Better customer protection with biometric authentication

Foreword

The contact centers’ crucial role in creating seamless CX has been challenged over the last 24 months by the increase in hybrid working, changing customer sentiment, unavoidable attrition and new technology. Adding to this list, fraud of all kinds has risen exponentially, posing a significant risk for call centers worldwide.

We know that solid CX builds trust and boosts revenues, but how can CX leaders find and use actionable insights and information to ensure their hybrid or remote contact center technology, processes and governance structures will meet security best practices and keep customer data safe?

Knowledge-based authentication (KBA) questions such as “what is your mother’s maiden name?” are commonly used to protect account and personal information. Often, the answers to these KBAs are easily discoverable by malicious actors due to the breadcrumbs of highly personal information people tend to leave across the internet for anyone to find. The result is these KBA questions are easily hackable, posing a risk to both individual customers and the parties that hold this data.

Companies are acutely aware of these widespread security vulnerabilities, with 70 percent of businesses more concerned about fraud this year than last, according to Experian’s 2022 Global Identity and Fraud Report.

Among consumers, 55 percent regard security as the most critical aspect of their experience when interacting with organizations online. The survey questioned 1,849 business respondents and 6,062 consumers across 20 countries.

In this high-risk environment, security is everybody’s responsibility and the approach to its reinforcement has shifted. The CISO may be the security director and procurement manager, but this person requires support from the whole workforce. The understanding of security has also changed. The fortress approach of the centralized office is no longer relevant in this ever-evolving digital and omnichannel world. Instead, present-day security is about layers and barriers.

The situation places a new and substantial burden on CX leaders, who are now implementing sophisticated tools to support their frontline teams and protect the business against social engineering attacks.

Also read: Personalize CX with data driven self service

This report explores the impact of utilizing the customer’s voice to provide the first line of defense in the call center. With input from Citi Singapore, Mastercard, Econet Zimbabwe and Experian, it documents voice of the customer (VoC) insights on sophisticated security methods and the application of voice biometric solutions.

Understanding and mitigating risk

In PwC’s 2022 Global Economic Crime and Fraud Survey, 46 percent of 1,296 business executives reported fraud, corruption or other economic crimes occurring in the last 24 months. In the US, 2021 data from the Federal Trade Commission showed consumers reported losses of more than US$5.8bn due to fraud.

This upward trend is reflected in customer contact centers around the world. Research conducted by Forrester found that in retail, an average of one in every 142 calls was fraudulent in 2020. Those industries traditionally perceived as more secure (healthcare, financial services) experience a far lower rate of fraud (see Figure 1) due to their likelihood of implementing more sophisticated security solutions. As of 2021, however, 57 percent of respondents across all industries said fraud was still increasing.

Figure 1

The needle in the haystack: Total volume of genuine calls by industry for one fraudulent call

Eduardo Castro, managing director of identity and fraud at Experian UK and Ireland, says: “Fraud is an evolving space, and as a result, the technology and solutions to fight it are constantly evolving, too. There is no ‘future-proof’ solution, and the challenge of detection is compounded by the fact the vast majority of applications and attempts to access sites and services are genuine.”

He continues to say that this situation inevitably leads to “unnecessary referrals and investigation of genuine applicants”, which increases administration costs and disrupts the customer experience.

As detailed in Figure 2, managing compliance and risk falls at the intersection of customer experience, operations and security. It also influences the customer’s perception of a brand; a trend explored on page 7 of this report.

Utilize automation to increase employee engagement

As fraudsters evolve, so too must their targets. Pairing the prevalence of identity theft and fraud with the efficiency burdens cited by Castro increases the need to find practical solutions.

For contact centers, voice biometric authentication can combat this risk to stop bad actors in their tracks. Biometric security deployments protect the customer, reduce the risk of employees being targeted and can even be used to identify fraudsters.

Jennifer Bonacci, product marketing manager for compliance, security and business continuity solutions at Talkdesk, says: “Unlike voice recognition, which analyzes what is being said, voice biometrics identifies who is speaking.

“Voice biometrics does not record what a person is saying – meaning that nowhere is there a recording of a voice that could be used for malicious purposes. Instead, what is recorded are various data points unique to a voice, like the tone and inflection and it is this voiceprint that is then associated with the caller’s identity,” she continues. The next section of this report explores how the threats that exist at present translate to the contact center and the responsibility this places on contact center agents, who are the first line of defense against fraud and malicious account activity.

Figure 2

Intersection of CX, operational vulnerabilities and data security

How contact centers are responding

The current threatscape has placed a new urgency on contact centers to ensure they have robust and appropriate security checks in place to protect both customers and agents.

Whether it is a hybrid call center or one that is entirely centralized in a physical location, those which still depend on KBA security in the current environment are at a heightened risk from the many ways existing systems can be compromised. For example, fraudsters can easily pose as contact center personnel to acquire a customer’s KBA responses and then use these to gain access to an account.

