What Does a Customer Experience When You Handle Fraud the Right Way?

PositiveCX.jpg

By: Tim Prugar

This morning, tens of millions of Americans woke up and experienced the same, sinking feeling:

Was my information exposed in the Equifax Breach? Am I at risk for being a victim of fraud?

As a business, your customers are frightened right now. They're worried about their accounts, and their identities, and the lives that they have worked hard to build for themselves and their families. What they want more than anything is the peace of mind that if something goes wrong, it can and will be taken care of in a timely fashion.

I know that feeling well - last month I was the victim of credit card fraud. The feelings above were real, and they were intense. However, my bank was able to transform a very scary experience into a positive one by making it easy to have my problem addressed and fixed. The fundamental tension in fraud prevention is between Customer Experience and Security. However, as you'll see here, those two can very easily work hand-in-hand to protect the customer while ensuring loyalty. 

My story, originally posted over at CustomerThink, is as follows:

Speed

I had just become the victim of credit card fraud.

While sitting at my desk, I received an email alert from my bank — one of the largest in the United States — that my credit card had just been used in Iowa. Of course, I wasn’t in Iowa. And I hadn’t used my credit card in nearly three weeks.

Upon looking, to me, it was an amount that clearly showed someone was testing the card to see if it would go through — often the first step in a fraudster’s bag of tricks.

My bank prompted me to confirm the purchase — “Was this your purchase, or is something wrong?” it read. They had started on the right foot, and with 15% of banking customers who experience fraud closing all accounts with that provider, the bank knew the next steps were just as critical to keeping my business.

I clicked “something is wrong” and my card was immediately frozen. I called the support number listed in the email, was quickly authenticated by the bank, and in less than five minutes, my card was closed, the fraudulent transactions reversed, and a new card was on its way.

Efficiency

Chances are, you or someone you know has or will be a victim of credit card fraud. According to the consumer financial protection bureau, more than 10% of the US will fall victim at some point in their lifetime; indeed, the United States accounts for 47% of the world’s credit card fraud cases.

To combat this, companies are always improving their security. For example, the advent of EMV, the smart chip on your card, has led to a decline in total losses in recent years, as it has become more difficult for some fraud acquisition techniques like card skimming.

So where do high-tech fraudsters turn when they’re thwarted? The weakest link, of course. And today that is the call center. The place where customers are earned and lost.

In 2016, call-center fraud rose more than 110%. Financial institutions authenticating primarily through ANI — automatic number identification — were startlingly vulnerable to attacks carried out by phone spoofing, which remains a heavily relied upon technique for fraudsters.

Shoring up this vulnerability is a fine line for financial institutions to walk.

Too little security and perpetrators of fraud can easily game the system. Too much security, and you’re putting an already aggravated customer through the ringer.

The worst thing a bank can do is handle this poorly: bouncing someone between multiple agents, poorly thought out knowledge based authentication question that either the person may not know the answer to, or a fraudster may be able to figure out through social media, long hold times, etc.

You need a system that does this, and does it quickly, so a customer can get on with their day as quickly and efficiently as possible.

Positivity

Ironically, having my credit card stolen ended up being a pleasant experience, because now I’ve got a great story to tell — a firsthand account of how a powerful authentication system can transform the customer experience in fraud cases.

How a company handles fraud and makes the customer feel is important; a company has the same responsibility as when they’re trying to convince a customer to buy. If someone has a terrible experience dealing with the counter-fraud measures of their banking institution — that can derail the entire relationship.

Speed is a factor in situations like this, and with a solid authentication system in place, my bank and I can operate with trust and peace of mind that I am who I say and solve the problem at the speed I desire as the victim. I want to get a person on the phone as quickly as possible.

When a company can authenticate a caller quickly, they chop off the clunky knowledge based process at the beginning of the call and it allows them to green light calls like mine.

The primary benefits are twofold: identifying fraudulent calls and beginning the procedures on dealing with such calls, or authenticating the call quickly before any further damage is done by a perpetrator of fraud.

Who knows what the damage of an additional 5, 10 or even 30 minutes means in terms of fraud — but we can stop the damage before it gets that far.

When companies use efficient technology to put the customer experience first while simultaneously demonstrating a commitment to strong security measures, everyone comes out ahead.

Even though my account was compromised, even though there was fraud — I walked away with a positive feeling about the company, because of the efficiency of how my case was handled.

With brand loyalty harder than ever to win, and fraudsters continuing to evolve the way they commit attacks, smart organizations will do well to bake fraud prevention into their CX.

 

Tim Prugar is the VP of Operations at Next Caller. He can be reached at tim@nextcaller.com.

