As companies have gotten better at detecting and preventing online fraud in recent years, would-be criminals have redirected their efforts to the corporate call center.
Financial services companies and retailers, for example, are reporting a rise in call center fraud, says Shirley Inscoe, a senior analyst with Aite Group, covering fraud and data security, in large part because "fraudsters tend to take the path of least resistance."
"Some enterprises will want to move their call centers closer and tighten controls and limit what's outsourced. But others are looking for third-parties who can provide the kind of security services they can't."
"Criminals are channel-agnostic," says Ori Bach, direction of solution management for call center provider NICE Systems and the call center is currently the weakest link in the enterprise. "It's a remote channel with a large human factor. As fraudster's have gotten less successful online, they've either moved solely to contact center attacks or to cross-channel attacks--starting in the call center and migrating to another channel using a credential they've attained."
Armed with data easily gleaned from social media--an account holder's first pet or the name of his high school mascot--a fraudster can whiz past the typical call center authentication process.
A criminal capable of Caller ID or Automatic Number Identification may not even have to answer a personal question to get the keys to the kingdom. Both Microsoft co-founder Paul Allen's debit card and bank account details were stolen and Wired reporter Mat Honan's identity was compromised using call center fraud tactics.
Call center agents, after all, are presumably focused on making the customer happy, which makes them especially gullible to fraud attempts, says Inscoe. The key to fighting the escalating battle against such fraud may not be human intervention but emerging technologies.
"It's a technology arms race," says Bach of NICE Systems. "And today's call center industry needs to have next generation tools."
One such tool is a voice biometrics engine, capable of identifying an individual "voiceprint" based on traits as vocal tract length, mouth size and shape of nasal passage--physical characteristics even the savviest criminal should find difficult to impersonate. "Many banks are intrigued [by voice biometrics] as a possible solution to better authenticate their customers," says Inscoe. "Some focus on all customers while other advocate screening calls against a hot file of voice prints of callers who committed fraud previously."
NICE Systems recently began using voice biometrics incorporating 50 traits on all calls in conjunction with interaction analytics that can alert an agent to fraud patterns in word choice or caller tone.
A real-time guidance engine takes the agent through the appropriate steps under various potential fraud scenarios. "Our agents are not security professionals, so when a high-risk alert is generated they are instructed to transfer the call to our security professionals," Bach explains.
There's little doubt that a determined criminal will find a way to game these systems over time. "It is something we constantly work on and there is no logical conclusion," says Bach. "It's been endless cycle of new fraud and anti-fraud technologies for the past ten years. Fraudsters are very innovative."
And while the increased vulnerability of the call center could impact the call center outsourcing and offshoring business (NICE Systems is based in Israel but operates call centers around the world for companies including JPMorgan Chase, American Express, and Air France), Bach says the effect has been mixed. "Some enterprises will want to move their call centers closer and tighten controls and limit what's outsourced," Bach says. "But others are looking for third-parties who can provide the kind of security services they can't."
The biggest challenge, however, is keeping fraud prevention efforts in the background and maintaining good customer service focus on the front end. "Most customers are legitimate customers so this needs to be managed very carefully," Bach says.
Bach says there's a lesson to be learned from aggressive measures taken over the past ten years in the area of airport security. "If you overtrain and add too much security and technology, you introduce a level of suspicion to the interaction which may not be necessary," Bach says. "We want to keep providing positive interactions with legitimate customers while identifying that small number of fraudsters that represent a huge amount of risk. It's the proverbial needle in the haystack."
Read more about outsourcing in CIO's Outsourcing Drilldown.