May 4, 2018
Fighting Fraud With Multifactor ID
by Patrick Cox
Bank customers must use both a physical debit card and a PIN. For increased security, insurers need similar multifactor identification.
Insurance companies, like many other businesses, are extremely concerned – and rightly so – about cyberattacks that could result in the theft of the personal information of customers and employees. To protect themselves against data breaches and other threats, these companies are implementing physical and network security controls that combine the latest technology-based solutions with security awareness training for employees, who are all too often the weak link.
But while these security measures are certainly necessary, they are not enough, because insurance companies also face a second type of risk: the risk that criminals who have gained access to customer information from other sources will use it to hijack accounts.
Most account takeovers occur via social engineering, where fraudsters use hacked customer data they have purchased on the dark web or information they have gleaned from social media to impersonate legitimate customers and trick call agents into making account changes. To prevent this type of fraud, insurers need more robust customer authentication processes.
Many insurance companies continue to rely on so-called knowledge-based authentication (KBA) to grant access to accounts, meaning that customers verify their identity by demonstrating knowledge of personal information such as their account number, date of birth, mother’s maiden name and so on. But any business that protects financial assets by authenticating customers in this way is vulnerable to fraud because, thanks to data breaches, criminals have easy access to that information. And the rise of social media means that even the answers to common challenge questions (for example, “What was the name of your first pet?” or “Where did you attend elementary school?”) are often readily available to skilled and patient fraudsters.
See also: Draining the Swamp of Insurance Fraud
The proliferation of customer information on the dark web and on social media means that insurance companies need to rethink how much, if at all, they will rely on customers’ knowledge of personal information to verify their identities. Because criminals have such easy access to customer data, insurers need to implement more reliable ways to identify their customers, whether the contact is via the web, a mobile app or phone.
So how can insurance companies make sure that a person logging in to change account details or calling customer service to initiate a claim is a legitimate customer?
Multifactor authentication is a best practice that adds an extra layer of security to the identity verification process. This approach requires that knowledge (something the user knows, such as a password, a Social Security number or an account number) be combined with at least one independent factor: inherence (something the user is, such as a voice print or retina scan) or ownership (something the user has, such as a trusted phone or a driver’s license). The factors must be independent, so that stealing one does not hand the attacker the other. ATM access is a good example of a type of transaction requiring multifactor authentication: Bank customers must use both a physical debit card (ownership) and a PIN (knowledge).
For increased security, insurers should apply this same principle to their customer authentication processes. Apps and websites, for instance, should not grant account access based simply on user IDs and passwords, both of which can be stolen in a breach, phished or reused from another site. A wide variety of more secure authentication methods are available, and many of them, such as dynamic PIN code generators (hardware tokens or authenticator apps that produce a fresh one-time code every 30 seconds) and printed one-time password lists, are not particularly costly or complicated to implement.
Compared with online access, the phone channel continues to lag when it comes to security. Identity interrogation is still the dominant means of authentication used by customer call centers, and this obviously poses a significant risk in the age of increasingly sophisticated fraudsters who are adept at social engineering.
Fortunately, new tools are emerging that make reliable multifactor authentication possible. One approach is to use the caller’s phone as a physical ownership-based authentication token. With this method, a network forensics system analyzes the phone call within the global telephone network and verifies that the customer is calling the call center from his or her personal phone, rather than trusting the caller ID, which is trivially spoofed. The process is virtually invisible to callers (it requires no action or enrollment) and allows callers to be automatically authenticated before their calls are even answered. With this technology in place, spoofing the caller ID is no longer enough; a fraudster would have to physically steal and unlock the customer’s mobile phone or break into the home to use a landline. These are not easy tasks to accomplish. A practitioner evaluating such a system should still ask how it handles calls that are forwarded, or numbers that have been ported or moved to a new SIM, since those attacks transfer the phone number without touching the handset.
Multifactor authentication can also use biometrics – voice prints, specifically, in the case of phone calls. Voice-biometric systems compare a caller’s voice with a previously enrolled recording of the account holder’s to make an authentication decision. Biometric voice authentication will be one of the ways callers are authenticated in the future, but today there remain several sizable roadblocks to widespread adoption. Most notably, enrolling an entire membership base – obtaining consent and an initial recording from each customer – is a lengthy task for contact centers, and the system must include liveness checks so that a replayed recording of the customer’s voice is not accepted as the customer.
Standing still and continuing to rely on single-factor authentication based on KBA may seem simpler in the moment, but the risks – not only losses to fraud, but also potential penalties from regulators and lawsuits from affected customers – greatly outweigh the short-term discomfort of a technology change, which will ultimately reduce costs and complexity.
See also: Global Trend Map No. 11: Fraud
Consumers are living more and more of their lives online, and they clearly value the convenience and connectedness of the digital world. However, the steady stream of headlines about data breaches in every industry, as well as social media companies’ improper handling of personal information, is rapidly eroding trust. Many consumers have little confidence that their information will not be hacked and fall into the hands of criminals. If insurance companies wish to retain customer trust, they must take information security seriously and implement multifactor authentication.
The good news is that many of the new authentication technologies are not only more accurate than identity interrogation but also result in a better immediate customer experience. Customers who call their insurance company are often already stressed, and they just want to resolve their problem without having to jump through hoops. Reducing reliance on identity interrogation also reduces operating costs, because agents can spend more time helping customers instead of grilling them about their identity. Selecting the right authentication technology can thus be a win-win that results in more satisfied customers and decreased costs.