Banks are fighting to keep their call centres free from criminals who pose as — or become — call-centre staff to steal customer details.
Just two years ago, phishing was the greatest threat to the security of JP Morgan Chase's customers. Today, the company is far more worried about the people manning its call centres.
Staff have been caught stealing customer information using mobile phones, cameras and USB drives, said Iain Johnston, fraud specialist at JP Morgan Chase Asia Pacific.
Speaking at a Financial Times event called Securing the Bank last Thursday in Sydney, he said: "We have found incidences where screenshots have been taken by mobile phone or where people are writing texts at incredible speed under their desks".
He told the conference that the bank has tightened its hiring policies for call centres located in India, the Philippines, Indonesia and Ethiopia, but monthly staff intakes of between 200 and 600 recruits make the task challenging.
While the Indian government has established a national database of call-centre employees to help prevent crime, police corruption in Indonesia makes reporting breaches difficult.
"We had an instance where a staff member had stolen money from the till… if you want to report that to [the Indonesian] police, you have to pay them $10,000 to secure an arrest," he said.
Identity theft is the fastest-growing type of fraud — in Australia alone, fraud costs $6bn per year, according to Dr Clive Summerfield, deputy director of the University of Canberra's National Centre for Biometric Studies.
"We know from people's behaviour that fraud is likely to be committed by people inside an organisation," he said.
Although staff at offshore call centres are accused of higher rates of criminality, the real problem with offshore call centres is the flow of data across borders and differing privacy legislation, said Dr Summerfield.
"If your identity is ripped off overseas — while local organisations may have back-to-back contracts with outsourcers — there's a long chain of events to acting on that," Summerfield told ZDNet Australia.
Voice biometrics a solution?
A University of Canberra-developed voice-based biometric authentication system may offer a solution, said Summerfield.
"One of the things that it does is to authenticate the caller without the need for a call centre to see your personal information. Because you authenticate the caller within the system, when you get transferred to an operator for a transaction there is no need for them to know your address or date of birth. All that appears on screen is how sure your computer is the account holder is same as person [as the caller]," said Summerfield.
He explained that this kind of authentication means organisations that hold sensitive information are able to retain the authentication process within the customer's country of origin — therefore resolving the problem of cross-border data flows.