Will Biometrics Change the Way Your Business Accepts Payments?

By: Tim Prugar

Yes. Yes they will. But Payments will also change the way that Biometrics are leveraged for security. 

Technology has widened the chasm between small businesses and behemoth competitors like Amazon and Alibaba. This becomes most clear in the payments space, where smaller merchants struggle to process the volume and speed of transactions with the technological innovation that larger firms can afford. Small Business Trends took a look at the role biometrics plays in payments, and had an interesting takeaway:

Biometrics is not a Binary

Well, shouldn't be a binary anyway. Biometric identifiers don't get scored as "Correct" or "Incorrect" like knowledge-based identifiers do (Either "Appetite for Destruction" is your favorite album or it isn't!). Instead, authentication solutions look for the probability of a match based on a number of traits or signifiers - once that probability crosses a certain threshold, it's deemed a "match." 

The most effective biometric systems increase the probability that a biometric identifier is deemed a match by marrying that fingerprint or iris or what-have-you to other data signals. As the article points out, fingerprint biometrics can have their efficacy increased when paired with data signals like geolocation or Device ID. Similarly, Jack Ma made Alipay more secure by marrying the "Selfiepay" concept with smiling or nodding as a movement captcha. 

But what about Voice Biometrics?

Voice biometrics are an effective solution for authenticating callers and detecting fraud. Without additional data points, however, Voice Biometrics fails to meet its full potential. 

Here's what Voice Bio can leverage to get even smarter:

Dynamic Blacklists - If a call is coming from a known fraudulent number, a suspicious international number range, or a compromised account- why treat it as a basic customer call? Leverage this information, much of which can be accessed via API in near-real-time, to flag calls before they even reach you Biometric Authentication. 

Spoof - According to Next Caller's research, 94% of all fraudulent attacks on the call center leverage ANI spoofing as one of the methods to gain access.  Smart call centers use information about whether a call is spoofed to "green light" a call for an agent or flag that call for further scrutiny. 

Geolocation - Where should your caller be? If they're somewhere else - that's a solid indicator to at least take a second look at a call. 

Again, all of the above information is available in near-real-time, much faster than a Voice Biometric Authenticator can perform an analysis. 

The next major wave of Biometric Security won't be the implementation of the solutions, but the marrying of data that makes those solutions smarter. 

 

Tim Prugar is the Director of Customer Success at Next Caller. He can be reached at tim@nextcaller.com

What You Can Expect After the Verizon Breach

By: Tim Prugar

Yesterday, ZDNet broke the story that a data breach at Verizon resulted in the exposure of the names, phone numbers, and PINs for over 14 million Verizon customers. The data was accessed in June after it was discovered to be improperly stored on a server maintained by Nice Systems, an Israel-based company. 

The scope of the damage has yet to be established, but here are some safe bets on what you will see in the wake of this breach:

Explosion of Call Center Fraud at Verizon

Obtaining customer names, phone numbers, and PINs is pretty much the Holy Grail for fraudsters. Having this information allows fraudsters to order new handsets, obtain additional personal information for a secondary attack, set up call forwarding, or engage in number porting. Attacks using this information will almost always center around spoofing, and will most likely look something like this:

1) Fraudster researches the individual who owns the account they wish to breach online or through social media to figure out the answers to Knowledge-Based Authentication Questions.

2) Fraudster spoofs the number of the account they're attacking in order to present a matching ANI to the IVR system or the live agent.

3) Fraudster gives the name they've obtained from the breach to the agent when they reach a live person.

4) Fraudster gives the PIN they obtained through the breach. If there are any Knowledge-Based Authentication questions, Fraudster answers them easily based on their prior research. They're in. The Account Takeover is complete. 

 

Exploitation of Two-Factor Authentication (2FA)

Fraudsters will attack the Verizon Call Center directly - but for most fraudsters this will be the first step in a two-step plan. 

Many banks leverage 2FA to ensure the security of the accounts. 2FA largely relies on mobile devices, leveraging callbacks or SMS messaging to ensure the security of the customer. 

As Fraudsters set up call forwarding or port numbers during their primary attack on the Verizon Call Center, they will have the ability to intercept this 2FA from financial institutions. By successfully navigating this authentication process, fraudsters can attempt to execute wire transfers, open lines of credit, order replacement credit cards, or any amount of nefarious behavior. Expect fraudsters to leverage spoofing once again to present as the compromised customer to the financial institution to execute this plan. 

 

Increased Attacks on ISPs

We predicted in this post that ISPs would encounter "Hacktivism" and retaliatory breaches in the wake of the Net Neutrality debate. There isn't evidence yet that this breach is a direct result of internet unrest, but ISPs would be wise to batten down the hatches on their cyber and telephony channels. 

