There has been a significant increase in call centres looking to move away from knowledge-based authentication (KBA) to multi-factor authentication (MFA) to boost security without compromising customer experience. The move comes on the back of a growing incidence of fraud targeting call centre agents, using social engineering to access customer information and even their accounts.
Research from Nuestar, a TransUnion company, shows that the majority of US call centres had seen a year-on-year increase in call centre fraud. The company said targeting of agent-led authentication methods over the phone channel had grown by 70% in 2021, amounting to a $5.8 billion increase in fraud.
“We are seeing a growing number of queries from South African corporates looking to beef up their call centre security. Unfortunately, many local call centres still rely on knowledge-based questions to verify customer identity. Not only does this mean the customer and agent have to spend more time on each call, but it exposes call centres to phishing attempts,” explains Shelley McKeaveney Senior Vice President: Growth, MEA Region at Entersekt.
McKeaveney says the rise in call centre breaches is largely due to tighter security across other digital channels.
“Whenever you tighten up one channel against security breaches, the fraudsters find another way in. Companies have spent a good deal of time locking down their websites and their apps with multi-factor authentication, but that will sometimes leave the call centre as the most porous channel,” she says.
A new way of securing call centres
Customers are used to multi-factor authentication when browsing, where security solutions can cryptographically bind customers’ digital identities to unique instances of their mobile apps or web browsers. However, McKeaveney says this is also possible in the case of call centres.
“Without too much extra effort, the same principle could be applied to confirm the identities of callers during call centre interactions. Agents could authenticate the caller via the company’s app whilst on the call. Once verified, the agent would be assured of the identity and could confidently continue with the call. In-app authentication also facilitates additional verification via a PIN or biometrics,” McKeaveney explains.
For customers without smartphones, McKeaveney says companies can offer GSM (mobile network) authentication with USSD or SMS. This option also allows SIM age verification to ensure there has been no SIM Swap, and she adds that this option is also appropriate for those customers who prefer not to use apps.
The USSD option has already been successfully implemented by African Bank, which was spending up to two minutes per call just on caller verification before they implemented the new Entersekt system. McKeaveney also points out that companies can make use of both systems, using one as a fallback option.
“The wonderful thing about the advances we have made in Context-Aware authentication, is that companies can deploy the best option for each customer. Understanding the customer's context could inform which of the authentication methods is used. If a person is active on the app, then in-app authentication would be ideal. If they are not, then the USSD may be better. We can also see if users are travelling internationally and avoid making any voice calls. There are many different ways for companies to orchestrate a response depending on the channel that they're using and the customer's profile,” she says.
Better security can actually boost customer experience
McKeaveney is quick to point out that not only do the multi-factor solutions add to the security of customer data, but customer service gets a big boost too.
“Customers are frustrated by the knowledge-based authentication process. It’s time- consuming and most of us often can’t remember the last time we used a bank card or what we said our favourite food was. The outdated process is also not in the interest of the call centre. Up-front customer authentication can cut between 15 to 30 seconds off a call. And in some instances, where identity checks have to go through multiple rounds, agents can save more than a minute. Getting the security out of the way before the call means agents can focus on addressing the customer’s issue which makes for a better experience all round,” McKeaveney says.
Given the security and customer authentication gains, it is unsurprising that the Nuestar research found that 60% of financial institutions plan to supplement knowledge-based authentication with multi-factor authentication, and more than one-third of non-financial organisations plan to replace KBA entirely.
“It is the responsibility of companies to keep their customers’ information safe. But they also have a responsibility to protect their call centre agents from fraudsters who are experts at manipulating agents into thinking they are dealing with legitimate callers. When the best security solution also offers the best customer experience, it begs the question of why companies wouldn’t make the change,” McKeaveney sums up.