The Call Center and Customer Experience Blog

Court Says Bank Must Pay After Customer Is Hacked

2012-01-23T08:33:00.001-05:00

A Financial Institution Examination Council (“FFIEC”) court ruling last summer is causing banks to reevaluate the risk they may be putting their financial institutions, stock holders and customers for not putting in place a response to phishing attacks.

A US District Judge in Michigan on June 13, 2011 ruled in favor of Plaintiff against Comerica Bank of Dallas, Texas and issued a judgment in the amount of $ $560,000. The court found that the bank did not carry its burden of proving that it had acted in “good faith”, (as required under Uniform Commercial Code (UCC) Article 4A), in accepting and processing the fraudulent payment transfers submitted to the bank, even though the fraudulent transfers were initiated using valid customer credentials.

The fraudulent payment transfers were the result of a phishing-related fraud perpetrated on the Plaintiff. A phishing email tricked the Plaintiff’s employee into entering his confidential secure token identification and other online credentials, which allowed criminals to make 93 fraudulent payment transfers of $1.9 million from the customer’s account. The judge held that the bank had not proven that its employee’s acted in accordance with reasonable commercial standards of fair dealing in processing the fraudulent transactions – a necessary element of proving “good faith” saying, “A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.”

Under UCC Section 4A-202, the customer is responsible for unauthorized transfers if (1) the bank and customer agree that the bank will authenticate transfers through a security procedure, (2) the security procedure is commercially reasonable, and (3) the bank accepted the transfer in good faith.

According to the court, the bank satisfied the first two requirements of UCC Section 4A-202 needed to avoid liability, but the court held a bench trial on the remaining issue of whether Comerica accepted the wire transfers in good faith. The court found the bank had not provided enough evidence of the reasonable commercial standards of fair dealing “for a bank responding to a phishing incident” and Comerica’s compliance with those standards.

Despite the court held that “a bank dealing fairly with its customers would have detected and/or stopped the fraudulent activity earlier,” based on the volume and frequency of the orders, the customer’s limited prior wire activity, the large overdraft, and the destination and identities of the beneficiaries.

The case illustrates the risks of phishing attacks on banks and their customers. Beyond the UCC issues, the case shows the importance of the FFIEC’s June 28, 2011 new guidance on authentication in the Internet environment that may clarify industry standards for dealing with similar attacks. It also underscores NACHA’s (The Electronic Payments Association) efforts to combat corporate account takeover, a form of corporate identity theft where criminals steal online credentials from businesses.

Customers and losing confidence in their banks ability to protect them from loss caused by phishing attacks and similar scams. A follow up blog will address the customer's experience and what banks are doing or not doing to protect their customer's from fraud.

US Court rules a bank can be sued for their failure to adopt multi-factor authentication.

2009-09-22T15:23:00.000-04:00

Late last month an Illinois District Court ruled a bank can be sued for their failure to adopt multi-factor authentication and concluded the bank breached its duty to protect the Plaintiffs' account against fraudulent access, and if the bank's failure to adopt multi-factor authentication caused fraudulent access to plaintiffs' account, it could be held liable for negligence.

In 2007, a hacker gained access to the plaintiffs' online accounts by using the plaintiffs’ username and password. The hacker ordered a $26,500 advance on the plaintiffs’ home equity line of credit, which was transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.

Citizens Bank notified the plaintiffs that it intended to hold them liable for the harm. The online banking agreement between Citizens and the plaintiffs stated "We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." Citizens billed the plaintiffs for the $26,500, and when failed to pay the balance on time, Citizens reported the account as delinquent to credit bureaus, and threatened to foreclose on their home, if the plaintiffs continued to refuse to make payments.

The plaintiffs sued Citizens, claiming that the bank's actions violated the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.), the Truth in Lending Act (15 U.S.C. § 1601, et seq.), the Electronic Funds Transfer Act (15 U.S.C. § 1693 et seq.) and constituted common law negligence.

