Customer Attitudes to Security: The Perception and Reality Gap
Customer attitudes, perceptions and expectations naturally shape the call centre security processes. However, these attitudes don’t always align with perceived wisdom. The Call Centre Management Association (CCMA) embarked on a mission to bridge this knowledge gap. By surveying 1,001 customers, they delved deep into recent experiences and attitudes towards call centre security (https://www.ccma.org.uk/balancing-fighting-fraud-with-customer-experience/).
Join the CCMA’s Research Director, Stephen Yap, and call centre security expert, Matt Smallman, in this illuminating session. Together, they’ll unpack the findings, providing an inside look into the minds of call centre users. Discover the disparities between expectations, perceptions, and the actual execution of security measures. More crucially, grasp the significant implications these have for call centre leadership and the broader Modern Security Community.
In this session, we explored:
Matt is the author of “Unlock Your Call Centre: A proven way to upgrade security, efficiency and caller experience”, a book based on his more than a decade’s experience transforming the security processes of the world’s most customer-centric organisations.
Matt’s mission is to remove “Security Farce” from the call centre and all our lives. All organisations need to secure their call centre interactions, but very few do this effectively today. The processes and methods they use should deliver real security appropriate to the risk, with as little impact on the caller and agent experience as possible. Matt is an independent consultant engaged by end-users of the latest authentication and fraud prevention technologies. As a direct result of his guidance, his clients are some of the most innovative users of modern security technology and have the highest levels of customer adoption. He is currently leading the business design and implementation of modern security for multiple clients in the US and UK.
Matt Smallman: So onto this afternoon’s session and introducing my guest, Stephen Yap. Thank you so much for joining us, Stephen. Stephen is the Research Director at the Contact Center Management Association.
I think I’m getting that I’m sorry if I haven’t. And Stephen is the author of a research study that I look forward to being published every year, because whilst I am fascinated by the technology, it’s so much about the humans and human behavior and human attitudes that is important about how we design and implement security processes.
So Stephen’s survey was published just last month and he’s going to be talking to us today about some of those findings.
Matt Smallman: But before we do that, Stephen, do you just want to introduce yourself? Tell us a little bit about yourself before we get started.
Stephen Yap: Absolutely. Thanks so much for having me, Matt, and congratulations on 16 webinars in your first year.
You’ve set yourself a very high bar, I think, for 2024, or should I say events webinars, events. It is actually the Call Centre Management Association, CCMA, whether or not it should be the Contact Centre Management Association is a subject of hot debate, but that’s another conversation. It is.
But yes. I am, so I am the Research Director for the CCMA. I have the world’s best job. Your job is pretty good, Matt, but I think I have the world’s best job. I talk to people, whether it’s consumers or whether it’s people working in the contact center sector. I get to write about it and now and again I get to talk about it during events like this.
What could be a better job than that? So I do a range of studies and as you said Matt for two years now I’ve run an annual study looking at authentication and fraud in contact centres. And we just published one last month which has yielded some quite interesting findings, which I’m really looking forward to discussing with you, Matt.
Matt Smallman: Awesome. And just how did you find yourself in this space before we start?
Stephen Yap: Oh my gosh. That’s a really good question. So my background is market research. So I’ve been a researcher most of my career a survey researcher because research is a very broad church. Essentially consumer customer insights.
Prior to my current role, I had done a lot of CX research working in the area of both sort of relationship experience as well as voice of customer, more transactional type customer experience. And I began my relationship with the CCMA in my previous role. And one thing led to another and I find myself now representing the CCMA.
I’ve been doing that for the last about four years and it’s it’s really been fantastic. Couldn’t speak more highly of the Contact Center community because I am myself not from that community originally, so I, it’s, I’m a recent sort of entrant into the world of Contact Centers and the people of Contact Centers, and guess what?
People who work in Contact Centers are incredibly helpful and want to help and really agreeable. And tend to be really responsive. It’s a pleasure working in this community.
Matt Smallman: Awesome, thank you. And what would you say, it’s often difficult, being a researcher, because you’re not actually there on the front line where the customer interaction is taking place, but I’m sure if you thought about some of the stuff you’ve done recently, what would you say would be your greatest professional achievement in terms of what impact on customers or the impact of the research that you’ve done?
Any highlights there?
Stephen Yap: It’s a really good question. That deserves a very considered answer. I’ll just give you one off the top of my head. It’s an honour and a pleasure, I would say, to tell the story of Contact Centres, both to people in Contact Centres, but also more broadly. I think our mission at the CCMA is to represent the industry in its best possible way and to tell the great stories that the industry has.
And CCMA does that through many different channels and platforms, awards training standards. And my particular area is through research, which is both quite structured research, as well as more to the journalistic type research, and the contact centre industry is one of those industries that the average layperson or the person who doesn’t work in that industry knows almost nothing about and yet interacts with on a, possibly a, if not a daily and certainly a weekly or a monthly basis.
