fraudster calls pretending to be someone very important and acts irritable,” White says. “The call center representative who gets graded based on metrics around performance will let them though. It’s a human nature thing.”

Quick stat

70%

of respondents said they would like to use biometric authentication at work

Source: 2019 Veridium survey

White says Daon’s IdentityX platform activates facial, voice and fingerprint biometric sensors embedded in mobile devices. These sensors can be combined in various ways to create a multi-factor authentication system for better security.

A number of community banks now use Daon’s platform directly and through third parties, such as banking platform providers and system integrators that provide call center services for banks on an outsourcing basis, White says. However, Daon’s IdentityX platform prompts a customer to use the biometric sensors on their smartphone to authenticate themselves and alleviate the risk of contact center representatives being duped through social engineering. While there’s “no such thing” as 100 percent security in any authentication measure, biometrics is best, according to White.

“If a fraudster records someone’s voice and tries to use that to get past biometric authentication, we have technology that detects when a recording is being replayed,” he says. “We have an automatic challenge in the biometric voice protocol, and any prerecorded response won’t work.”

IdentityX also includes face “liveness detection” measures to spot fraudsters who download photos from a customer’s LinkedIn profile and then try to use that to authenticate via the facial recognition modality, White says. The person would be prompted to nod or shake their head, smile or blink, and a fraudster using a downloaded photo would fail such tests.

Balancing convenience and security

Another biometric authentication solution for bank contact centers is offered by CallVU in Tel Aviv, Israel. CallVU incorporates fingerprint and facial recognition sensors within smartphones to identify callers. Banks can choose to integrate either or both types of authentication to maximize customer security or ease of use.

For banks, CallVU provides solutions directly or works with integrator companies that provide outsourced contact center services to such institutions, says Ori Faran, the company’s CEO and founder.

Everyone who’s ever created an online login knows how frustrating it can be to have to enter their information or to request a lost password replacement. How does biometric authentication compare in terms of the customer experience? It depends on the modality, but any biometric modality is superior to traditional authentication measures, Faran says.

There is some friction with voice recognition because a person needs to record their voice, although Faran confirms that the process should be seamless afterward. For fingerprint and facial recognition, it’s simple because they already open their smartphones this way.

Knowledge-based questioning can introduce a great deal more friction, especially if a customer can’t remember their last several transaction amounts, Faran says. Contact center managers tell him that representatives ask as many questions as it takes for the customer to get three or four answers right.

However, Faran says that fraudsters can just learn those answers about customers by viewing their information on LinkedIn, Facebook and Instagram, so it’s not the most secure way of authenticating.

Using multifactor authentication

Avivah Litan, a Gartner Research vice president and distinguished analyst in Potomac, Md., says smartphone biometric authentication is a much stronger form of authentication than common methods like standard passwords or even one-time passwords shared with customers via SMS, email or phone calls.

A smartphone serves as a strong authentication factor that is bound to the user’s identity and account at the bank, and the biometric serves as another strong authentication factor that further binds the phone and the user’s identity and account to the user’s physical attributes, Litan says.

“This three-factor authentication method—user ID, account or identity; plus phone; plus biometric—is one of the strongest authentication methods that can be used today across a large population.”
—Avivah Litan, Gartner Research

“This three-factor authentication method—user ID, account or identity; plus phone; plus biometric—is one of the strongest authentication methods that can be used today across a large population,” she says. “Call centers have high fraud rates, especially as online banking controls increase, so strong authentication of callers to call centers is especially needed and welcome.”

Each biometric authentication modality has varying accuracies, but the decision on which one or what combination to use should be made based on user preference and convenience, Litan says.

“Biometric authentication should never be the only factor used to authenticate a customer, as each type is subject to false positives—some more than others,” she says. “So, there must be a backup system in case the biometric authentication fails and the user is indeed legitimate.”


Katie Kuehner-Hebert is a writer in California.

Top