Organized crime groups seeking to commit financial fraud tend to target banks when the financial institutions are most vulnerable and through the weakest link—which, unfortunately, may include the bank’s contact center personnel, says Shirley Inscoe, senior analyst at Aite Group.
She’s surveyed security-related executives at many of the country’s top 40 banks in order to get an understanding of how such groups go about obtaining the sensitive customer information they use to steal customers’ money.
In an interview with Banking Exchange, she provided a couple of scenarios in which intruders may use pretext techniques to get information:
“During a distributed denial of service attack, when the online banking channel is not available, they will flood into the contact centers knowing that they are overwhelmed. The contact centers are trying to assist customers as quickly as possible. Security may not be at its best. Contact people may be taking short cuts in their authentication procedures. So the criminals strike particularly at those times,” Inscoe says.
Another example: “During a merger, when everything is changing. The acquired bank has new products to understand. They have a new system to learn. They’re very vulnerable at times like that,” she says.
In response, Inscoe says the bankers she’s talked to indicate they may look into new technologies that either identify the voice of the caller or identify technical information associated with a particular call, and that don’t depend on the traditional knowledge-based questioning techniques.
“In other words, to use technology to look at a lot of different aspects of that call, such as what kind of device was used? Was it a land line or cell phone or VOIP call? Where did it originate? There is a lot of information that can be analyzed to identify that caller or where that call came from, so the bank can identify those repetitive callers.
“Some banks are actually using voice biometrics to create a voice print of the fraudster, after they have lost money to one of these people…These negative voice prints can be used to determine that this same bad guy is back again,” she says.
Another thing that banks are doing is to deploy behavioral analytics that look at all activity across a customer’s file. “Suppose that customer, who did get information compromised, suddenly is detected trying to generate an online money transfer. The analytics would issue an alert that that is atypical for this customer, and catch the transaction before it leaves the bank,” Inscoe says.
Additionally, the bank can contact the legitimate customer separately to determine whether the attempted transfer was on the up-and-up. “If the customer says no, then the bank does not send the transfer. The true customer is assured that their account is safe and the fraudster didn’t get to accomplish what he wanted to do,” she says.
Nevertheless, banks need to constantly update their defenses based on all the new lines of communication—text, chat, email—that customers now have available. “That’s why call centers have become contact centers,” she notes.
“One thing I’m hearing from the banks that is happening is email account takeover,” she says. “Let’s say I typically interact with my bank via email. It is not unusual to email my bank to make specific requests and they handle them that way. The fraudster is able to gain access to my email because my credentials have been compromised, and then they emulate my emails…They might ask for something a little bit different from what I normally ask for, but in the name of customer service, the bank sends that wire transfer or whatever.”
The two avenues of defense against email takeover, she says, are to never violate policy and to re-authenticate the customer periodically to make sure he or she is legitimate.
“First of all, contact center personnel shouldn’t do something they shouldn’t do, even if they’ve exchanged emails with this client before. They should honor their own policies. Second, it’s important, when they are emailing back and forth with a client, to have some additional level of authentication occasionally, particularly if there is a request for a monetary transaction of a larger value than has happened before.”