Jaslyin Qiyu, head of client marketing, channels and content at Citi Singapore, part of Citigroup, says unnecessary risks can be eliminated through the application of biometric technology as it reduces the reliance on manual validation.

She explains: “If you think about the usual process of calling into call centers and how they usually ask you for info to validate your identity by asking about your personal information, including answers to your secret questions, scammers can easily pose as contact center personnel to get the very same information.

“If you digitalize this process in a secured environment, which requires customers to log in using their biometrics, customers can be assured that access is kept to just them and the company directly without going through another party,” she continues.

Agents are the first line of defense against such social engineering and phishing attacks. The fraudsters they are at risk of encountering could have the customer or company in their crosshairs. Call center agents are particularly vulnerable when working from home, where smart devices and potentially unsecured connections both heighten risk.

“If you digitalize this process in a secured environment, which requires customers to log in using their biometrics, customers can be assured that access is kept to just them and the company directly without going through another party.”

Jaslyin Qiyu

Head of client marketing, channels and content at Citi Singapore

Hazvinei Ashley Matsangaise heads contact center operations for Econet Wireless Zimbabwe and manages a 400-strong team of agents. She sees several advantages to using voice biometrics: improvements in the authentication process and overall CX metrics; more engaged and productive agents; shorter average handle times (AHT); increased productivity; and, of course, better prevention against fraud.

Matsangaise says: “With constant technological developments and new, advanced solutions hitting the market, voice recognition is now starting to trend as a way of simplifying authentication processes for both employees and customers to log into a service, application, or device.”

Fraud, social engineering and cyberattacks are not the only means by which data and credentials can be stolen from the contact center. Budget cuts, a common reality across the public and private sectors at present, can result in the procurement of inferior IT systems which introduce new risk, as do human factors such as error and care failures which often emerge from a lack of training.

A CISO who works in the government sector in the United Arab Emirates says that in addition to the customer and contact center being a target, communication channels can also be compromised without appropriate security.

Strengthening the business case for sophisticated biometric-based security, he advises: “Biometric authentication, with the emergence of AI, can help mitigate against multiple attack vectors, such as man in the middle, spoofing identity and repudiation threats.”

Although the business case for the contact center is clear, there is a belief that many consumers are still apprehensive about how and where biometrics are used.

The next section of this report assesses how customer attitudes to biometric security are changing and how the use of sophisticated security can enhance the customer’s perception of a brand in the marketplace.

“With constant technological developments and new, advanced solutions hitting the market, voice recognition is now starting to trend as a way of simplifying authentication processes for both employees and customers to log into a service, application, or device.”

Hazvinei Ashley

Matsangaise Heads contact center operations for Econet Wireless Zimbabwe

The voice of the customer

Consumers are rightly concerned about security and there are geographic and generational nuances to the trend.

Experian’s survey found 89 percent of those in Colombia, Chile, Ireland and South Africa believe security to be the most important aspect of their experience, compared with a global average of 83 percent. Among baby boomers, 95 percent rank security as most important, 10 percentage points ahead of Gen Z.

Around the world consumers are cognizant of their heightened risk and are becoming more adept both online and offline at using sophisticated security methods to protect their data and interactions. In fact, they are coming to expect better-engineered security practices embodying both convenience and effectiveness for a number of reasons.

KBA security is no match for these VoC trends as it creates unnecessary friction points by requiring customers to remember ever-changing PINs and passwords.

Also read: Driving customer loyalty and retention in financial services

Experian’s Castro says: “Trust in advanced authentication technologies is growing across all demographics, giving confidence and reassurance to consumers.”

As many as 81 percent of consumers ranked physical biometrics as the safest authentication method, up from 74 percent in 2021. PIN codes sent to mobile devices (77 percent) and behavioral biometrics (76 percent) were considered to be the next safest methods. It should come as no surprise that for a second consecutive year, traditional password authentication did not make the top three.

Layered security is perceived the most effective approach, especially when it combines passive and active solutions with phishing-resistant multi-factor authentication (MFA).

What is notable from Experian’s survey is that the more prominent a brand, the more trusted it is to provide a secure experience. These VoC insights signal a notable opportunity, particularly for mid-to large-size traders, who can raise their brand perception in the marketplace by deploying sophisticated security tools.

Talkdesk’s Bonacci says: “The most prominent brands lead the charge and gain customer confidence by leveraging best-practice security measures like biometric authentication. As a result of these investments, they are perceived as ‘more trustworthy’. Therefore, their mid- to large-size competitors can foster similar bonds of trust by implementing more sophisticated security, for example biometric authentication.”

It means that when leveraged appropriately, better security can help drive overall business growth and brand perception.

