SA call centres look to MFA to combat fraudsters
There is an increase in the number of incidents involving fraudsters who use social engineering tactics against call centre agents to access customer information and accounts.
This is according to global authentication and platform application company Entersekt. The company says research shows that more companies are moving away from knowledge-based authentication (KBA) to multi-factor authentication (MFA) to boost security without compromising customer experience.
Entersekt points to research by TransUnion company Nuestar which shows that the majority of US call centres had seen a year-on-year increase in call centre fraud. It also shows that targeting of agent-led authentication methods over the phone channel had grown by 70% in 2021, amounting to a US$5.8-billion increase in fraud.
Research found that 60% of financial institutions plan to supplement KBA with MFA, and more than one-third of non-financial organisations plan to replace KBA entirely.
The rise in call centre breaches is largely due to tighter security across other digital channels.Skelley McKeaveney, Entersekt.
Shelley McKeaveney, senior VP: growth, MEA region at Entersekt, says while they do not have statistics that reflect the situation in South Africa, it is similar. “We are seeing a growing number of queries from South African corporates looking to beef up their call centre security. Unfortunately, many local call centres still rely on knowledge-based questions to verify customer identity. Not only does this mean the customer and agent must spend more time on each call, but it exposes call centres to phishing attempts.”
McKeaveney says the rise in call centre breaches is largely due to tighter security across other digital channels.
“Whenever you tighten up one channel against security breaches, the fraudsters find another way in. Companies have spent a good deal of time locking down their websites and their apps with multi-factor authentication, but that will sometimes leave the call centre as the most porous channel,” she says.
Businesses are also aware of the cost and resource implications of technology implementation to secure channels.
“But ultimately it depends on time spent on calls versus the reduction in fraud,” says McKeaveney.
“While some resources are required to move from KBA to MFA, there needs to be a balance between commercial benefit with quicker, more secure transactions and money saving,” she adds.
New way to secure
Customers are used to multi-factor authentication when browsing, where security solutions can cryptographically bind customers’ digital identities to unique instances of their mobile apps or web browsers. However, McKeaveney says this is also possible in the case of call centres.
“Without too much extra effort, the same principle could be applied to confirm the identities of callers during call centre interactions. Agents could authenticate the caller via the company’s app while on the call. Once verified, the agent would be assured of the identity and could confidently continue with the call. In-app authentication also facilitates additional verification via a PIN or biometrics,” McKeaveney explains.
For customers without smartphones, McKeaveney says companies can offer GSM authentication with USSD or SMS. This option also allows SIM age verification to ensure there has been no SIM xwap, and she adds that this option is also appropriate for those customers who prefer not to use apps.
While reinforced security within the call centre environment is the primary objective, this development can be used to not only sustain customer experience, but heighten it.
“The wonderful thing about the advances we have made in context-aware authentication, is that companies can deploy the best option for each customer. Understanding the customer's context could inform which of the authentication methods is used. If a person is active on the app, then in-app authentication would be ideal. If they are not, then the USSD may be better. We can also see if users are travelling internationally and avoid making any voice calls. There are many ways for companies to orchestrate a response depending on the channel that they're using and the customer's profile.”
McKeaveney says KBA is outdated and not in the interest of the call centre.
“Customers are frustrated by the knowledge-based authentication process. It’s time- consuming and most of us often can’t remember the last time we used a bank card or what we said our favourite food was. Up-front customer authentication can cut between 15 to 30 seconds off a call. And in some instances, where identity checks must go through multiple rounds, agents can save more than a minute. Getting the security out of the way before the call means agents can focus on addressing the customer’s issue which makes for a better experience all round.”