Voice 'fingerprints' may plug call-center security leaks

You've heard such stories. Mat Honan, a reporter for Wired magazine had almost his entire digital life erased when a fraudster used social media account information to trick Apple and Google into allowing him access to Honan's account information.

Paul Allen, the billionaire co-founder for Microsoft fell victim to identity theft when an AWOL U.S. Army solider called Citibank and changed the address of Allen's card from Seattle to Pittsburgh, which he then used on a $15,000 shopping spree.

The common theme between these two high-profile stories is the way fraudsters were able to penetrate the contact centers of these big companies and misrepresent themselves as legitimate customers.

TAKING NOTICE: For the first time, a small data breach draws a big fine ($50K) 

MORE SECURITY: 12 must-watch security startups for 2013 

Call center fraud has recently become the hack-de-jour for fraudsters, some industry experts say. Shirley Inscoe, a fraud analyst at Boston-based Aite Group, says many financial institutions have beefed up their online defenses, particularly in response to new guidelines that have been released by the Federal Financial Institutions Examination Council (FFIEC) about how best to comply with existing regulations.

There has not been as close scrutiny on call center security though. "Many banks have really shored up their defenses in the online channel in the last two to three years," she says. "As a result, now we're seeing fraudsters go to the call center, where there it's perceived to be an easier target with fewer defenses."

Not only have organizations focused their security efforts outside of the call center, but information fraudsters can use to launch attacks is much easier to obtain online. Knowledge-based authentication - "what's your mother's maiden name?" -- are far from private. Inscoe says she's heard of databases listing the maiden names of individuals. Even more dynamic questions such as what street did you used to live on or what high school did you attend are not fail-safe. "People post that information on Facebook," Inscoe says. Easier access to information combined with the call center being perceived as a weak link has left the contact center vulnerable, she says.

There are a variety of new tools being used in contact centers today and perhaps one of the most promising is voice biometrics. Today, NICE Systems, a provider of both contact center software and fraud prevention, released a voice biometrics product as part of its Contact Center Fraud Prevention product.

Like a fingerprint, each person's voice is unique, which can be used to identify known fraudsters, says Ori Bach, director of solution management for NICE. The voice biometrics system cross-references the callers against a list of known criminals. The system also analyzes the rate of calls coming into the contact center, talking patterns of callers and emotion. Fraudsters, for example, often yell at call center agents in an attempt to portray an angry customer, coercing the agent into agreeing to the fraudster's demands.

MOBILE MADNESS: Mobile attacks top the list of 2013 security threats 

TALK ABOUT BIG DATA: How the Library of Congress can index all 170 billion tweets ever posted 

The move was a natural progression for NICE Systems, says Sheila McGee-Smith, a unified communications analyst. NICE focuses on banking and financial institution security, which is where it developed the voice biometrics technology, now it's broadening the technology to serve its contact center business.

Contact center service providers are beefing up their systems in specialized ways. One trend is that instead of subjecting all customers to these enhanced security procedures, instead alerts are created to identify which callers should be screened for additional authentication. For example, caller ID systems can alert the call center agent to whether the caller is calling from an unknown number. Queries of the phone system can inform the call center as to whether a stolen cell phone is being used. If a flag is cued, then the call center operator may take additional authentication measures, such as using the voice biometrics. Don Van Doren, president of Vanguard Communications, a unified communications consultant, adds that voice biometric systems can have flaws too - weak connections, cell phones and having a robust voice registry of criminals are all challenges

Most of this security work is done by specialized third-party vendors though and not the major contact center service providers, says Van Doren. "It's a very specialized area, and frankly it's a distraction for the vendors," he says. The Ciscos Avayas and Siemens of the world have bigger fish to fry managing the migration from PBX to next-generation, mobile-first UC systems. They leave security up to customers to pursue with niche providers.

Vendors in the space include Nuance on the voice recognition side while providers like TrustID have caller ID services. Inscoe believes this could all change soon though. If attacks become more frequent and losses for organizations mount, more customers will look for security tools for the contact center and vendors will respond, she predicts.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.

Read more about software in Network World's Software section.