Call centers are often the weakest link in otherwise robust corporate security networks, because of the human dimension. They are staffed by people who make mistakes and are prey to scams and blackmail. Call centers are also vulnerable to malicious employees with an ax to grind or those willing to commit fraud for monetary gain.
According to the Pindrop 2017 Call Center Report, voice fraud rates climbed at more than 350% since 2013 across several industries, including banking.
Most Identity Data is Stolen
Consider this fictional example of call center fraud. A caller contacts a U.S. bank and informs the customer service representative (CSR) that he/she wants to do an electronic funds transfer to pay their child’s college tuition bill for a school in France.
The caller says he/she needs to send the money urgently, explaining they tried unsuccessfully a number of times to perform the transaction online, and need help. The CSR asks the caller a battery of security questions to authenticate their identity. Without missing a beat, the caller provides the correct account number, physical address, the last four digits of the social security number on file, etc.
Eager to help ‘the long-time customer,’ the CSR approves the funds transfer and schedules the transaction for the next business day. Since the caller provided all the correct answers, the CSR has no way of knowing he/she was a fraudster.
Since personally identifiable information (PII) has and continues to be stolen in an endless stream of data breaches, most of the details required to carry these type of attacks are available for purchase on the dark web. However, the fraudster could also be working with a malicious insider who has provided the necessary PII required to compromise the target account.
Three Ways to Reduce Call Center Fraud Use the Cloud
Instead of relying on call center employees to handle sensitive personal information, some organizations employ a secure, cloud platform to process payments. Employees can see that transactions are taking place but they have no visibility into sensitive customer data and card numbers.
Increasingly, companies are abandoning crude forms of authentication like passwords which are too easily breached, copied or shared. Instead, they are supplementing knowledge- based questions with advanced authentication methods such as biometrics and one-time passwords. Some banks and credit card companies use one-time passwords to verify the identity of an account holder before a CSR can perform any requested transactions.
Fraud Behavior Analytics
To automate fraud detection, an increasing number of organizations are turning to behavior-based security and fraud analytics. These analytics engines ingest and process enormous amounts of data from disparate systems — and then use machine learning models to pinpoint anomalous activity.
In the call center fraud scenario described above, data from the ticketing system would show that the account password was changed a few days earlier. Meanwhile, data from the core banking solution would identify that the destination foreign account for the funds was recently created. In addition, phone system records would show that the time of day of the (fraud) call is inconsistent with previous calls associated with the account. And finally, data from public records would show that the real account holder is childless.
By correlating data from different information “silos” behavior- based fraud behavior analytics could predict the risk and prevent the funds transfer.
Detecting and preventing call center fraud embodies many of the same challenges associated with fighting insider threats, since the attacker in both cases is authenticated to perform sensitive transactions. As a result, the advanced security measures described above, especially enhanced authentication and security analytics, can be used to predict and prevent fraud and data exfiltration by both insiders and outsiders.
About the author: Saryu Nayyar is CEO of Gurucul, a provider of behavior based security and fraud analytics technology. She is a recognized expert in information security, identity and risk management, and author.
Copyright 2010 Respective Author at Infosec Island