The Court ruled, "In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access[,]" and if the bank's failure to adopt multi-factor authentication caused fraudulent access to plaintiffs' account, it could be held liable for negligence.”

How does this case help technology providers that address the multi-factor authentication requirement?

Speaking only for the voice biometrics industry, the bank could have installed a speaker verification application for multi-factor authentication. The application replaces the CSR manual account authentication process, and you can read more about this process on by blog at http://glenyou.blogspot.com/2009/08/is-your-contact-center-protected-from.html. Furthermore, each phone or internet voice verification can be recorded, and saved to a file to protect the bank from future multi-factor authentication claims.

There are other methods to address the multi-factor authentication process, but from a practical and cost effective method voice biometrics is the most secure and user-friendly method for banks to protect their customer’s identity and assets.

The $8.3 Billion Case for Multi-Factor Authentication

2009-09-11T13:02:00.000-04:00

A recent study by the Javelin Strategy & Research revealed that 67 percent of US consumers do not bank online because they fear identity theft. Fifty-three percent of those surveyed would like to see their bank’s use identity protection software, and 33 percent would like to see their bank use biometrics. The study concluded that banks could add $8.3 billion per year through customer loyalty by making identity protection software available to their customers.

What is Muti-Factor authentication in an online banking environment?

Multi-Factor authentication (a form of security based on “what you know” and “who you are”) combines two or more different security methods for authenticating a user’s identity. The security method combines “what you know,” password’s, PIN’s, DOB, SSN, mother’s maiden name, and “who you are,” biometrics technology such as voice authentication, fingerprint and iris.

How does voice authentication work in an online banking transaction?

The customer will first need to enroll in their bank’s online banking. After, the customer will need their account number, credit or debit card number issued by the bank, the card’s PIN number, Social Security Number, phone, and internet service to create a voice print.

There are a number of voice biometrics technologies and methods to perform voice authentication for online banking. One common method requires a phone, computer and internet access, the other only requires a computer and internet access.

The first method the customer will need to enroll into the bank’s online banking service. At the end of the enrollment the customer would enter their immediate phone number on the bank’s website to initiate an out-of-band phone call from the bank to the customer and begin the voice authentication enrollment process. The customer will be asked to enroll into the voice authentication system by asking them to repeat a number or phrase to create a voice print. To access the account online the customer will need to enter their account number and immediate phone number on the bank’s website. The bank will launch an out-of-band call to the customer, and the customer will verify their account by repeating a number or phrase. The customer will gain access to the account online, after their voice has been authenticated.

The second method the user would download a small piece of software onto their computer from the bank’s website, after successful completion of their online enrollment. The customer will enroll into the voice authentication software and create a voice print "at" their computer. To access the account online, the customer will need to enter their account number on the bank’s website and click a voice authentication button. The customer will get a pop-up message to authenticate their voice and will verify their account by repeating a number or phrase. The customer will gain access to the account online, after their voice has been authenticated.

Identity Theft Protection and Voice Biometrics Partnership Checklist

2009-08-24T14:18:00.000-04:00

Identity theft protection/identity risk management/risked-based solution providers, add the following to your checklist before partnering with a voice biometrics technology.

- Leadership passion for voice biometrics technology.

- Solid voice biometrics industry experience and commitment.

- Ability to execute a voice biometrics strategy.

- Reputable voice biometrics analyst recommendation.

- Financial services/banking experience and reference able customers.

- On premise IVR (Genesys, Avaya, Nortel, Cisco) integration and delivery experience.

- Experience delivering voice biometrics solutions.

- Contact center experience.

Is your contact center protected from identity theft?

2009-08-09T12:47:00.000-04:00

The FBI calls identity theft one of the fastest growing crimes in the United States and estimates that 500,000 to 700,000 Americans become identity theft victims each year.

In a recent 2008 survey Zogby International found that two-thirds of consumers are worried about identity theft and 43 percent is worried about falling victim to fraud-related crimes. The survey also reveals that 50.6 percent of respondents either was, or know someone who has been a victim of identity theft.