It’s one of those industries that employs, it’s one of the biggest industries employing a vast number of people here in the UK. Actually, most people don’t know anything about. And if they do have a perception, it’s probably a perception that is influenced by what they might read in the popular media, or as someone said to me, I thought quite aptly 80s sitcoms.
Where contact centres get, if you like, framed in a, what I would consider to be a somewhat non representative and outdated way that they are terrible places to work. Are essentially the modern versions of Victorian workhouses that slave drive and they burn people out and just terrible.
And… There might be still vestiges of that, in a few contact centres up and down the land, that might still exist in in the odd place here and there, but by and large, as somebody who’s come into the community relatively recently, has had the fortune to be able to talk to people at all levels of, not just the people who run the contact centres, but people on the front line and really get under the skin of what goes on I think there’s a lot of stories that, that not only we should celebrate within ourselves as a contact center community, but also I think the sort of the, the lay person, the wider public deserve to hear.
It is an industry that genuinely does a great deal to look after the wellbeing. It’s perhaps the most people, I’ve worked over the years, I’ve worked in many industries. I’ve had the opportunity to see a lot of industries from the inside. And I don’t think I’ve ever encountered a more people first industry than the contact center sector.
And I think increasingly the mission and the sort of the raison d’etre of contact centers, which is to help customers to solve problems, is one that is not only commercially critical, but it’s one that almost has, I would say, has a greater social and societal relevance today in a world that is increasingly uncertain, in a world that has many challenges, particularly as we all know in the last three to five years.
The role that contact centers play to help people get through, their challenges and resolve issues is such an important one. And it’s my, it really is my honor to, to help tell some of those stories.
Matt Smallman: And I think you’re absolutely right, that human aspect, and that’s what we’re going to dig into now, it’s this is humans talking to humans about human problems, and inevitably, they’re going to be solved in a human way.
So the technology is one thing, but it’s people’s understanding of it, their perception of it, and their attitudes towards it, that are so important success. And that goes for both the agent side and the customer side of this interaction. So I would definitely echo those comments, having spent many a year sitting on a contact center floor.
So let’s jump into the survey and its findings. I think that the best way to start is to go to you, Steven, what were the big takeaways from your perspective from this year’s survey, and then we’ll dig into a couple of topics that I personally found really interesting.
Take it away.
Stephen Yap: Absolutely. So just to explain what we did, we, the survey was actually two part. We did a consumer survey of a thousand people, a very representative snapshot of people all across the UK. But we also did depth interviews and had in depth conversations with people working in the contact center sector as well as fraud professionals.
So we got the industry perspective as well as the consumer’s perspective. And we put it all together, if you like. We tried to bring the two together to identify some of the topics and the themes. And I just want to perhaps draw out three of them for now. And the one is very clearly, um, one that was consistently repeated throughout these conversations was the shift, if you like, from third party to first party fraud.
Stephen Yap: So while third party frauds such as account takeovers, people stealing other people’s identities to, fraudsters essentially, logging in, and pretending to be genuine customers, while that is and will continue to be a major part of fraud, what is very much on the up is first party fraud.
So that is fraud that is either knowingly or unknowingly committed by genuine customers who essentially are victims of scams. They’ve been scammed. And often times they don’t even know that they’ve been scammed and so they are, engaging in behaviors which ultimately are counterproductive not only to their providers but to themselves and they don’t even know it. They actually think they’re doing the right thing.
And so that’s a very different strategic challenge, if you like, compared with third party fraud. It’s not necessarily about securing the front door or authentication. It’s much more about identifying scams and protecting customers almost from themselves.
Stephen Yap: The second, broad category of insights that emerged from this research this year was the difference between age groups in terms of two things, broadly attitudes to fraud, but both in terms of their awareness, of fraud attempts. So younger people tend to be more aware or tend to report more frequent attempts at fraud.
Or be aware more often of fraud attempts, and that might be because they’re more, more online, they are users of a wider range of media and so fraud is perhaps more visible to them.
Matt Smallman: So is it worth jumping to the slide on that, Stephen?
Stephen Yap: Yeah, why don’t we do that? Young people are more likely to say they’ve experienced an unauthorized access attempt.
And this is the survey that I mentioned of a thousand people across the UK and I’ve cut the data by age groups. And as with any analysis like this, it’s a generalization. There will always be exceptions, but broadly you can see a trend. You can see in the green bars, the percentage of people saying, No, I haven’t to my knowledge, nobody’s tried to gain unauthorized access to any of my accounts. And you can see among people aged 55 percent 55 plus, that’s 65 percent. And among people aged 18 to 34 it’s almost a half of that, which is 37 percent. So people aged 18 to 34 are significantly more likely to say, yes, I have experienced an unauthorized access attempt.