 

Tim Prugar is the Director of Customer Success at Next Caller. He can be reached at tim@nextcaller.com.

 

 

Speed Read: How to Hack Biometrics

Hot off the presses, two quick articles to start your week. Both on the subject of hacking biometrics, voice or otherwise. 

  • The Register breaks down how scientists are trying to identify and stop the methods that hackers and fraudsters circumvent voice biometric authentication systems. SPOILER ALERT: spoof plays a major role. 

 

  • A lively debate focusing on the "hackability" of biometrics. It looks like the question isn't if biometrics can be hacked, but how easy it is to do. 

 

Click to learn more about Next Caller's unique approach to real-time caller authentication and fraud prevention.

3 Lessons Contact Center Leaders Can Learn From WannaCry

By: Tim Prugar

     The transnational WannaCry Ransomware Attack exploded across the internet early Friday Morning on May 12th, and it’s aftershocks are still being felt early this week as some machines in Asian Markets are being booted up for the first time after the weekend. For the curious, Nicole Perlroth over at the New York times provides an outstanding overview of the background events leading up to this cyber attack, but the basic facts are relatively simple. A hacker or team of hackers identified a vulnerability in the Server Message Block (SMB) Protcol in Microsoft Software, and put together a ransomware attack that spreads through a system’s file-sharing capabilities. The attack would immediately encrypt all of the system’s files, demanding a Bitcoin payment for the de-encryption and safe release of the pertinent documents. The attack, like many, was unleashed via a simple phishing ploy – an unsuspecting victim downloaded and opened a file they shouldn’t have that contained the malicious software. The rest was a nightmare for the cybersecurity community.

     While the WannaCry threat can reasonably be classified as “cyber terrorism”, and patches to protect machines from being infected have already been issued, Information Security Officers should use this incident as an opportunity to pull lessons about protecting all channels from attacks from bad actors. What can fraud experts, CISOs, and Call Center Leaders learn from the WannaCry attacks?

 

1. The Human is the Weakest Link In the Fraud Chain

The methods through which WannaCry spread and replicated may have been automated, but the door for access was opened by a human being. Basic social engineering is at the heart of many of these phishing, SMSishing, and vishing scams, and the phone is one of the most lucrative channels for manipulating a human being to a desired end. CISOs and Call Center Leaders should be investing heavily in training agents to identify and recognize common social engineering methods and tricks, and should consider exploring technologies that are able to identify calls real-time that have been spoofed or otherwise manipulated. There is a high correlation between ANI Spoofing and phone fraud attempts, so more information allows agents to “trust but verify” with more complete data.

 

2. The Cost of Attacks Go Beyond Money

     The big story of the WannaCry attacks isn’t the absolute value of the money extorted (some reports have it at less than $60,000), but the “collateral damage” losses of disruption to services, man hours lost, and even potential health implications. The WannaCry ransomware didn’t just infect computers in a vacuum – it infected computers at Universities, the British National Health System, train stations in Germany, and multi-national corporations based out of France and China. Similarly, when fraud teams do cold “dollars and cents” cost benefit analyses of fraud solutions for the Contact Center, they often look only at their absolute number of fraud losses, and compare that to the cost of the solution. CISOs and Contact Center Leaders should look at the problem holistically: How much time are we losing due to caller authentication? Can we quantify the damage being done to our brand due to fraud and data breaches? Are fraudsters leveraging information stolen at the contact center level to make larger, more costly fraud attacks elsewhere?

 

3. Hackers and Fraudsters Are Very, Very Good At Exploiting Vulnerabilities

     Some hackers and fraudsters are organized criminal enterprises; others are impish troublemakers. Either way, these people are experts at identifying weaknesses in security systems and exploiting them for their own gain. Just as the architects of the WannaCry attack masked their malicious software to get a foot in the door, so too do those looking to commit account takeover or identity theft through the Contact Center mask their phone number to minimize the likelihood of detection. By using ANI Spoofing, fraudsters look to mimic the phone number of an existing customer to bypass ANI-matching authentication procedures, or look to mimic a completely random phone number to hide their own identity. Either way, these fraudsters are leveraging spoof as the main method for their attacks, and any technologies that can detect these spoofing attempts real-time provide an added layer of much-needed security at the Contact Center level.

 

     So what can CISOs and Contact Center Leaders do in the wake of the WannaCry attack to ensure that all channels are adequately defended from bad actors?

