Will Biometrics Change the Way Your Business Accepts Payments?

By: Tim Prugar

Yes. Yes they will. But Payments will also change the way that Biometrics are leveraged for security. 

Technology has widened the chasm between small businesses and behemoth competitors like Amazon and Alibaba. This becomes most clear in the payments space, where smaller merchants struggle to process the volume and speed of transactions with the technological innovation that larger firms can afford. Small Business Trends took a look at the role biometrics plays in payments, and had an interesting takeaway:

Biometrics is not a Binary

Well, shouldn't be a binary anyway. Biometric identifiers don't get scored as "Correct" or "Incorrect" like knowledge-based identifiers do (Either "Appetite for Destruction" is your favorite album or it isn't!). Instead, authentication solutions look for the probability of a match based on a number of traits or signifiers - once that probability crosses a certain threshold, it's deemed a "match." 

The most effective biometric systems increase the probability that a biometric identifier is deemed a match by marrying that fingerprint or iris or what-have-you to other data signals. As the article points out, fingerprint biometrics can have their efficacy increased when paired with data signals like geolocation or Device ID. Similarly, Jack Ma made Alipay more secure by marrying the "Selfiepay" concept with smiling or nodding as a movement captcha. 

But what about Voice Biometrics?

Voice biometrics are an effective solution for authenticating callers and detecting fraud. Without additional data points, however, Voice Biometrics fails to meet its full potential. 

Here's what Voice Bio can leverage to get even smarter:

Dynamic Blacklists - If a call is coming from a known fraudulent number, a suspicious international number range, or a compromised account, why treat it as a basic customer call? Leverage this information, much of which can be accessed via API in near-real-time, to flag calls before they even reach your Biometric Authentication.

Spoof - According to Next Caller's research, 94% of all fraudulent attacks on the call center leverage ANI spoofing as one of the methods to gain access.  Smart call centers use information about whether a call is spoofed to "green light" a call for an agent or flag that call for further scrutiny. 

Geolocation - Where should your caller be? If they're somewhere else - that's a solid indicator to at least take a second look at a call. 

Again, all of the above information is available in near-real-time, much faster than a Voice Biometric Authenticator can perform an analysis. 
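To make the layering concrete, here is a sketch added to this article (not Next Caller's code or any vendor's API) in which the fast checks run first and then decide how high the biometric match probability must be. Every name, weight, threshold and phone number in it is a constructed assumption.

```python
from dataclasses import dataclass

# Illustrative assumptions only: none of these values come from the article.
BASE_THRESHOLD = 0.80   # match probability required when no risk signal fired
MAX_THRESHOLD = 0.99    # never demand more certainty than this
RISK_PENALTY = {"spoofed_ani": 0.10, "geo_mismatch": 0.05}
HARD_SIGNALS = {"blacklisted_ani", "compromised_account"}

@dataclass
class Call:
    ani: str              # calling number as presented to the call center
    account_id: str       # account the caller claims
    spoofed: bool         # verdict from an anti-spoof check (assumed input)
    caller_region: str    # where the call appears to originate
    expected_region: str  # where this customer normally calls from

def prescreen(call, blacklist, compromised_accounts):
    """Run the near-real-time checks before any biometric analysis."""
    signals = []
    if call.ani in blacklist:
        signals.append("blacklisted_ani")
    if call.account_id in compromised_accounts:
        signals.append("compromised_account")
    if call.spoofed:
        signals.append("spoofed_ani")
    if call.caller_region != call.expected_region:
        signals.append("geo_mismatch")
    return signals

def required_threshold(signals):
    """Raise the bar for a biometric 'match' as soft risk signals add up."""
    raised = BASE_THRESHOLD + sum(RISK_PENALTY.get(s, 0.0) for s in signals)
    return min(round(raised, 2), MAX_THRESHOLD)

def authenticate(call, match_probability, blacklist, compromised_accounts):
    """Combine the pre-screen with the voice-biometric match probability."""
    signals = prescreen(call, blacklist, compromised_accounts)
    if HARD_SIGNALS & set(signals):
        # Flagged before the call ever reaches biometric authentication.
        return {"result": "flag_for_review", "signals": signals, "threshold": None}
    threshold = required_threshold(signals)
    result = "match" if match_probability >= threshold else "step_up"
    return {"result": result, "signals": signals, "threshold": threshold}

# Constructed sample data (fictitious numbers and accounts).
BLACKLIST = {"+12025550143"}
COMPROMISED = {"acct-7731"}
CLEAN = Call("+12025550101", "acct-1001", False, "US-NY", "US-NY")
SPOOFED = Call("+12025550101", "acct-1001", True, "US-NY", "US-NY")
SPOOFED_ABROAD = Call("+12025550101", "acct-1001", True, "XX", "US-NY")
KNOWN_BAD = Call("+12025550143", "acct-1001", False, "US-NY", "US-NY")

if __name__ == "__main__":
    for name, call, p in [("clean", CLEAN, 0.85), ("spoofed", SPOOFED, 0.85),
                          ("spoofed+geo", SPOOFED_ABROAD, 0.92),
                          ("blacklisted", KNOWN_BAD, 0.99)]:
        print(name, authenticate(call, p, BLACKLIST, COMPROMISED))
```

The same 0.85 voice score is a match on a clean call and a step-up on a spoofed one, which is the sense in which biometrics is not a binary.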

The next major wave of Biometric Security won't be the implementation of the solutions, but the marrying of data that makes those solutions smarter. 

 

Tim Prugar is the Director of Customer Success at Next Caller. He can be reached at tim@nextcaller.com

Should ISPs Prepare for "Hacktivism" in the Wake of Net Neutrality Vote?

The internet erupted in a collective fury last week as the FCC voted to roll back net neutrality regulations. From the internet commons of Reddit to the New York Times Editorial Page, observers noted with concern, anxiety, or full-blown rage that the policy shift was a threat to the concept of a free and open internet. The popular wrath was directed at two main sources: FCC Chairman Ajit Pai and massive Internet Service Providers (ISPs) who potentially stand to gain from the deregulation. With ISPs squarely in the sights of the internet’s vengeful wrath, the rise of “hacktivism” should give ISPs significant pause about the security threats this policy change can bring to their organizations.

 

What is Hacktivism?

Hacktivism is a blend of hacking and activism: hacktivists leverage security breaches or other cyber attacks to advance a political or social cause. Rather than looking for money, hacktivists are seeking to combat perceived injustices. Examples include an attack on the state of Michigan’s website in the wake of the Flint Water Crisis, the hacking of DNC Emails, and even the data breach at Ashley Madison.

 

Why Should Net Neutrality Make ISPs “Productively Paranoid”?

First and foremost, there’s already been an alleged hacktivist attack as a result of the net neutrality vote. The FCC itself has claimed that it suffered multiple distributed denial-of-service (DDoS) attacks that it believes had the goal of shutting down the public commenting system in advance of the net neutrality vote. These tactics are becoming increasingly common as an expression of internet outrage, and ISPs don’t need to look much further than headlines to see the anger that these policy changes have caused:

Comcast and Verizon’s Sneaky Push to Kill Net Neutrality is Just Embarrassing

Comcast and other ISPs celebrate imminent death of net neutrality rules

Verizon Apparently Thinks You’re Stupid 

FCC Buried By Fake and Hate-Filled Comments on Net Neutrality

            To sum…many people are very unhappy.

 

 What Can You Do To Protect Yourself From Hacktivist Attacks?

            The most important thing to recognize is that attackers focus on vulnerabilities and weaknesses. Any plan to shore up security must identify and secure frequently-overlooked channels.

1.     The Phone

Whether it’s PBX, VOIP-based UC systems, or a consumer-facing call center, the phone channel is a prime target for bad actors. ISPs should be certain that PBX/UC systems have secure passwords and that systems are in place to detect suspected breaches. A hacked PBX can run up hundreds of thousands of dollars in long-distance calls in a single weekend, and would be a perfect way for hacktivists to make ISPs feel financial pain for the net neutrality shifts.

ISPs who operate consumer-facing call centers should employ technology that can detect instances of call spoofing or robodialing in real time. Executing a Telephony Denial-of-Service (TDoS) attack by flooding a call center with robocalls is an effective way to completely shut down a call center, like what happened at the Minnesota insurance exchange. ISPs want to be sure to have strong anti-spoofing technology in place to prevent account takeover and protect their customers’ personal data in the event of an attack.

2.     Phishing Attacks

The human being is always the weakest link in the fraud chain. From Snapchat to the World Anti-Doping Agency to GoogleDocs, significant cyber threats can be facilitated by an employee clicking on a link or downloading and opening a file they shouldn’t. It is essential that ISPs exhibit a heightened sense of internal security, and ensure that all employees have received recent training on phishing attacks, social engineering practices, and basic email safety.

3.     Third Party Vendors

With the rise of interconnectivity and the Internet of Things, it’s no longer enough to worry about your own security protocols and practices – you must also be rock-solid certain as to the security credentials of your third party vendors. An air conditioning vendor contributed to Target’s data breach, and Lady Gaga’s album was leaked after a collaborator was hacked. How are you being certain that your vendor partners aren’t accidentally putting your business at risk?

3 Lessons Contact Center Leaders Can Learn From WannaCry

By: Tim Prugar

The transnational WannaCry Ransomware Attack exploded across the internet early Friday morning on May 12th, and its aftershocks are still being felt early this week as some machines in Asian markets are being booted up for the first time after the weekend. For the curious, Nicole Perlroth over at the New York Times provides an outstanding overview of the background events leading up to this cyber attack, but the basic facts are relatively simple. A hacker or team of hackers identified a vulnerability in the Server Message Block (SMB) Protocol in Microsoft software, and put together a ransomware attack that spreads through a system’s file-sharing capabilities. The attack would immediately encrypt all of the system’s files, demanding a Bitcoin payment for the decryption and safe release of the pertinent documents. The attack, like many, was unleashed via a simple phishing ploy – an unsuspecting victim downloaded and opened a file they shouldn’t have that contained the malicious software. The rest was a nightmare for the cybersecurity community.

     While the WannaCry threat can reasonably be classified as “cyber terrorism”, and patches to protect machines from being infected have already been issued, Information Security Officers should use this incident as an opportunity to pull lessons about protecting all channels from attacks from bad actors. What can fraud experts, CISOs, and Call Center Leaders learn from the WannaCry attacks?

 

1. The Human is the Weakest Link In the Fraud Chain

The methods through which WannaCry spread and replicated may have been automated, but the door for access was opened by a human being. Basic social engineering is at the heart of many of these phishing, SMSishing, and vishing scams, and the phone is one of the most lucrative channels for manipulating a human being to a desired end. CISOs and Call Center Leaders should be investing heavily in training agents to identify and recognize common social engineering methods and tricks, and should consider exploring technologies that are able to identify, in real time, calls that have been spoofed or otherwise manipulated. There is a high correlation between ANI Spoofing and phone fraud attempts, so more information allows agents to “trust but verify” with more complete data.

 

2. The Cost of Attacks Goes Beyond Money

     The big story of the WannaCry attacks isn’t the absolute value of the money extorted (some reports have it at less than $60,000), but the “collateral damage” losses of disruption to services, man hours lost, and even potential health implications. The WannaCry ransomware didn’t just infect computers in a vacuum – it infected computers at Universities, the British National Health System, train stations in Germany, and multi-national corporations based out of France and China. Similarly, when fraud teams do cold “dollars and cents” cost benefit analyses of fraud solutions for the Contact Center, they often look only at their absolute number of fraud losses, and compare that to the cost of the solution. CISOs and Contact Center Leaders should look at the problem holistically: How much time are we losing due to caller authentication? Can we quantify the damage being done to our brand due to fraud and data breaches? Are fraudsters leveraging information stolen at the contact center level to make larger, more costly fraud attacks elsewhere?

 

3. Hackers and Fraudsters Are Very, Very Good At Exploiting Vulnerabilities

Some hackers and fraudsters are organized criminal enterprises; others are impish troublemakers. Either way, these people are experts at identifying weaknesses in security systems and exploiting them for their own gain. Just as the architects of the WannaCry attack masked their malicious software to get a foot in the door, so too do those looking to commit account takeover or identity theft through the Contact Center mask their phone number to minimize the likelihood of detection. By using ANI Spoofing, fraudsters look to mimic the phone number of an existing customer to bypass ANI-matching authentication procedures, or look to mimic a completely random phone number to hide their own identity. Either way, these fraudsters are leveraging spoof as the main method for their attacks, and any technologies that can detect these spoofing attempts in real time provide an added layer of much-needed security at the Contact Center level.

 

     So what can CISOs and Contact Center Leaders do in the wake of the WannaCry attack to ensure that all channels are adequately defended from bad actors?

     Security Leaders would be wise to conduct a thorough audit of Contact Center authentication and security protocols to ensure that vulnerabilities and weaknesses in the call flow are identified, isolated, and addressed in a timely fashion. Tools such as blacklists, voice biometrics, and anti-spoof technology are all strong safeguards to keep bad actors out, but they are used best in tandem as a layered solution to provide the highest possible level of Contact Center security.

 

Tim Prugar is Next Caller's Director of Customer Success. He can be reached at tim@nextcaller.com.

So Sayeth The Times: 3 Reasons Why Biometric Authentication Should Give You Pause

 

In Tuesday's New York Times, the Room for Debate blog took on concerns surrounding the growing use of biometric authentication in the banking sector. Typically these arguments are more polarizing, with a traditional "A IS GOOD vs. A IS TERRIBLE!" style of debate. But when it came to Biometrics, something interesting happened: both sides agreed that Biometric Authentication is an imperfect, and sometimes deeply flawed, science. They merely disagreed on the implications of that for banking security. 

Look, Biometric Authentication is LIGHT YEARS ahead of static passwords and easily-researchable security questions. It's here to stay. The debate isn't whether or not banks should utilize biometric authentication - the debate is whether these financial behemoths should be relying on biometrics as their sole, or even their main, first-stage fraud solution. To make a football analogy, the Carolina Panthers would never say to their quarterback "Hey, Cam, you're revolutionizing the quarterback position and doing things we never thought possible - we can just rely on you and don't need to have an offensive line, or receivers, or running backs - I'm sure you can do it all and won't fail." No coach would ever say that. Of course not. After all, that's the Chicago Bears' patented offensive strategy. 

                                  Not Funny, Tim.


So let's take a deeper dive into the challenges presented by Biometric Authentication:

1. Just Because It's Biometric Doesn't Mean It's Not Data

Target. Snapchat. Ashley Madison. Data breaches that have exposed the personal information, home addresses, credit card information, or even Social Security Numbers of customers and employees have made front page news on dozens of occasions. As Claire Gartland of the Electronic Privacy Information Center points out, citizens have action steps they can take when this type of information is released. They can cancel cards or apply for new SSNs. But what recourse do people have when biometric information is leaked? The Office of Personnel Management has already admitted that 5.6 million fingerprints were stolen in a recent data breach, and hackers have already shown their ability to replicate fingerprints and iris scans to game security systems. Voice biometrics has similar flaws. If your customer data can be breached, so too can your biometric data (regardless of the encryption or tokenization).  

 

2.  Do Your Customers Trust You?

Just because I'd let my friend hold $100 for me doesn't mean I'd trust him to hold onto my fingerprints and DNA. I've seen enough Law & Order to know better. Biometric authentication brings about very real Orwellian concerns on behalf of consumers. What are you going to do with this information? What assurance do I have that this will only be used for authentication? While James Lewis of the Center for Strategic and International Studies writes these concerns off as "nervous dystopian projections" and "irrational" (ouch!), the comments show a very different perception of this development in technology. 

                     "I, for one, welcome our new Biometric Overlords!"

3. Impact on Customer Experience

The number one concern for Fraud Analysts is "Catching and Stopping Fraud." However, "Limiting False Positives" and "Ensuring a Seamless Customer Experience" finish a close second and third. Biometric Authentication can have serious impacts on both of those exceedingly important CX metrics. Will MasterCard spring for me to become better looking if my face is consistently judged not to be my actual face? Voice biometrics necessitate 15-30 seconds of analysis at the time of connection on a call - increasing average handle time and also increasing customer frustration at the outset. Biometric authentication also requires certain technologies that can serve as barriers to entry for customers that may not be able to purchase smart phones. Are banks going to be in the business of only offering security to those who can afford it?

So What Now?

While the debate in the Times cast a significant amount of doubt on the viability of Biometric Authentication as the sole solution for banks, we should refrain from throwing out the baby with the bathwater. Biometric Authentication is an enormously promising development in the world of security, but it is a mistake to view this development as a panacea, or a reliable sole method for thwarting fraudsters. Banks who are looking to increase first-stage fraud prevention at the payment and call center level would be wise to combine known fraudster block lists, Biometric Authentication, and carrier and transaction level metadata to best defend against nefarious attacks and protect their customers' assets...and peace of mind. 

By: Tim Prugar (tim@nextcaller.com)

 

Top Call Center And Telecom Trends For 2016

Authored by: Sheldon Smith is a Senior Product Manager at XO Communications (XO.com). XO is a telecommunication services provider that specializes in nationwide unified communications and cloud services.  Sheldon has an extensive background in UC and he has over 15 years of experience in the technology industry. His position involves overall product ownership of Hosted PBX, SIP, VoIP and Conferencing.

Overview

Research and Markets, a market research store, states the global contact center market is on track for a compound annual growth rate of 9.26 percent over the next four years, as companies look to outsource communication services and improve the customer experience. However, growth isn’t just happening over the long term. With 2015 almost over, it’s worth taking a look at what next year may bring for the call center and telecoms market. Here are five top trends for 2016:

Improved Mobility

Most telecom providers have built-in support for mobile devices and in some cases, wearable technology — but according to research firm Gartner, 2016 will usher in a new type of mobility powered by the “device mesh.” Put simply, this mesh extends beyond “traditional” consumer devices to also include home electronics, automotive digital systems and environmental tools. For telecom companies, this means increasing demand from users to support any device, anywhere, anytime.

The Ambient Experience

Gartner also predicts the rise of “ambient user experience” over the next year. Enabled by the device mesh, the idea here is to create a customer experience that “seamlessly flows across a shifting set of devices and interaction channels blending physical, virtual and electronic environment.” This is a sea change: Consumers are trending away from devices as discrete channels but instead view them as part of a unified whole. For call centers, this means a rise in the number of callers who expect agents with full access to historical records along with any online, mobile or previous phone conversations.

Stepped-Up Security

Breaches are now an expected outcome for many companies regardless of size or industry. The same applies to telecom providers: Personal data stored by your organization is a hot-ticket item for determined hackers. In 2016, expect to see a rise in the number of security startups and VoIP providers that offer native encryption for all communication data — in transit and at rest. Improved controls for local admins are also on-tap: C-suites and security pros alike want to know what is happening on their network, why and how they can put a stop to it, as needed.

Power to the People

According to global online community Customer Think, one big change coming to call centers of the future is the ability for customers to help themselves with minimal assistance from an agent. While CT takes the long view and says 2020 is the year to watch for this kind of transition, the tech market of 2016 should lay critical groundwork. For example, improved interactive voice response (IVR) systems will make it possible for customers to “self-serve” most of their issues, in turn putting more pressure on front-line call center staff to become subject matter experts. Over the next year, expect the view of agents to shift from one of “first contact” to “final option” — knowledge and skills must improve to match demand.

Bandwidth for Big Data

If telecom providers want to stay competitive through 2016, they’ll need to do better with big data. It’s no longer enough to simply store this steady stream of information — consumers expect their provider to offer real insight when it comes to buying habits and predicted needs. Handling the big data deluge means providers need to shore up available bandwidth and make sure they’re ready to manage the transition from steady flow to rushing river as data demands. According to business news publication Trade Arabia, companies in the Middle East — the world’s second-largest mobile phone market — face the challenge of dealing with a tech-savvy consumer base that effectively jumped over landline adoption to embrace Internet-connected devices. The result? Massive amounts of data to analyze and insights to glean, and the chance to get a leg up on North American providers that don’t dive headlong into big data.

Ready for 2016? The future holds better mobility, improved user experience and security backed by a tech-savvy populace with big data focus.

Top Tips For A Successful Data Management Strategy

Contributed by: Sheldon Smith is a Senior Product Manager at XO Communications. XO Communications is a nationwide provider of communications services for businesses including SIP Trunk Services. Sheldon has over 15 years of experience in the technology industry.

 

Effectively managing data is about more than securely storing and transporting information — companies need a strategy that covers data through the entire lifecycle. As noted by a recent Deloitte Center for Health Solutions study, however, this is a challenging task, and the report found that fewer than half of all companies surveyed had a “clear, integrated analytics strategy.” With big data quickly expanding in scope and gaining speed, it’s essential for businesses to draft a plan before jumping in; here are four top tips for a successful data management strategy:

Understand Value

The goal of any data strategy is to provide high-level guidelines that can be applied across departments, applications and use cases with equal facility. To accomplish this aim, companies need to first understand the value of their data. According to Souvik Choudhury of SunGard Availability Services, “all data is not created equal — and understanding the business value of data is critical for defining the storage strategy.” The same holds true for broad-spectrum policies. Companies must take the time to logically segment their data based on frequency of use, ability to replace, and potential loss impact if stolen or compromised. Once value is assigned, data strategies become a far less daunting task.

Consider Compliance

Compliance is a critical part of any data management strategy. Worth noting, however, is that the requirements to stay “in compliance” vary widely across industry verticals. While some standards, such as PCI DSS, are relevant to companies in a variety of sectors, certain standards carry more weight in one sector than another. Consider health care; HIPAA demands not only specific data handling procedures but also holds health care providers accountable if third-party vendors mishandle patient data or experience data leaks. Law firms, meanwhile, must be able to demonstrate clear data paths from creation to the current moment, and ensure that all data is discoverable in the event that a trial demands an accounting of specific communications or transactions. To form an effective data management strategy, therefore, companies must take the time to understand specific compliance requirements — better to meet or exceed the standards up front rather than risking a fine or other penalty for noncompliance.

Spend on Security

Data security is the next step in an effective management strategy. According to CIO, there are two key components to ensuring that data is protected: Securing information virtually and physically. Virtually, this means limiting employee access and using two-factor authentication for any kind of high-level movement or editing. Physically, companies need to spend on server stacks that are secure — this could take the form of cloud-based offerings, colocation providers or on-site storage, as long as servers are set apart from general foot traffic and are reliably monitored. In addition, it’s worth investing in a solid data encryption solution. This way, even if information is stolen or compromised it’s of no use to malicious actors.

Pursue Accuracy

Last but never least is the need to pursue accurate data. Your best bet here? Start small and ensure that all data collected is timely, relevant and comes from a reliable source. Once DevOps teams get used to handling this flow of accurate data, ramp up the speed and see what happens. By taking the time to ensure accuracy before going all out, it’s possible to reduce the possibility of human error and save money over the long term by avoiding unnecessary data management investments.

Want better data management? Start with value, seek compliance and security, and ensure accuracy for best results.