So that’s one of the, if you like, the demographic differences. But we’ve, I think we’ve got a slide, haven’t we, Matt, that illustrates the other demographic difference. Younger people tend to use fewer passwords. So the question here is, which of the following best describes your approach to passwords?
Do you use the same three or fewer for all of your accounts? Do you use the same three to six for all of your accounts? Or do you use different passwords for every account? And what you can see here is that… 31 percent of people aged 13 to 34 say they use the same 3 or fewer passwords for all of their accounts.
Compared with people aged 55 plus who say, 16 percent who say they use 3 or fewer passwords for all of my accounts. Generally speaking, more mature people tend to have a wider portfolio or repertoire of passwords, and younger people tend to have fewer passwords, which very clearly suggests that younger people have a lower tolerance for friction in the authentication experience.
And I’ve seen this in other areas outside of authentication. Generally speaking, as a rule of thumb, younger people tend to have a lower tolerance for friction in their digital experiences. So they are more likely to want to trade off some security or more likely to be willing to take risks in exchange for less friction, despite the fact that they are, at the same time, more likely to be aware of potential fraud attempts.
Matt Smallman: I just find this fascinating, yeah, that they, at the same time, they are… The biggest victim or they perceive themselves to be the biggest victim, but they knowingly take less measures themselves.
And I don’t know whether that’s, I know there’s some other research that I’ve seen that suggests that particularly in that demographic, there’s a certain kind of abdication of responsibility or a kind of helplessness that they feel that regardless of what other steps they took, they wouldn’t necessarily be able to do anything to mitigate it.
So it’s that security is a cost of doing business and they’d rather have the convenience of fewer passwords.
Stephen Yap: Yeah, I think one of the things I have learned is that seamless experiences are absolutely everything. And that friction in the experience even a little bit of friction, um, will attract attempts to avoid, if you like, avoidance attempts.
Yeah. Particularly digitally savvy people, which, again, the generalization that younger people tend to be comparatively digital savvy. They know, they’ll find ways to get around friction, and if necessary, they’ll just switch provider. If they think that they’re getting too much friction from the experience of a provider, they’ll just find another provider that is, is a more frictionless experience.
And so I think the challenge is getting the balance right between security and friction, knowing particularly that younger customers have a very low appetite for friction.
And just something I want to add here, Matt, is I think there is a common perception that the the customers that are most vulnerable to fraud tend to be older customers, tend to be ones who are less digitally savvy. If you like, there is this trope that that older customers are easier to scam. That may or may not be true. But one thing that I didn’t know before this latest piece of research, and I really only learned through the conducting this research is that equally young customers are extremely exposed.
Partly because as we’ve just discussed, they have a lower appetite for friction and, if you like, a greater risk appetite. So they tend to be more on the, I’ll take risks with my security side of the balance, if you like. But also because, frankly, they do, the younger people, as a general rule, tend to spend more time online.
And a lot of the scams, a lot of the first party fraud attempts are now. We’ve seen the rise of crypto scams, for example, money mule scams targeting highly digitally savvy people. And yes, while perhaps younger people might have less money in the bank and for that reason might not be as attractive to fraudsters, at the same time, a lot of these digital scams are… these sort of get rich quick type scams.
So if you will just help me move this money from one place to another, you can earn a lot of money very quickly. And that’s particularly attractive if you’re a young person with not a lot of money in the bank. So I think we need to revisit our trope, because there is a lot of evidence that younger people, even super savvy young people, are also very vulnerable to particularly first party digital scams.
So that was the point of demographics.
Stephen Yap: I’ll just close off my third point in terms of the themes, from this year’s research. And it’s fair to say this is a good general rule of thumb with any survey research is that you shouldn’t take anything that you see from a survey at face value.
And unfortunately there’s an awful lot of misinterpretation of surveys by people who are taking survey results at face value, whether it’s a political poll or whether it’s any kind of survey, including a fraud survey, you need to try to read between the lines.
And certainly you should never choose your authentication methods based on what a consumer tells you is their preferred authentication method. What was really interesting is we did ask consumers what their preferred authentication methods were. And There’s a big piece here around familiarity. I’ll just explain how this works.
What do these numbers mean? We offered a choice of eight different authentication methods. And just to be clear, we’re talking about telephone authentication here. When you’re calling into… a contact center and you have to prove your identity you can choose many of these authentication methods and which one would you say are most convenient for you.
The way the question was asked was you have 100 points to distribute across all of these eight methods and please allocate more points to the method that you find most convenient. I could go into a long sidetrack around why we ask the question in this way but it’s the best way to ask the question, trust me.