     Security Leaders would be wise to conduct a thorough audit of Contact Center authentication and security protocols to ensure that vulnerabilities and weaknesses in the call flow are identified, isolated, and addressed in a timely fashion. Tools such as blacklists, voice biometrics, and anti-spoof technology are all strong safeguards to keep bad actors out, but they are used best in tandem as a layered solution to provide the highest possible level of Contact Center security.

 

Tim Prugar is Next Caller's Director of Customer Success. He can be reached at tim@nextcaller.com.

Three Strategies for Call Center Optimization

Artist's rendering of Michael Cho dictating a blog post.

Artist's rendering of Michael Cho dictating a blog post.

Next Caller Philosopher-King Michael Cho was recently asked by Execs in the Know, a global network of customer experience professionals, to put together some thoughts for a guest blog post. You can read Michael's insight on optimizing the call center not only for excellent customer service, but also to increase revenue below:

Michael's Guest Post at Execs in the Know

So Sayeth The Times: 3 Reasons Why Biometric Authentication Should Give You Pause

 

In Tuesday's New York Times, the Room for Debate blog took on concerns surrounding the growing use of biometric authentication in the banking sector. Typically these arguments are more polarizing, with a traditional "A IS GOOD vs. A IS TERRIBLE!" style of debate. But when it came to Biometrics, something interesting happened: both sides agreed that Biometric Authentication is an imperfect, and sometimes deeply flawed, science. They merely disagreed on the implications of that for banking security. 

Look, Biometric Authentication is LIGHT YEARS ahead of static passwords and easily-researchable security questions. It's here to stay. The debate isn't whether or not banks should utilize biometric authentication - the debate is whether these financial behemoths should be relying on biometrics as their sole, or even their main, first-stage fraud solution. To make a football analogy, the Carolina Panthers would never say to their quarterback "Hey, Cam, you're revolutionizing the quarterback position and doing things we never thought possible - we can just rely on you and don't need to have an offensive line, or receivers, or running backs - I'm sure you can do it all and won't fail." No coach would ever say that. Of course not. After all, that's the Chicago Bears' patented offensive strategy. 

                                Not Funny, Tim.

                                Not Funny, Tim.

So let's take a deeper dive into the challenges presented by Biometric Authentication:

1. Just Because It's Biometric Doesn't Mean It's Not Data

Target. Snapchat. Ashley Madison. Data breaches that have exposed the personal information, home addresses, credit card information, or even Social Security Numbers of customers and employees have made front page news on dozens of occasions. As Claire Gartland of the Electronic Privacy Information Center points out, citizens have action steps they can take when this type of information is released. They can cancel cards or apply for new SSNs. But what recourse do people have when biometric information is leaked? The Office of Personnel Management has already admitted that 5.6 million fingerprints were stolen in a recent data breach, and hackers have already shown their ability to replicate fingerprints and iris scans to game security systems. Voice biometrics has similar flaws. If your customer data can be breached, so too can your biometric data (regardless of the encryption or tokenization).  

 

2.  Do Your Customers Trust You?

Just because I'd let my friend hold $100 for me doesn't mean I'd trust him to hold onto my fingerprints and DNA. I've seen enough Law & Order to know better. Biometric authentication brings about very real Orwellian concerns on behalf of consumers. What are you going to do with this information? What assurance do I have that this will only be used for authentication? While James Lewis of the Center for Strategic and International Studies writes these concerns off as "nervous dystopian projections" and "irrational" (ouch!), the comments show a very different perception of this development in technology. 

                   "I, for one, welcome our new Biometric Overlords!"

                   "I, for one, welcome our new Biometric Overlords!"

3. Impact on Customer Experience

The number one concern for Fraud Analysts is "Catching and Stopping Fraud." However, "Limiting False Positives" and "Ensuring a Seamless Customer Experience" finish a close second and third. Biometric Authentication can have serious impacts on both of those exceedingly important CX metrics. Will MasterCard spring for me to become better looking if my face is consistently judged not to be my actual face? Voice biometrics necessitate 15-30 seconds of analysis at the time of connection on a call - increasing average handle time and also increasing customer frustration at the outset. Biometric authentication also requires certain technologies that can serve as a barriers-to-entry for customers that may not be able to purchase smart phones. Are banks going to be in the business of only offering security to those who can afford it?

So What Now?

While the debate in the Times cast a significant amount of doubt on the viability of Biometric Authentication as the sole solution for banks, we should refrain from throwing out the baby with the bathwater. Biometric Authentication is an enormously promising development in the world of security, but it is a mistake to view this development as a panacea, or a reliable sole method for thwarting fraudsters. Banks who are looking to increase first-stage fraud prevention at the payment and call center level would be wise to combine known fraudster block lists, Biometric Authentication, and carrier and transaction level metadata to best defend against nefarious attacks and protect their customers' assets...and peace of mind. 

