Avatar photo

By Vukosi Maluleke

Digital Journalist

Can multi-factor authentication curb call centre fraud?

'Whenever you tighten up one channel against security breaches, fraudsters find another way in' − expert.

Fraudsters are forever finding ways to get their hands on customers data, and call centres have become the latest target.

According to TransUnion’s 2023 State of Omnichannel Fraud Report, call centre fraud is on the rise with criminals attempting to take over customer accounts by guessing answers to security questions.

TransUnion’s research suggests that targeting of agent-led authentication methods over the phone is on the rise, with non-fixed Voice over Protocol (VoIP) posing the greatest risk.

ALSO READ: Police alert – Online banking fraud in Gauteng a rising concern

As an attempt to boost security without compromising customer experience, call centres are switching from knowledge-based authentication (KBA) to multi-factor authentication (MFA), TransUnion’s research indicates.

Why call centres?

Shelley McKeaveney, senior vice president: growth, MEA region at Entersekt, says the rise in call centre breaches can be attributed to tighter security measures across other digital platforms.

“Whenever you tighten up one channel against security breaches, fraudsters find another way in,” said McKeaveney.

She indicated that call centres could be the “most porous channel” since most companies have gone the extra mile to lock their websites with apps and multi-factor authentication.

“Unfortunately, many call centres still rely on knowledge-based questions to verify customer identity, said McKeaveney.

Apart from being time-consuming, the process exposes call centres to phishing attempts, warns McKeaveney.

Beefing up security

According to TransUnion’s report, managers should focus on risk-based authentication which entails a continuous assessment of each user session. TransUnion recommends various multifactor authentication options such as secure one-time passcode (OTP), app-based push notification and biometric authentication using fingerprint or facial recognition.  

McKeaveney said Entersekt has received a growing number of queries from South African corporates looking to boost their call centre security.

She indicated that call centres can use multi-actor authentication in the same way it’s used when browsing to cryptographically bind customers’ digital identities.

“Without too much extra effort, the same principle could be applied to confirm the identities of callers during call centre interactions,” said McKeaveney.

She suggested agents could authenticate a caller using the company’s app whie on the call.

“Once verified, the agent would be assured of the identity and could confidently continue with the call,” McKeaveney explained.

ALSO READ: These are the top threats small businesses face

According to McKeaveney, in-app authentication also facilitates additional verification by using PIN or biometrics.

What about customers without smartphones? McKeaveney says GSM (mobile network) authentication with USSD or SMS can still be used, and made available even for customers who are sceptical about using apps.

“The wonderful thing about the advances we’ve made in context-aware authentication is that companies can deploy the best option for each customer,” said McKeaveney.

If you’re worried about your SIM being cloned or swapped without your knowledge, worry not. McKeaveney said GSM authentication allows for SIM age verification “to ensure there has been no SIM swap”.

Better security, better customer experience

McKeaveney said multi-factor authentication not only boosts customer data protection, but improves customer service by reducing the time spent using the outdated knowledge-based authentication.

“Upfront customer authentication can cut between 15 to 30 seconds off a call,” she said.

McKeaveney notes that African Bank has successfully implemented the USSD option, reducing caller verification time from almost two minutes − through their Entersek system.

“Getting security out of the way before the [actual] call means agents can focus on addressing the customer’s issue, which makes for a better experience all-round,” she adds.

ALSO READ: Simple rules to help you to remain secure online

McKeaveney says companies have a responsibility to safeguard customer data, and protect their call centre agents from fraudsters who are evidently experts at manipulating agents.

“When the best security solution also offers the best customer experience, it begs the question why companies wouldn’t make the change,” said McKeaveney.

Read more on these topics

Cybercrime fraud

Access premium news and stories

Access to the top content, vouchers and other member only benefits