Hackers on the phone
Financial institutions face a growing challenge in securing customers’ credentials across multiple channels
By Geoff Noble
With the rise of Internet banking, financial institutions have beefed up web security to prevent hackers from stealing customers’ credentials and fraudulently accessing accounts. The fraudsters, however, remain undeterred. Barred by a technologically robust steel door, they are getting in through an open window: the good, old-fashioned telephone.
In March, ASIC issued a warning reminding consumers about the increasingly innovative techniques scammers are using to lure unsuspecting victims into handing over their hard-earned money. Meanwhile, a fraudster who has already obtained a bank customer’s credentials can use the phone to access accounts, review transactions and transfer funds, with little fear of detection until it is too late.
The authentication techniques currently used when customers call in to call centres and interactive voice response/voice response units (IVR/VRU) tend to be based on PINs, knowledge-based questions such as a favourite sports team, or other relatively simple shared secrets. Because these secrets are short and often guessable or discoverable, they are easy to circumvent. For instance, a fraudster can call an organisation such as a financial institution and pose as a customer who has lost or misplaced his or her PIN. The customer service representative has few reliable ways of determining whether the caller is legitimate. This creates a loophole through which an impostor can take over accounts or gain access to funds by “socially engineering” customer service staff.
Today, financial institutions are deploying security measures across the various remote channels that their customers use: the web, phone and direct mail. While most institutions started with enhanced security online due to regulations and the fact that most attacks targeted that channel, the next focus is on the susceptibility of telephone banking.
With approximately 80 per cent of customer interactions taking place over the phone, it makes sense to focus there. The regulators agree: under the August 2006 FAQ clarifications to the October 2005 Federal Financial Institutions Examination Council (FFIEC) guidance, financial institutions in the US had until the end of 2006 to complete risk assessments and implement risk mitigation for customer authentication in online and telephone banking systems.
The FFIEC’s guidance aims to fight cross-channel fraud by protecting high-risk transactions and access to customer information via all channels, specifically mentioning the web and telephone. That guidance deserves attention even in countries such as Australia and New Zealand, where such assessments have yet to be mandated.
Responding to these challenges, financial institutions are beginning to look into methods of securing the telephone channel. Popular strategies include the deployment of voiceprint biometrics coupled with behind-the-scenes risk analysis for each transaction. These strategies enhance security with minimal impact on user convenience. Similar risk-based authentication strategies have already proven effective in securing the online channel.
Experience shows that a fraudster who has attacked an institution in one way is likely to broaden his or her activities across multiple remote channels. In this way, fraud migrates across channels. Therefore, it is critical for financial institutions to adopt a layered strategy spanning the various channels accessed by customers.
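As an added illustration of the per-transaction risk analysis described above and of the cross-channel layering argued for here (example code written for this page, not code from the article or from any RSA product), the following Python sketch scores a telephone-banking request from signals on both the phone and web channels and decides whether to let it proceed, step up authentication, or block it. The signal names, weights, thresholds and sample events are all assumptions constructed for the example; a real deployment would calibrate them against the institution's own fraud data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ChannelEvent:
    """One prior customer interaction, on any channel (constructed sample type)."""
    channel: str        # "web" or "phone"
    kind: str           # e.g. "login", "password_reset", "auth_failed"
    when: datetime


@dataclass
class PhoneRequest:
    """What the IVR/call-centre system knows about the current call (assumed fields)."""
    caller_id: str
    numbers_on_file: frozenset
    kind: str                                   # "balance" or "transfer"
    amount: float = 0.0
    new_payee: bool = False
    voiceprint_score: Optional[float] = None    # biometric match 0..1; None if not enrolled
    history: List[ChannelEvent] = field(default_factory=list)


# Assumed weights and thresholds; larger score means riskier.
W_UNKNOWN_CALLER, W_NO_VOICEPRINT, W_VOICEPRINT_MISMATCH = 20, 15, 40
W_RESET_THEN_TRANSFER, W_REPEATED_FAILURES = 30, 25      # cross-channel and brute-force signals
W_LARGE_AMOUNT, W_NEW_PAYEE = 20, 15
LARGE_AMOUNT, VOICEPRINT_THRESHOLD, MAX_FAILURES = 5000.0, 0.5, 3
CROSS_CHANNEL_WINDOW, FAILURE_WINDOW = timedelta(hours=24), timedelta(hours=1)


def risk_score(req: PhoneRequest, now: datetime) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason explains one contribution."""
    score, reasons = 0, []
    # Caller line identification is spoofable, so it only nudges the score.
    if req.caller_id not in req.numbers_on_file:
        score += W_UNKNOWN_CALLER; reasons.append("caller number not on file")
    # Voiceprint: unenrolled callers get a small penalty, a poor match a large one.
    if req.voiceprint_score is None:
        score += W_NO_VOICEPRINT; reasons.append("no voiceprint enrolled")
    elif req.voiceprint_score < VOICEPRINT_THRESHOLD:
        score += W_VOICEPRINT_MISMATCH; reasons.append("voiceprint does not match")
    # Cross-channel signal: a credential reset on the web shortly before a phone
    # transfer is the fraud-migration pattern the article warns about.
    recent = [e for e in req.history if now - e.when <= CROSS_CHANNEL_WINDOW]
    if req.kind == "transfer" and any(
            e.channel == "web" and e.kind in ("password_reset", "pin_reset") for e in recent):
        score += W_RESET_THEN_TRANSFER; reasons.append("web credential reset before phone transfer")
    # Repeated failed phone authentication in the last hour (PIN guessing or social engineering).
    failures = sum(1 for e in req.history
                   if e.channel == "phone" and e.kind == "auth_failed"
                   and now - e.when <= FAILURE_WINDOW)
    if failures >= MAX_FAILURES:
        score += W_REPEATED_FAILURES; reasons.append(f"{failures} failed phone authentications")
    # Transaction-level signals only matter when money moves.
    if req.kind == "transfer":
        if req.amount >= LARGE_AMOUNT:
            score += W_LARGE_AMOUNT; reasons.append("large transfer amount")
        if req.new_payee:
            score += W_NEW_PAYEE; reasons.append("payee not seen before")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: proceed, step up authentication, or block."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"      # e.g. call back on the number on file, or send a one-time code
    return "block"            # refer to the fraud team before anything moves


def evaluate(req: PhoneRequest, now: datetime) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(req, now)
    return decide(score), score, reasons


# Constructed scenarios (not real customer data).
NOW = datetime(2007, 1, 15, 10, 0)
ON_FILE = frozenset({"+61400000001"})


def sample_routine(now: datetime = NOW) -> PhoneRequest:
    """Balance enquiry from the customer's usual number with a strong voiceprint match."""
    return PhoneRequest("+61400000001", ON_FILE, "balance", voiceprint_score=0.92,
                        history=[ChannelEvent("web", "login", now - timedelta(days=3))])


def sample_step_up(now: datetime = NOW) -> PhoneRequest:
    """Known caller, good voiceprint, but a large transfer to a brand-new payee."""
    return PhoneRequest("+61400000001", ON_FILE, "transfer", amount=6000.0,
                        new_payee=True, voiceprint_score=0.95)


def sample_suspicious(now: datetime = NOW) -> PhoneRequest:
    """Unknown number, no voiceprint, web password reset 2h ago, three failed PIN attempts."""
    hist = [ChannelEvent("web", "password_reset", now - timedelta(hours=2))]
    hist += [ChannelEvent("phone", "auth_failed", now - timedelta(minutes=m)) for m in (40, 30, 20)]
    return PhoneRequest("+61299999999", ON_FILE, "transfer", amount=8000.0,
                        new_payee=True, voiceprint_score=None, history=hist)


if __name__ == "__main__":
    for label, req in (("routine", sample_routine()), ("step_up", sample_step_up()),
                       ("suspicious", sample_suspicious())):
        print(label, evaluate(req, NOW))
```

The point of keeping the score additive and the reasons explicit is that call-centre staff and fraud analysts can see why a caller was stepped up or blocked, and the cross-channel rule shows how a web-side event (a credential reset) changes the treatment of a later phone request without the caller noticing anything until the step-up.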
This message is certainly starting to resonate. According to a 2006 RSA survey of specialists at leading financial institutions, 60 per cent of respondents believe that cross-channel fraud is now a bigger problem than pure online fraud, and 80 per cent reported that cross-channel coordination is the biggest internal challenge they face.
It seems many consumers are still more comfortable using the phone than the Internet to conduct their sensitive business. That confidence needs to be nurtured and protected, even as financial institutions seek to make the online medium more attractive and secure.
Geoff Noble is banking & finance specialist at RSA, the security division of EMC.
