Can multi-factor authentication curb call centre fraud?
'Whenever you tighten up one channel against security breaches, fraudsters find another way in' − expert.
Call centre agents need protection from fraudsters who are experts at manipulation. Picture: iStock
Fraudsters are forever finding ways to get their hands on customers data, and call centres have become the latest target.
According to TransUnion’s 2023 State of Omnichannel Fraud Report, call centre fraud is on the rise with criminals attempting to take over customer accounts by guessing answers to security questions.
TransUnion’s research suggests that targeting of agent-led authentication methods over the phone is on the rise, with non-fixed Voice over Protocol (VoIP) posing the greatest risk.
As an attempt to boost security without compromising customer experience, call centres are switching from knowledge-based authentication (KBA) to multi-factor authentication (MFA), TransUnion’s research indicates.
Why call centres?
Shelley McKeaveney, senior vice president: growth, MEA region at Entersekt, says the rise in call centre breaches can be attributed to tighter security measures across other digital platforms.
“Whenever you tighten up one channel against security breaches, fraudsters find another way in,” said McKeaveney.
She indicated that call centres could be the “most porous channel” since most companies have gone the extra mile to lock their websites with apps and multi-factor authentication.
“Unfortunately, many call centres still rely on knowledge-based questions to verify customer identity, said McKeaveney.
Apart from being time-consuming, the process exposes call centres to phishing attempts, warns McKeaveney.
Beefing up security
According to TransUnion’s report, managers should focus on risk-based authentication which entails a continuous assessment of each user session. TransUnion recommends various multifactor authentication options such as secure one-time passcode (OTP), app-based push notification and biometric authentication using fingerprint or facial recognition.
McKeaveney said Entersekt has received a growing number of queries from South African corporates looking to boost their call centre security.
She indicated that call centres can use multi-actor authentication in the same way it’s used when browsing to cryptographically bind customers’ digital identities.
“Without too much extra effort, the same principle could be applied to confirm the identities of callers during call centre interactions,” said McKeaveney.
She suggested agents could authenticate a caller using the company’s app whie on the call.
“Once verified, the agent would be assured of the identity and could confidently continue with the call,” McKeaveney explained.
According to McKeaveney, in-app authentication also facilitates additional verification by using PIN or biometrics.
What about customers without smartphones? McKeaveney says GSM (mobile network) authentication with USSD or SMS can still be used, and made available even for customers who are sceptical about using apps.
“The wonderful thing about the advances we’ve made in context-aware authentication is that companies can deploy the best option for each customer,” said McKeaveney.
If you’re worried about your SIM being cloned or swapped without your knowledge, worry not. McKeaveney said GSM authentication allows for SIM age verification “to ensure there has been no SIM swap”.
Better security, better customer experience
McKeaveney said multi-factor authentication not only boosts customer data protection, but improves customer service by reducing the time spent using the outdated knowledge-based authentication.
“Upfront customer authentication can cut between 15 to 30 seconds off a call,” she said.
McKeaveney notes that African Bank has successfully implemented the USSD option, reducing caller verification time from almost two minutes − through their Entersek system.
“Getting security out of the way before the [actual] call means agents can focus on addressing the customer’s issue, which makes for a better experience all-round,” she adds.
McKeaveney says companies have a responsibility to safeguard customer data, and protect their call centre agents from fraudsters who are evidently experts at manipulating agents.
“When the best security solution also offers the best customer experience, it begs the question why companies wouldn’t make the change,” said McKeaveney.