Friday, January 11, 2008

Security, Call Centres and Fraud

Fraud, especially around identity theft, is one of the hot topics in the UK at the moment.

Obviously, the UK government department HM Revenue & Customs losing the data of 25 million people has made it a more commonly discussed topic than it was before. Then this week, anyone in the UK who still didn't think loss of personal data was serious now has the example of Jeremy Clarkson to consider. Clarkson (a television show host & newspaper columnist) was so sure that the impact of lost data was exaggerated that he published his bank account number and bank sort code in his weekly national newspaper column, claiming that there was nothing to fear. As is now reported, he did have something to worry about. One of the readers of his column used his details to set up a monthly £500 direct debit from his account, as the charity the British Diabetic Association is one of the many organisations that do not require a signature when setting up a direct debit.

All of which is jolly good knockabout fun, but risks obscuring a more interesting and more serious story (and one more relevant to the European Contact Centre blog).

Also this week, in a less reported story, an identity fraudster managed to persuade a Barclays call centre to issue a credit card in the name of an existing customer called Marcus Agius. This identity fraudster then used the credit card to withdraw £10,000 from a Barclays branch. The more startling point is that Marcus Agius is not just any customer of Barclays but is the chairman of the bank and has been on the board since September 2006.

I'm not surprised that a call centre agent didn't recognise the chairman by name (though alarm bells should perhaps have rung when he found out the employer during the application process!), as new or junior staff may not be very interested in executives at that level. Two things do stand out for me in the Barclays case. The first is that the card could be applied for and sent out to an address that was (at best) open to interception and (at worst) totally different from that normally used by an existing customer of the bank. The second is that security measures like passwords failed completely to verify the applicant.

Now you may assume that in a call centre environment verification will always be a problem when a physical signature can't be presented and you can't see the face of the applicant. This is not the case.

I've written previously about Natural Language and Automated Speech Recognition (for example "Speech market share - the role of non-European languages"), and identity verification by voice is a natural extension of this technology. The problem with passwords is that they verify what you know, not who you are. Should what you know not be known only to you, then that knowledge ceases to be verification of who you are.

Voice prints, or similar techniques of deriving a unique identifier from a voice, offer a much better way of verifying identity. I've mostly had experience with IBM and Nuance in this field but lately I've been very taken with the approach of VoiceVault. VoiceVault do seem to have taken a purer security approach to the problem of voice verification and I rather like that. There do seem to be significant variations in how each vendor approaches the verification problem and so far (though this is early days), I've been very interested in how the different approaches produce results. All of these potentially work with voice portal technology (though I'm primarily interested in applying them with CVP, the Cisco Voice Portal).

The big advantage of voice portals is that they provide an environment where applications can be combined and hence you can have layers of security. So for example, it's unlikely that speaker verification alone would be adopted, even if it could achieve 99%+ rates of verification. Instead, a combination of password, speaker verification and other measures could be deployed relatively easily in a portal environment to provide layers of security. That way even if one security measure is defeated others are likely still to work.

Would speaker verification alone have been enough to prevent the Barclays situation? I doubt that it would have prevented the situation by itself, but it could have highlighted the anomaly to the agent, and could have triggered further security checks and processes. In the end good processes will provide the security; what technology can do is enhance them and make it harder for them to be defeated.
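
An added example, not part of the original post: a sketch of the layered decision described above, where a correct password alone is not enough and a weak voice match, or a card delivery address that differs from the one on file, sends the call to further checks. The thresholds, field names and decision labels are assumptions for illustration, not any vendor's API.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not vendor defaults).
VOICE_ACCEPT = 0.90   # at or above: strong speaker match
VOICE_REJECT = 0.50   # below: treated as a different speaker
HIGH_RISK_REQUESTS = {"new_card", "change_address"}
HARD_FAILURES = {"password failed", "possible recorded voice", "voice mismatch"}


@dataclass
class CallContext:
    password_ok: bool        # knowledge factor: what the caller knows
    voice_score: float       # speaker-verification score in [0, 1]
    replay_suspected: bool   # recording-detection flag, if the engine has one
    request: str             # e.g. "balance", "new_card"
    delivery_address: str    # where the caller wants the card sent
    address_on_file: str     # address the bank already holds


def _norm(address: str) -> str:
    """Compare addresses ignoring case and spacing differences."""
    return " ".join(address.lower().split())


def decide(ctx: CallContext) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is ALLOW, STEP_UP or REFER."""
    reasons = []
    if not ctx.password_ok:
        reasons.append("password failed")
    if ctx.replay_suspected:
        reasons.append("possible recorded voice")
    if ctx.voice_score < VOICE_REJECT:
        reasons.append("voice mismatch")
    elif ctx.voice_score < VOICE_ACCEPT:
        reasons.append("voice inconclusive")
    if (ctx.request in HIGH_RISK_REQUESTS
            and _norm(ctx.delivery_address) != _norm(ctx.address_on_file)):
        reasons.append("delivery address differs from address on file")

    if HARD_FAILURES & set(reasons):
        return "REFER", reasons    # a defeated layer ends self-service
    if reasons:
        return "STEP_UP", reasons  # anomaly: agent runs further checks
    return "ALLOW", reasons


# Constructed sample call: the password is right, but the voice and address are not.
suspicious = CallContext(True, 0.35, False, "new_card",
                         "12 Example Road, London", "1 Sample Street, London")
```

Each reason string is meant to be shown to the agent, so the anomaly is visible even when the password check passed.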


Linus said...

What about recording someone's voice and then using it for verification? Couldn't be too hard, so you are definitely right that relying on voice recognition only would be a big mistake.

Alex said...

Hi Linus,
Recording is certainly a risk, but generally the need to interact dynamically makes recording very difficult, unless you have a recording of all the speech options you need.

The risk is much greater if verification is only done on a single phrase or password, in which case recording would be a very real risk. Most of the speech recognition vendors say their technology can identify recording, but I feel the best defence is layers of security and processes, rather than a technology solution alone.
Best wishes,