Fake call-center staff more dangerous than phishers

Criminals posing as call-center employees have been caught using mobile phones, cameras and USB drives to steal customer data, causing a security headache for banks.
Written by Liam Tung, Contributing Writer

Banks are fighting to keep their call centers free from criminals who pose as--or become--call-center staff to steal customer details.

Just two years ago, phishing was the greatest threat to the security of JP Morgan Chase's customers. Today, the company is far more worried about the people manning its call centers.

Staff have been caught stealing customer information using mobile phones, cameras and USB drives, said Iain Johnston, fraud specialist at JP Morgan Chase Asia Pacific.

Speaking at a Financial Times event called Securing the Bank last Thursday in Sydney, he said: "We have found incidences where screenshots have been taken by mobile phone or where people are writing texts at incredible speed under their desks".

He told the conference that the bank has tightened its hiring policies for call centers located in India, the Philippines, Indonesia and Ethiopia, but monthly staff intakes of between 200 and 600 recruits make the task challenging.

While the Indian government has established a national database of call-center employees to help prevent crime, police corruption in Indonesia makes reporting breaches difficult.

"We had an instance where a staff member had stolen money from the till... if you want to report that to [the Indonesian] police, you have to pay them US$10,000 to secure an arrest," he said.

Identity theft is the fastest growing type of fraud--in Australia alone fraud costs US$6 billion per year, according to Dr Clive Summerfield, deputy director of the University of Canberra's National Center for Biometric Studies.

"We know from people's behavior that fraud is likely to be committed by people inside an organization," he said.

Although staff at offshore call centers are accused of higher rates of criminality, the real problem with offshore call centers is the flow of data across borders and differing privacy legislation, said Dr Summerfield.

"If your identity is ripped off overseas--while local organizations may have back-to-back contracts with outsourcers--there's a long chain of events to acting on that," Summerfield told ZDNet Asia's sister site ZDNet Australia.

Voice biometrics a solution?
A University of Canberra-developed voice-based biometric authentication system may offer a solution, said Summerfield.

"One of the things that it does is to authenticate the caller without the need for a call center to see your personal information. Because you authenticate the caller within the system, when you get transferred to an operator for a transaction there is no need for them to know your address or date of birth. All that appears on screen is how sure your computer is the account holder is same as person [as the caller]," said Summerfield.

He explained that this kind of authentication means organizations that hold sensitive information are able to retain the authentication process within the customer's country of origin--therefore resolving the problem of cross-border data flows.