Everyday biometrics

The growing consumer acceptance of biometrics can be attributed to the normalization of sophisticated biometric security checks in mobile, payments, airports and even hospitality experiences. Perceived as overly sophisticated and invasive in early deployments, they are now widely appreciated for their unmatched ability to prove identity.

In hospitality Nine Zero Hotel, a luxury property in Boston, US, was an early pioneer of iris scans. As long ago as 2008 it introduced iris scans as a premium experience option for VIP guests, as well as employees. Facial scans have been tested in China by the likes of Shangri-La Hotels and Resorts and Marriott International.

In the UK in 2014, British Airways passengers traveling via Gatwick Airport were introduced to similar technology. Its trial involved an iris scan being recorded at bag drop and then called on during passport control, security and boarding.

Today, the fingerprint unlock is well established on mobile devices, on mobile devices and, as demonstrated, iris and facial and facial scans are becoming increasingly popular. In the world of digital payments, for example, facial recognition can now be used to authenticate both Google Pay and Apple Pay.

Siva Thiagarajah, director, B2B governance and strategy at Mastercard, says that the adoption of any new technology naturally sees “early adopters, early majority, late majority and laggards” emerging. When it comes to the growing prevalence of voice biometrics in contact centers, however, he notes global brands can secure an advantage by starting their deployments in markets that are likely to be more accepting of the technology.

Referencing customer acceptance of voice biometrics across Asia-Pacific, he says: “Contact centers should launch these initiatives, in my opinion, in markets which are more open to change as a testing ground. These markets are experiencing phenomenal year-on-year growth and they are more open to experimentation which makes them the perfect testing ground for biometric acceptance.”

The next section of this report explores the difference between active and passive voice biometrics and how to secure buy-in from customers in all locations.

“Trust in advanced authentication technologies is growing across all demographics, giving confidence and reassurance to consumers.”

Eduardo Castro

Managing director of identity and fraud for Experian UK and Ireland

Enhance security, reduce friction

Every CX leader is responsible for ensuring customer communications, data and systems are secure across the organization. This is essential both for the overall user experience, as well as compliance.

Providing teams with the right tools and training each team member on new digital and physical security protocols is essential for a secure contact center, whether it is hybrid or physical.

As documented in earlier chapters contact centers are increasingly turning to voice biometric technology (VBT) for its dual ability to provide an additional layer of security while reducing authentication time. Additional customer authentication pain points can be addressed by leveraging VBT for authentication automation flows in orchestration with interactive voice response (IVR) systems.

Once a customer gives their consent, they enroll directly in VBT either by repeating a set phrase, as with active VBT, or indirectly by allowing elements of their voice to be captured in the background throughout the course of a conversation. These voiceprints can be used for future security checks in isolation, or as part of MFA.

The two types of voice biometrics can be defined as follows:

• Passive

Customers enroll by allowing their voiceprint to be captured while they talk, without having to explicitly repeat a phrase. An additional benefit of passive voice biometrics is that it can be used to continually monitor the voiceprint of the person speaking to ensure the phone has not been passed to someone else after the initial authentication.

• Active

Customers enroll by repeating a phrase, which is captured by software like Talkdesk’s Identity and then analyzed to create a voiceprint. Customers repeat the passphrase at the start of each call, with software such as Identity validating the authenticity of the caller.

Either passive or active VBT can be coupled with streamlined two-factor or phishing-resistant MFA processes.

Bonacci says: “Misconceptions still abound, but the reality is VBT is a security best practice that also offers customers a frictionless way to authenticate themselves, especially when coupled with two-factor or phishing-resistant MFA.”

Hand in hand with the established security benefits, Bonacci says CX itself can directly benefit from implementation by automating complex security checks and authentication time, while mitigating the risks of common threat vectors.

This has been particularly evident in financial services. Before Barclays Bank deployed voice biometrics in the UK, it saw up to 10 percent of genuine customers being turned away after failing KBA security checks. Voice biometric security eliminated this problem and reduced average call time by 15 percent.

HSBC UK prevented fraud losses of £400mn ($436mn) in 2019 and a further £208mn through January to October 2020 by deploying voice biometrics. Today it is piloting this technology in the US.

Mastercard’s Thiagarajah says: “For the customer the benefits include the ease of not remembering a password and the confidence that credentials can never be ‘stolen’. A fully verified customer will be easy to deal with as the contact center agent will no longer be required to verify the customer – a part of the interaction that is often met with resistance, resulting in poor experiences. Hence the removal of this pain point certainly helps to drive a better end to end consumer experience.”

Also read: Customer experince in telecoms

In addition to its own voice biometric deployments, Mastercard is currently testing biometric fingerprints for credit cards to provide secure transactions during in store purchases.

Mother’s maiden name

Although there is a clear and established customer demand for more stringent security practices, customers need to be aware of any widespread changes the organization plans to make.

