Hello, is that really you?

The telephone is just as susceptible--as the Internet--to fraud, but banks can mitigate security risks by better identifying callers.

The phone channel needs to be better secured, and just as much as the Internet platform does.

Geoff Noble, a banking and finance specialist with RSA, told ZDNet Asia that the phone banking channel is "more highly at risk now as more banks focus on Internet security".

Michael Greco, managing director for Asia-Pacific at Intervoice, a unified communications provider which counts banks like ABN Amro and Citibank as customers, agreed. Phone banking, he said, is not any less risky than Internet banking.

"The security risk of telephone banking is largely based on the fact that you're dealing with humans."
-- Geoff Noble
banking and finance specialist, RSA

Greco noted that since most systems today use a piece of information the caller knows to authenticate his identity, once his identity is compromised, that information is no longer a secure method of authentication.

"Therefore, a solution that utilizes only something the caller knows is not secure enough," he said. "It is safe to assume that once one's identity is compromised, the telephone banking system could be a channel that is exploited by the perpetrator."

So important is the need to better secure telephone banking that the Federal Financial Institutions Examination Council (FFIEC) in the United States drew attention to the channel last year.

Greco said: "The FFIEC released guidance in 2001 and 2005 that outlined the need for stronger authentication methods for users accessing financial services over the Internet. However, in 2006, the FFIEC provided clarification regarding telephone banking by stating that, 'while the guidance focuses on Internet banking systems, its principles apply to all forms of electronic banking, including telephone banking systems'."

Is it that unsafe?
But are regulators simply being paranoid? Maybe, but considering the fact that humans are the interface behind the phone and human error is a weak link in security, a little paranoia can be a good thing.

Noble said: "The security risk of telephone banking is largely based on the fact that you're dealing with humans." He noted that phone banking operators are largely trained for customer service and sales, and not for authenticating a caller's credentials.

phone banking

Phone banking operators are not trained
to authenticate a caller's credentials, security experts say
Photo courtesy of Intervoice

Identity theft is a global and multichannel issue, and banks worldwide cannot afford to ignore the phone channel.

While banks in Asia have taken the initial steps toward securing person-not-present banking--with many implementing two-factor authentication for Internet banking--"telephone banking is an area yet to be completely addressed", Greco said.

RSA, which hardware tokens are used as a second level of authentication for online banking, is working with Intervoice to better combat telephone banking fraud.

Intervoice will integrate its Voice Portal product with RSA's Adaptive Authentication for Phone, which adds the human voice as a way for automated telephone banking services to identify customers. The partnership is aimed at helping banks deliver good personalized customer service, while securing the phone channel with stronger authentication.

"Integration with RSA's technology has allowed Intervoice to add an additional tier to the caller authentication solution," said Greco. "RSA's risk-based analysis engine allows typical user behavior, location and voiceprint characteristics, to be taken into account when authenticating the user."

The RSA engine generates a risk score by looking at the various parameters, such as the caller's phone number and user behavior profiles. The majority of telephone banking callers can continue uninterrupted with their transaction, as only callers or transactions flagged as high risk by the RSA Risk Engine, are subject to secondary authentication. The second level of authentication can be in the form of one-time passwords, biometric voiceprint samples or additional content-match questions.

On whether any bank has implemented the integrated technologies, Greco said: "There are a number of financial institutions that are customers of both Intervoice and RSA. Many of them are interested in leveraging a single risk-based management solution for all access channels to their system."