This article is written to help CEO’s understand how identity theft is occurring in the contact center, and multiple levels they can choose to protect their customer’s personal information.

What is identity theft?

The U.S. Department of Justice defines identity theft and identity fraud as all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, for economic gain.

How much is identity theft costing Americans?

The 2009 Identity Fraud Survey Report stated the annual fraud amount jumped 7% from $45B to $48B in 2008.

How is identity theft occurring in the contact center?

Criminals are using social engineering, non-technical methods through human interaction, to deceive the Customer Service Representative (CSR) and obtain a customer’s personal information. For example, a criminal using social engineering would try to persuade the CSR they are the account holder without providing the necessary security information to gain account access. I have met criminals convicted of defrauding well-known citizens of millions of dollars by starting out the conversation by discussing the weather; obtain a single piece of account information, before politely ending the call. The fraudster would call back in a few days; obtain a different piece of account information, before politely ending the call. The process would be repeated until he built a profile to gain access of his victim’s account. He would even call the account holders local health provider to obtain additional information the contact center would not provide him. After the necessary account information was gathered, the criminal would phone the contact center, provide the necessary account information to gain account access, and bilked the account owner. He did this over and over, before getting caught, tried, and convicted.

Consumers are also overflowing with multiple account Passwords/PINs, and are having a hard time managing them. Family, friends, and dumpster divers are the leading culprits for Passwords/PINs compromise. Also, due the amount of account Passwords/PINs to remember, password reset calls are the leading call type into a contact center.

Other reasons for identity thefts are banks using single factor authentication such as name, address, DOB, last four digits of SSN, to gain access of account information. Some or all single factor authentication information can be found over the internet.

How to protect your contact center?

Companies should evaluate Single Factor, Multi-factor, and Risk-Based authentication to determine which degree of security is best suited for their contact center.

Tier 1 or Single Factor/Multi-Item authentication (a form of security based only on “what you know”) is the current standard method for consumers to gain access of their account over the phone or internet. Callers into a contact center are asked or prompted by the IVR to provide their account number and PIN. They may be also asked a challenge question such as their DOB, SSN, mother’s maiden name, and ZIP Code of their mailing address.

The problem with Single Factor/Multi-Item authentication is it can be compromised by social engineering, theft or forgotten by the account owner.

Tier 2 or Multi-Factor authentication (based on “who you are”) is a much secured method for consumers gaining accessing their account over the phone or internet. Tier 1 authentication applies, plus the use of voice biometrics technology.

Voice biometrics is the technology, and speaker verification is the application of the technology. Speaker verification is the automated verification process of a caller based on the callers unique voice characteristics, and replaces the CSR manual account verification process. The call flow begin with the customer phones the contact center, the IVR prompts them to say or key in their account number, after validation of the account number, the speaker verification application prompts the customer to repeat a random or unique identifier such as, a set of numbers, phrase or however, the contact center configures the application. The caller’s speech utterance is compared with an existing voice print, and the call is allowed access into the account or transferred to a live agent.

The automated speaker verification process on average takes 10 seconds with no possibility of a criminal social engineering the process, and the manual account verification process on average takes 50 seconds with the possibility of human interaction. An added value of voice biometrics in the contact center is a reduction in Average Handle Time (AHT).

Password reset is a huge cost to large enterprises and contact centers costing $10 - $40 per reset, and a fully automated speaker verification password reset application average $1 per reset. Other use cases for voice biometrics in the contact center are account inquires, Move/Add/Changes (MAC), credit card activation, money transfer and over the telephone purchases. Finally, voice biometrics technology can be used in the public sector with parolee tracking, and any sector can use it for employee/contractor time in attendance verification.

Surveys have shown customers want this type of technology, if it can reduce identity theft and secure their personal information stored in the contact center. The other important benefit to voice biometrics is the ease of use to securely access their account, no more remembering passwords, resulting in an improved caller experience.