When implementing any change to processes or security, businesses must proactively communicate the change with their customers. In the case of biometric deployment, if customers understand why and how their most sensitive data cannot be protected with their mother’s maiden name, successful implementation of new security protocols is ensured.

Once your business is ready to implement any technological changes that help increase customer self-service and provide more secure interactions, it is helpful to look at the tactics used by some earlyadopter organizations that successfully onboarded their customers to use other new technologies.

Shep Hyken, CX specialist, author and chief amazement officer at Hyken Productions, says: “Delta Airlines was one of the first to introduce online reservations. In the years since all airlines have followed this and it has now become the primary way to book. But at the time, the only way for Delta to get its passengers to use that new way of booking a flight was to train them to do so.”

Incidentally, in late 2021 Delta Airlines introduced an express bag drop service for its customers enrolled in TSA PreCheck, which uses facial recognition via the Fly Delta app.

Similarly, organizations looking to enhance their security posture need to educate and train their customers on self-service authentication through voice biometrics, which will therefore reduce the risk posed by overused PINs and weak passwords.

The next section of this report explores how to project manage a biometric security deployment.

“A fully verified customer will be easy to deal with as the contact center agent will no longer be required to verify the customer – a part of the interaction that is often met with resistance, resulting in poor experiences”.

Siva Thiagarajah

Director of B2B governance and strategy at Mastercard

Strategic steps to implementation

Organizations that have implemented voice biometrics have often adopted a win-win approach to their customer communications by taking time to explain to their customers the benefits of increased privacy and faster time to service.

For example, an insurance company in the UK implemented Talkdesk’s Identity and built a promotional campaign around enrollment, which encouraged all its customers to call in and proactively enroll in voice biometric authentication.

Bonacci says: “Next time, when it’s necessary for a customer to call the company to resolve an issue, they waste no time getting connected to an agent or their account because they have already enrolled and are immediately authenticated.”

Bonacci says this education piece should be supported with similar employee programs which include information on how voiceprint data will be secured, how to enroll and the value voice biometrics can offer.

“Always put your customers at the heart of your implementation plan. Do not wait until your new technology is implemented to begin educating your customers about voice biometrics,” she adds. As with all security and technology deployments, business objectives must also be aligned. This includes the decision to select active or passive biometrics, or incorporate both, followed by the related security and storage considerations.

Bonacci advises organizations to consider the anticipated volume of voiceprints that will be generated over specific time period (for example a week or month) and to then calculate how this number is likely to grow as more customers are educated and enrollment increases. The outlook for the pace of this growth will inform decisions around security and storage to ensure adequate solutions are in place to support deployment.

Finally, when capturing voice biometrics, Citi’s Qiyu says inclusive UX is imperative to ensure different accents can be recognized without compromising the effectiveness of the solution. Bonacci adds that consideration should also be given to background noise and the quality of the call center connection.

Once these steps are complete, the onus falls back to the organization to ensure the captured voiceprints are themselves secure in line with relevant local, national and regional regulations.

Discover how to decrease monthly AHT in the contact center and save call costs with this voice biometrics kit, which includes an ROI calculator.

The hybrid contact center security checklist

Best practice security standards for hybrid or remote contact centers:

• Access control and systems management

Distributed workforces increase the attack surface of the enterprise. To mitigate this, source a system that provides phishing-resistant MFA, single sign-in and/or end-point management.

• Agent oversight and compliance management

The absence of in-person management can increase the risk of fraud. Strong onboarding processes, however, coupled with continuous learning and tools to enable compliance can empower remote employees to work securely and productively.

• Vendor selection and management

Partner with a CCaaS provider that meets the regulatory and operational needs of the business. Vendors should adhere to common security frameworks, comply with global privacy standards, integrate with the identity management and access control system, prevent caller ID spoofing, and use encryption or MFA to secure customer data.

Final remarks

Customers in all markets face a heightened risk when interacting with brands and service providers and KBA no longer provides adequate protection. While there are many types of threats, when the contact center is involved, there are few solutions that can effectively eliminate these threats.

Evidence shows the introduction of voice biometric security in contact centers, however, has the power to change this dynamic. As demonstrated in Figure 1, industries such as insurance and financial services, when compared to retail, experience a far lower rate of fraudulent calls per 1,000 customer calls. This is because they are more likely to deploy voice biometrics and the fraudster knows they are less likely to be successful. The fraudster could even be caught in the process of attempting to breach the system.

The result is that fraudsters are now turning their attention away from industries such as insurance and financial services to focus more on those industries which have less stringent call center security as standard. This increases the urgency for leaders in these fields to implement biometric security solutions and enjoy its benefits, such as those cited by HSBC UK and Barclays Bank.

In addition to the compliance and CX gains, brands also benefit from biometrics – customers have a higher regard for brands that implement more sophisticated and less cumbersome identity checks.

Read the PDF report here