By: Tim Prugar (tim@nextcaller.com)

 

About Customer Authentication

 by Laura Zegar (@LauraKZegar)

“Why do I always have to give the customer service rep my information again when I’ve already entered it in the automated phone system?”

Those were the first words out of my sister’s mouth when I told her I was writing a customer experience blog post on caller authentication. She’s asked that question many times. I’m sure you have, too.

Many callers dread a cumbersome authentication process. Who can blame them? Too much customer effort erodes the overall customer experience. Ask your customers to authenticate multiple times on one phone call or assign them complicated passwords, and they just might switch to your easy-to-do-business-with competitor.

American customers spend approximately 15 billion minutes per year on authentication. Guess who spends all those minutes with your customers? That’s right – your contact center agents. Over 25% of agent call handle time is spent solely on authentication.

Chances are, you can’t complete any revenue-generating business transactions with these customers until they’re successfully authenticated. Translation: You don’t make a single cent until you’ve verified your caller.

So how exactly does a poor authentication process impact the customer experience? Let’s walk through some common scenarios.

First, customers must manage multiple PINs, passwords and authentication questions across numerous service providers. Recalling the correct information for a specific provider is often challenging, particularly if your authentication includes complicated PINs or passwords with no significance to the customer.

Example: Bob calls your customer service number and attempts to authenticate in the IVR for a self-service transaction to verify his balance due. Unfortunately, he quickly realizes he can’t remember his PIN. He enters several of his commonly used PINs, hoping that one will successfully identify him. After multiple failed authentication attempts, Bob must either transfer to an agent for assistance or hang up and call back once he locates his PIN.

Not a good start to what should be a simple self-service transaction.

Even if customers know their credentials, their next hurdle is successfully completing the authentication in your IVR. Multi-layered authentication prompts may be confusing, or the IVR may not recognize a customer’s speech or accent. If your technology isn’t customer-friendly, your customers will either involuntarily transfer to an agent or, worse, voluntarily skip the IVR authentication process on future calls.

Example: Mary decides to call your customer service number, prepared with her PIN in hand. She selects the Spanish IVR option to verify her balance due and, when prompted, verbally provides the correct PIN in her regional Spanish accent. Unfortunately, your IVR only recognizes non-accented Spanish and fails to properly authenticate Mary. At this point, Mary must transfer to an agent or call the IVR back to manually key in her PIN.

Another bad start to a simple self-service transaction.

What about customers who do successfully authenticate in your IVR and transfer to an agent? They’re still not out of the woods. Their authentication may not transmit correctly to your agent, requiring the customer to authenticate a second time. And if the customer is transferred to another agent? That authentication may not transfer with them, either, requiring yet anotherverification.

Example: Mike dials your customer service number and quickly authenticates with his PIN in the IVR. He verifies his balance due, then decides to transfer to an agent for questions about his bill. The agent greets Mike and repeats the authentication process.

You know what’s coming next.

Mike asks, “Why do I always have to give you guys my information again when I’ve already entered it in your automated phone system?”

The agent apologizes, explaining that she did not receive Mike’s information on her screen. She successfully authenticates Mike and determines that he must be transferred to another department for further assistance. Mike is transferred to another agent…who again repeats the authentication process.  

All this before Mike can even address his actual inquiry! Ouch.

Bob, Mary and Mike are just three examples of the authentication challenges faced by customers every day. Multiply these per customer, then per company, and we have a serious customer experience problem.

If your customers repeatedly fail the authentication process, it’s time to examine your overall people, process and technology capabilities to identify where the breakdown lies.

Are your agents comprehensively trained on your policies, procedures and authentication best practices? Is your authentication process simple yet robust? Have you leveraged reliable, smart technology to streamline the customer and agent user experience? And, most importantly, have you done all this with a customer-centric view?

With careful planning and execution, even small changes to one or more of these capabilities can yield significant improvement to your customer’s authentication experience.

Before you know it, your customers will be asking a different question when they call you: “Why aren’t my other service providers this easy to call?”

About Laura:

I’m a customer-centric manager with 15+ years of customer experience, strategy and operations expertise…and I’m pretty passionate about it!

Customer capabilities I’ve managed include experience and retention, strategy, system design and implementation, and contact center operations. My experience spans the wireless / telecommunications, retail, banking, IT, health care, sales, government and HR / benefits outsourcing industries.

Outside the customer world, I’m an equally passionate Chicago foodie with a penchant for fitness, design, style, social media…and everything else in between.