Introduction
In the 16 years since the iPhone was launched, the smartphone has moved from a handy communications device to the centre of our digital and physical lives. For better or worse, your mobile phone is now the key to your friendships, finances and maybe even your home. When we need help, if we can’t find it online, we will almost certainly use the device already in our hands to call for help.
So why is it that most organisations treat calls to and from these devices as if they were from dumb old handsets? Soon-to-be-published research suggests that more than 80% of inbound phone calls to organisations originate from mobile phones. So why has adopting Mobile First Security been such a challenge in leveraging these powerful devices to enhance the contact centre experience?
In this article, I’ll explore the limitations of traditional telephone number-based authentication in the call centre, identify the key risks and discuss the approaches for organisations to mitigate them:
Traditional Telephone Number Based Authentication
Using a mobile telephone to provide authentication is most often a form of possession-based authentication. We want to make sure that the caller is in possession of the device and, by doing so, increase our confidence that they are who they claim to be. There are three main approaches in use today:
Caller Line or Automated Number Identification
Very few genuine consumers now withhold their phone number when calling organisations, and regulatory requirements for number portability mean that most customers now keep the same number for a lot longer than they keep the same address. This makes customer’s mobile phone numbers an ideal universal identifier.
There are, however, two significant risks when relying on an incoming phone number to assert a customer’s identity:
- SIM Swap – The number is no longer in possession of the genuine customer. In practice, the number is the property of the phone network, and they can reassign it to a different device if they want. From compromising retail employees to tricking the telco call centre, there are many ways a fraudster could trick a telecommunications provider into assigning the number to a different SIM card and device.
- Spoofing – The network is tricked into presenting a specific number even though the call didn’t originate from the genuine user of that number. Fraudsters most often use overseas or telecommunications providers with lax identification processes to achieve this. Very few organisations receive calls from maliciously spoofed numbers today, but I suspect that’s mostly because there is little incentive for fraudsters to do so. The same can not, however, be said for consumers who are frequent recipients of spoofed calls despite attempts by regulators to reduce them.
Finally, it must be said that even if you are certain the number is genuine and still associated with the device, there is still the risk that the device has been physically stolen or that another (often related) party has gained access to it. This is a challenge of all possession-based authentication methods.
It can, therefore, be invaluable for identification but shouldn’t be trusted for authentication without investing in spoofing detection services.
SMS One-Time Passcodes (OTP)
We are all now familiar with the four, five or six-digit numbers being sent to us as text messages. Whilst these started with online and mobile apps, they can also be used in call centres and voice self-service systems to confirm a caller’s identity. As a result of the user repeating the code to the agent or IVR, we can have some confidence that they are in possession of the device to which we sent the message.
Unfortunately, as the sender, you don’t actually know where it was delivered to, so it could have been intercepted or diverted somewhere in the network without you knowing. The above SIM Swap attack also means that the device may no longer even be in control of the genuine customer, and finally, it’s hard to be sure your customer hasn’t unwittingly provided it to a third party who is just relaying it to you.
It’s also quite a poor user experience for the customer, who has to contort themselves to read a code, repeat it, or re-enter it all while trying to talk to someone on the same device. Your expensive agent also has to hang around waiting for the customer to receive the message and then repeat it.
Secure Call or Click to Call
The most effective current use of customers’ mobile phones as a key to unlock customer service is through secure call features built into organisations’ mobile apps. This approach can leverage all of the security features available to the app (including inherence-based authentication like fingerprint or facial recognition) to create a secure communications tunnel using either a data connection and Voice over Internet Protocol (VoIP) or the device’s own dialler to make an inbound call to a special contact centre number that can then be authenticated with an audible code.
Many banks and financial services firms have implemented these capabilities into their apps, and they are enthusiastically used by a significant minority of customers. Unfortunately, some customer are almost too enthusiastic in their use, calling more often than they would otherwise have done. For organisations whose customers install their apps, the biggest challenge is that customers often don’t know the feature exists, and when they do, they don’t always use it.
Many organisations, however, have far lower levels of day-to-day engagement than retail financial services, so if they have their own app, the number of customers installing it and completing the required set-up process, let alone the above challenges of knowing the feature exists and remembering to use it means that they are unlikely ever to represent a significant volume of calls. For some, this may be the answer, but for many customers, this is not Mobile First Security.
Best Practice: Use mobile phone numbers to identify (but not authenticate) callers
Using the incoming phone number to remove the often cumbersome identification step from your call centre security processes is still possible. If you can avoid asking your customers for impersonal account or reference numbers when they call, you will improve their perception of the experience and increase your chances of successfully automating the call by avoiding keying or speech recognition errors.
You should, however, ensure that your subsequent authentication processes are strong enough for the types of calls you take. If your organisation deals with higher-risk calls, you should also make sure that the automated treatment of recognised and unrecognised numbers doesn’t tip off fraudsters using spoofed numbers that the caller is an account holder without other authentication.
Network Authentication is the Key to Mobile First Security
The answer to these problems is a set of technologies, which I refer to as Network Authentication. Using data from the telephone network and device to increase confidence that the caller is calling from the device they claim to be calling from or to identify suspicious behaviour. There are two different approaches to this:
Signalling and Behavioural Analysis
As well as the number you get, a huge amount of additional data is associated with each call, allowing the network to route the call and maintain the connection between your call centre and the customer’s device. By analysing patterns in this data, it is possible to ascertain whether the caller is who they claim to be or a fraudster pretending to be your customer. Even if you are not using the number as part of an authentication process, this approach can also help identify suspicious and potentially fraudulent callers. It even works for fixed line numbers. I discussed this technology in far more depth with Chris Wade from Smartnumbers in the Modern Security Community session (Network Authentication and Fraud Prevention 101).
Deterministic Checks
As the often eye-watering price makes clear, mobile phones are packed with some of the most sophisticated electronics available, and your monthly airtime bill maintains huge amounts of network infrastructure. Whilst telecom providers have always been able to make sure that only correctly authorised devices can make calls and that everyone who helps route the call gets paid, it’s historically been very difficult for anyone else to access this information.
There are two basic checks that network operators can allow end users to conduct that mitigate the two risks. A SIM Swap check can tell whether the number has been reassigned recently, and an on-hook check can tell whether the number is currently engaged in a call and sometimes what direction the call is (i.e. did the phone really call out or has it received an inbound call). So that you don’t have to maintain a relationship with every carrier and telco, these services are often aggregated together and resold by intermediaries who may also have other useful data relating to the number, such as the user’s name and address, their porting history, roaming and divert status.
These services are available today from aggregators like Telesign and Transunion and CCaS providers like Vonage and Twilio. There is also an emerging set of capabilities, such as Silent Authentication, which I talked to Vonage about in our Modern Security Community webinar, The Power of Mobile Authentication. This is a significantly more secure and easier-to-use replacement for in-app SMS OTP verification, but as it depends on the user being “on-net” (connected to the carrier’s data network), it’s not easily applicable to the call centre use case.
However, a range of standards being developed by the industry under the CAMARA Alliance should significantly increase the applicability of these tools in the future. Deutsche Telekom’s partnership with Vonage’s (link) is, hopefully, just the first wave of these.
Conclusion
In a world where mobile phones are central to our daily interactions, it’s time that organisations adopt Mobile First Security in their call centres. Traditional methods are rapidly becoming obsolete, and Network Authentication technologies stand as the modern answer for secure, streamlined caller verification. As customers grow accustomed to the seamless experiences provided by apps, the pressing question for organizations is not whether to adopt Mobile First Security but how quickly they can implement it to uphold customer trust and fortify security.