It’s time to replace knowledge-based authentication (KBA) in contact centres

To stay ahead of increasingly sophisticated fraud, contact centres will need more than traditional KBA methods.

Richard Atherton, Senior Manager, Cloud Contact

ReliaQuest reports that the dark web currently has over 24 billion username and password combinations for sale, equivalent to four for every person on the planet.

This vast sea of illegally obtained credentials grows every day as fraudsters develop more sophisticated ways to harvest personal information. This helps them build profiles on potential victims or create synthetic identities to open new fraudulent accounts – and then, the damage continues.

Unfortunately, contact centres are prime targets for obtaining this information. Typically, criminals carry out a range of different exploits – from social engineering and psychological manipulation of agents, to Interactive Voice Response (IVR) mining, which finds flaws in automated systems that reveal customer details.

With so much valuable information getting into the wrong hands, how confident can agents be that any caller is who they claim to be?

To be sure, organisations need to rethink how they authenticate their customers.

Traditional KBA isn’t enough in today’s fraud environment

Many contact centres still rely on traditional knowledge-based authentication (KBA) as their default strategy for identifying customers, but these measures are also the fraudster’s favourite loophole. Asking security questions or requesting specific personal details only proves that the caller has access to the right information, and these credentials are often available to buy illegally.

To make KBA more secure, organisations establish large libraries of different KBA questions to make their protocols less predictable. But in practice, agents rarely use these banks to their full potential. Instead, they learn from experience that more obscure questions cause issues and slow down transactions. They opt for the ones that accelerate service – especially if they’re under pressure to reduce call handling times.

The flaws in multi-factor authentication

A logical security upgrade from KBA questions is using multi-factor authentication methods like One Time Passcodes (OTPs) that verify device possession in addition to knowledge. But, in recent years, we’ve started to see these measures being bypassed by criminals – HSBC revealed that 37% of successful fraud attempts in 2021 involved the use of an OTP.

HSBC is just one of the major banks to put out a warning to their customers about fraudsters increasingly tricking people into revealing OTPs. Common methods of accessing OTPs include criminals impersonating a trusted organisation by ringing up customers or sending a ‘smishing’ text that requests the code.

We’re also seeing even more intrusive tactics, such as malware that compromises devices to covertly intercept passcodes as they’re sent out, or SIM swapping, where a customer’s messages are hijacked by assigning their number to a new SIM card – exploits that are very difficult to detect in real time.

Contact centres need to focus on inherent characteristics

A more thorough method of authentication is to adopt a multi-layered, as opposed to multi-factor, approach. This focuses on a combination of key qualities which are much harder to separate from the customer, like the inherent, unique characteristics of a caller’s voice. The fact that these characteristics are so personal and individual makes them much more secure than any knowledge-based approach alone.

A passive caller authentication and fraud detection solution provides the first layer of defence to analyse calls as they come in – looking carefully at the call signalling, caller behaviour and comparing the number against a global database of confirmed fraudsters and previously flagged activity.

Then, for calls which reach an agent, a layer of voice biometric authentication can be integrated into the experience. Biometric security analyses inherent characteristics that can only be attributed to a specific caller’s identity – namely, the unique subtleties of their voice and language patterns. These distinct metrics have proven extremely difficult for criminals to replicate, even with the latest deepfake technology. In fact, according to Experian’s Global Identity and Fraud Report, 80% of consumers ranked biometrics as the safest authentication method currently on the market.

Authenticate with confidence

By combining Nuance Gatekeeper with Smartnumbers Protect, you can upgrade your contact centre authentication to this more secure, multi-layered approach. The solutions work together brilliantly – Smartnumbers Protect analyses calls as they come in, and then once the call is answered or connected to the IVR, Nuance Gatekeeper provides seamless biometric authentication based on the customer’s voice.

This approach can help you improve customer experiences, reduce costs and increase IVR containment through seamless self-service, with considerably less risk.

We’re proud to offer these as part of our world-renowned security portfolio. Find out more about our flexible and easy-to-manage contact centre security solutions.
