Who do you think you are: voice recognition in the call centre
Even organisations with impeccable security credentials know that they are not immune to identity fraud. A security breach at one organisation can quickly ripple out and cause chaos in another, severely damaging customer relations. Albert Selzer, MD, Spescom UK explains how biometric voice recognition technology can reduce the incidence of identity fraud and add competitive advantage to organisations that use it.
Identity fraud is big business in the UK. CIFAS, the country’s fraud prevention service, reported that cases of false identity and impersonation fraud grew by 600 per cent between 1999 and 2004. In addition, data provided by members of CIFAS showed that in the first months of 2006 there had been a quarter-on-quarter increase of 17 per cent in identity fraud – which represents 16,077 victims of impersonation in the three-month period. Figures from APACS, the banks’ clearing service in the UK, showed that a fraudulent transaction took place every eight seconds in 2004. And all this despite a high-profile media campaign to educate members of the public on the subject.
The amount of money involved is staggering. CIFAS estimates that the 120,000 cases reported in 2004 alone cost the British economy £300 million. For the same year, APACS reported that fraud worth £500 million had been carried out on UK-issued plastic. Of this £150 million related to ‘card not present’ fraud – up 24 per cent from 2003. APACS states that this crime most commonly involves the theft of genuine card details to make a purchase through a remote channel such as the telephone or the internet.
The following scenario illustrates this point: a mobile phone operator calls a customer up and offers him a great end-of-contract upgrade. It’s a bargain – so he hands over his credit card details, and anticipates a new phone arriving on his doorstep sometime that week.
A day later his bank calls him to verify the transaction. He believes this to be a genuine call and, naturally, because it’s the bank, he answers the security questions asked. He hands over his mother’s maiden name and date of birth – but the new phone fails to materialise. Then it dawns on him, he has been a willing if unknowing victim of fraud. Criminals now have all his relevant personal data, and they have used it to call the bank’s contact centre and move money from his account. To make matters worse, the security details on his account have also been changed and the bank no longer recognises him. This is a problem with long term consequences: the essential trust between the customer and all suppliers will have been broken down.
The rise of identity fraud
For many people it doesn’t take any imagination at all to picture this situation because they have already been the victims of identity theft. This particular story is based on real-life events that not only caused the customer a great deal of inconvenience, but cost his bank £5,000 plus the costs of the ensuing investigation.
The criminals knew that identifying someone over the phone is often the weakest link in a firm’s security infrastructure, and took advantage of it accordingly by extracting personal details and using them when calling the bank.
Identity fraud like this is a symptom of the increasing number of everyday transactions that take place online, or over the telephone through contact centres. As personal interaction becomes rarer, the ability to confirm someone’s identity by their physical presence lessens. New methods need to be employed to ensure that an individual’s identity in the virtual world is as secure as it is in the physical one.
Preventing fraud is obviously in everyone’s interest: the consumer, the bank, the phone company and the call-centre that acts as an intermediary.
On a more long term basis, all parties need mutual reassurance that the other party involved in any transaction is exactly who they say they are. Without it, confidence in the whole system becomes undermined, and customer loyalty is diminished.
But does this lack of confidence necessarily have to be the price that we pay for greater convenience and lower cost services?
A new layer of security
Of course, requiring customers to prove their identity is not a new idea. In March 2004 new anti-money laundering regulations were introduced under the banner Know Your Customer. These require all UK businesses to prove customer identity and verification through at least two forms of written documents. However, it does slow down the account opening process, for example, and obviously does not protect either the bank or the customer in the course of daily phone-based interaction.
Which is why companies rely on passwords or other personal data. But although much quicker, this is not entirely foolproof. As we have seen, they can be circumnavigated with a little social engineering and a lot of determination.
It’s clear that existing tools for managing identity need to be enhanced by additional layers of security that will increase the probability of a positive identification. But in a call-centre any identity validation methods must not slow down the call handling process, since these organisations are used precisely because they are cost-effective, convenient and efficient. Any time-consuming security process inevitably increases costs and reduces revenue, counteracting the centre’s very raison d’être. It needs to be unobtrusive and, ideally, invisible to the customer if they are not to be deterred from using cost-effective telephone-based services.
Security experts frequently talk about two or three-factor authentication. We have all become familiar with passwords – ‘something you know’ – as a method of protecting our virtual identity. But additional layers, like biometrics, add ‘something you are’ to the security equation and, in combination with existing tools, offer the best opportunity for positive identification.
However, the only biometric that works with a telephone call is automatic voice recognition. A biometric measurement of a voice can be achieved by mathematically modelling the vocal chords, to create a voice print: the vocal equivalent of a fingerprint. A biometric based system would work by making a voice print of a genuine customer, and recording this with their file. Whenever the customer calls back the system will create a new voice print and compare it to the one stored on file. If the prints match the caller is genuine.
The reality of voice recognition
There are a number of benefits associated with the use of voice recognition technologies. First of all, the prints do not change with language, nor can they be disguised with regional accents. Although age does have an impact, the change is gradual – so new recordings would only be required every ten years or so, minimising customer inconvenience.
Unlike speech recognition technologies, which are already widely used in automated and self-service situations, voice recognition is text independent. In other words, it does not require the user to repeat a specified stock phrase, so the new print that is created with each incoming call can be generated through the course of normal conversation. There is less chance of recorded messages being used to defraud the bank as a result – and the whole process is non-invasive and does not detract from the convenience of the call-centre.
As an additional advantage, voice recognition can be used to validate the identity of the call agent as they log in. This also acts as an extra layer of security and can even provide call-centres with a competitive differentiator. Customers will respect the call-centre, and have the confidence that individual call handlers are who they are supposed to be and cannot use personal information inappropriately without detection.
However, no biometric is 100 per cent exact – even DNA matching allows for errors, albeit infinitesimal ones. But, in a call-centre, the agent simply has to confirm a positive match in a one-on-one comparison, and in the majority of cases this shows clearly whether the prints match. In the relatively few cases where uncertainty exists, the system can be set up so that it indicates this to the operator, who can then use more conventional authorisation practices to validate the caller.
Furthermore, bad lines and static may create interference and affect the quality of the voice print. However a number of systems can be ‘trained’ on both mobile and fixed lines to handle these situations, and the technology can filter out excessive background noise to give a clearer print.
Nonetheless, companies need to understand what their own risk parameters are when using voice biometrics. Are they prepared to spread their nets wide, and catch all impostors, on the understanding that certain genuine customers will also be caught up in the process? Or will they be a little less stringent, and ensure that all genuine callers are let through – and possibly a few fraudulent callers with them. There is a pay-off to be made, which means that other forms of identity management cannot and should not be abandoned completely.
Returning to our earlier example, with voice recognition technology in place the bank would have known that the fraudster was not a genuine customer, regardless of all the personal details they had to hand. Furthermore, the bank would have had a voice print of the fraudster on file that could be used in any criminal prosecution that ensued. In an interconnected world, voice biometrics may provide the security solution – and the mutual confidence – that everyone is looking for.