As phone phishing grows, can bank biometrics screen out the scammers?
About 50 financial institutions around the world are beginning to implement biometric authentication at their contact centers.
Last month, Dutch consumer finance protection authority Kifid ordered Rabobank to compensate two phishing scam victims. In separate cases from 2013, the victims had lost a total of €71,000 ($80,000) to telephone scammers who posed as Rabobank employees.
The victims claimed the scammers already knew confidential details about their accounts when they phoned them for more information, in what was made to appear like a standard procedure.
However, Kifid only ordered Rabobank to compensate the victims €12,500 ($14,000), less than 20 percent of their losses, arguing that the victims had surrendered sensitive personal information too readily over the phone. While the bank assumed some of the burden, the phone-phishing victims were ultimately left with most of the responsibility.
These phishing cases show how little protection banks give consumers against telephone scams, even though this type of crime is on the rise.
Fraud.org reports that telephone phishing scams in the US increased by 25 percent between 2012 and 2013. In 2013 more than 36 percent of the phishing complaints that were filed on Fraud.org were for scams that started with a phone call.
The phishing calls target the contact center, the customer, or both. Typically, the victims are elderly, but any consumer is vulnerable to these attacks. Young consumers are shifting to online banking and are less familiar with what security steps to expect in a telephone transaction with a bank's contact center.
Through novel security technology, banks have created a culture of consumer trust online, where customers expect to input a string of passwords to access their accounts. But can new security technology create consumer trust over phone channels, as well?
Among their online security innovations, banks have started to replace traditional knowledge-based passwords with biometric authentication. Biometrics relies on biomarkers, such as a person's voice or fingerprint, to gain access to a bank account.
Now, about 50 financial institutions around the world are beginning to implement biometric authentication at their contact centers. Barclays and the Australian Taxation Office have been using voice biometrics at their contact centers since 2012 and 2014, respectively. Barclays deployed voice biometrics more widely in 2014.
One biometric authentication technique, called natural language understanding, uses artificial intelligence to verify a caller's identity before the individual is connected to an institution's contact center.
The system compares the caller's voice against a database of registered voiceprints. If the software identifies a fraudster, the call is diverted from the contact center and routed to another team. These voice biometrics techniques act as an added security layer on top of existing caller-ID technology.
"The industry as a whole tends to focus on the channel where they are experiencing the most fraud, at any given time, and enhancing security in that channel," says Brett Beranek, director of product strategy for voice biometrics at Nuance Communications.
Nuance Communications provides biometric authentication technology to Barclays and the ATO. Beranek adds that the industry most recently took steps to fight credit-card fraud within digital channels, but many institutions are now revisiting security on the phone channels at their contact centers.
In general, consumers have less technological protection when banking by phone than by app. To access their accounts over the phone, customers most commonly answer a series of verification questions with an agent at the bank's contact center.
Criminals are likely to pass this security step by gathering the correct answers through phishing emails, social media, or calling the customer directly in a telephone scam.
Even if biometrics could help reduce phishing calls to contact centers, no scenario yet exists where it would protect a consumer who receives a phishing phone call at home.
At the moment, biometric authentication is neither a fail-safe security tool nor ready to become a best practice at bank contact centers. It is currently more effective as a rapid login tool on banking apps than as a security device.
The voice-recognition step or a fingerprint match replaces the complicated string of PINs and passwords that consumers generally input to verify their identities. Using biometrics simply speeds up the online banking process.
Beranek says it will be years before biometric authentication will be ready for banks to adopt on the large scale. Artificial-intelligence technology, in general, needs to improve before biometrics becomes a robust security tool.
More on security
- Adobe pulls Creative Cloud update that deleted Apple Mac data
- SMS Android malware roots and hijacks your device - unless you are Russian
- Microsoft careers data exposed by MongoDB flaw
- Your whole organisation needs to get real about IT security: Here's how to do it
- Hackers are using malware and phishing scams to steal Netflix users' passwords, bank details
- Hollywood hospital becomes ransomware victim