Tier 3 or Risk-Based authentication is the best method for a contact center to deter fraud identity. Tier 1 and 2 authentication applies, plus the use of score-based authentication.

Risk-Based authentication is a layered set of risk solutions that identify potential fraud based on behavior and access patterns. Risk-Based authentication solutions can be scored based on IP-geolocation, behavior and access patterns, calls from a non-account phone number (ANI), high risk location, account changes or MAC, and other high risk activities. The solutions are typically networked as an information-sharing service, and managed by a single vendor.

Call to Action

CEOs should review their contact center caller authentication procedures with their Chief of Customer Service, consider a technology assessment to determine if a higher level of authentication would better protect their customer, reduce cost, and improve their customer experience.

Transform Your Contact Center From A Cost Center To A Profit Center

2009-07-29T14:32:00.000-04:00

CEO’s looking to transform their contact center from a budget line item to a top line profit center should consider the following strategies.

Differentiate your contact center – Customer service can serve as the primary competitive differentiator to solve problems, and Customer Service Representatives (CSRs) should add a personal touch to every interaction.
Become proactive – When customers call with questions or complaints, contact center agents are often unable to answer questions or solve problems because they are unaware a problem exists. Marketing, sales, R&D, product development, field service, finance and legal must proactively inform the contact center so that agents can respond to customers.
Use Key Performance Indicators (KPIs) – Organizations cannot afford to wait until the annual customer survey is completed to assess the current state of service in their contact centers. Customers do not wait until surveys are completed to defect or raise problems. Companies should utilize leading, (customer churn, profitability, wallet share, customer loyalty), rather than lagging KPIs so that they can take immediate action to fix problems. Daily reports on the types of calls from customers should be reviewed by the CEO so that he/she can determine what corporate action, if any, is needed to address problems and concerns.
Focus on the customer, not the agent – Rather than analyzing if agents followed the script, measure their impact on the customer’s experience. Focus on the impact to customer loyalty, rather than the quality of the agent.
Reinforce brand awareness – Each interaction with your contact center represents an opportunity that you can fulfill a promise you have made to the customer through marketing. Customers expect the actions of a customer service representative will reflect your brand. Marketing should educate the contact center how to fulfill the brand promise.

Call to Action

Evaluate your contact center; build on what you have in place and working successfully. There are three strategic actions, which you should consider.

Align your contact center goals and KPIs, with corporate revenue and profits objectives.
Assess your contact center technology infrastructure, procedures and processes, with your goals and KPIs. Check for ROI, and update your technologies to drive top line profits.
Provide comprehensive sales training for your contact center agents.

In summary, do not throw out what is working successfully in your contact center; consider building on your existing strategies. In addition, you need to hire the right people, monitor their performance, and provide coaching to improve their effectiveness. Finally, reevaluate your existing contact center technologies for effectiveness and ROI. Done correctly, this can be extremely profitable – aligning goals, KPIs, training, implementing correct process, and updating your contact center technologies.

Blog Mission Statement

2009-07-13T10:22:00.000-04:00

The purpose for creating this blog is to provide information about internet security to prevent identity theft and theft of corporate data.

Glen is a Vice President of Sales and a 15 year subject matter expert in the Authentication Services and Internet Security fields. His focus has been providing enterprise and contact center solutions to reduce identity theft, and resulting in more efficient company operations while improving the customer experience.

The enterprise pains I address are:

- Negative PR from phishing attacks
- Corporate identity theft
- Fraud cost from data breach
- Disruption to corporate and partner web services

The contact center operations pains I address are:

- Negative PR from phishing attacks
- Customer identity theft
- Online fraud losses
- Disruption to customer web services

The customer’s pains I address are:

- Identity theft and the cost to restore their identity

Glen hopes this forum will develop into a resource allowing companies to prevent identity theft and profit from how they differentiate their services to customers over the internet.