So basically the more points the more convenient consumers consider the authentication method, and as you can see here, the highest score, 20 point 8 out of 100, was allocated to SMS OTPs. And if you compare that with some of the, much less, highly rated authentication methods, we can see Automatic Voice Recognition is on the other side at 6 point 4. Automatic Phone Number Recognition, which… You can make a case to say that either voice biometrics or automatic phone number recognition is actually a lot more convenient than OTPs. It’s a lot more frictionless than OTPs. You don’t have to do anything compared with OTPs. And yet OTPs are considered much more convenient by consumers.
That to me suggests that familiarity plays a huge role in driving consumer perceptions and preference in terms of authentication methods that because we’re so used to OTPs now, we don’t even think about them. We can do them with our system one brains turned on. We don’t actually require conscious effort to execute an OTP.
And if we just go back to the previous slide, Matt I just wanna share a supporting point here. So the question here was, please rate the the each type of provider according to the experience that you have with authentication and the green bars, represent in a dark green, very good, and light green, quite good.
And it’s banks that top the list in terms of consumer perception. So the most positive experience, according to consumers, is with banks. And it’s actually quite far ahead, as you can see here in terms of experience ratings. And you’ve got travel companies on the other side of the equation with the least positive rating, comparatively.
So what’s going on here? Is it that banks are just much better in terms of delivering great, seamless, frictionless authentication experiences? Perhaps. I think that’s probably true to a certain extent. I also think that familiarity is playing a role here because think about how often you interact with your bank versus how often you interact with an airline or an insurance company.
Because we’re familiar, most of us, not all of us, but most of us will now be using self serve methods to interact with our bank, um, we might even be using an app. So just like OTPs, we’ve got used to it because we do it, and we do it so often. And once the familiarity is there, then the positivity starts to follow.
So is it that banks are objectively doing a better job of verification, perhaps? Is it that actually we think that banks are doing a better job just because we interact with our banks more often and we’re just more familiar with their methods? I think that’s also a factor. I believe familiarity is a thing and that also when any provider tries to introduce any new type of experience or method, there’s going to be a period of time when there’s going to be a certain amount of resistance from consumers because of the lack of familiarity.
I think about when ATMs, I’m old enough to remember when ATMs were new and a lot of people were really sceptical. About the security of ATMs. Obviously, now no one ever gives a second thought to the security of ATMs. We know that fraud exists on ATMs, but ATMs are just taken for granted now. It’s just really interesting to unpack that and understand what goes on to drive these perceptions and the importance of familiarity in creating positive perception.
Matt Smallman: These two charts are the ones that fascinate me the most, because I think if we came up with some objective measures for both security and convenience, we’d choose stuff like time, cognitive effort and chance of a bad guy guessing or being let through the process, and we could objectively measure each of those methods and come up with a score functionally based on science and observation, but it’s so far away from what customers really perceive to be going on.
And that’s why, for me, this customer perception of the security process is almost as important as the reality of its execution. Now, the reality of its execution will have an impact on actual fraud or loss or risk, but the perception of whether it’s consistent with what people are expecting or consistent with what they demand has a huge impact on satisfaction and engagement with the process.
And SMS OTP is just this kind of classic I used to, think about how have we have trained customers over the years to equate friction with security to the extent that you could probably replace the 48 percent and the 26 percent with time in seconds to complete authentication on this process.
And you would see that chart because the organizations at the bottom of this chart probably have the shortest authentication processes because they’re the lowest value at risk, et cetera, et cetera. I, it’s just. Just fascinating this disconnect and therefore how important it will be for implementers of new technology and improved technologies to think about this as they communicate and they educate consumers. It’s a huge disconnect between consumer perception and the reality. And that is where we are. So we have to deal with it. So it’s fascinating. And thank you so much for the for the contribution to the discussion on it as well.
Stephen Yap: And just to add to that, Matt, I couldn’t agree more.
And I think. The perception of some friction contributing to one’s comfort level. If it’s too easy, if it’s completely automated, I don’t have to do anything, how secure can it really be?
Perhaps a little bit of security theatre can help to drive perceptions of efficacy, perhaps. But as you said, perception is everything, and it’s all about how, particularly when we are introducing new methods, how do we educate? How do we communicate to consumers? And it’s not just about the customer’s own satisfaction.
It’s also about customers talking to other customers. And we know that reputation, is a key driver here because it drives word of mouth. If people have a good experience with authentication, if people have a bad experience with authentication, then people will talk about it, to other people. So it’s not just affecting the customer’s own perception, it’s affecting potential other customers perception through word of mouth.
There was a prominent television campaign going on from KitKat, which is all built around painful friction within authentication.
It was all built around how many passwords you had to remember and obviously the creative idea was life is hard, life is difficult, life is painful and you need to take a break, therefore have a KitKat. But I just thought that was a really interesting example of how it’s now entered the mainstream consciousness.
It’s an example of how authentication is not just a niche topic that fraud enthusiasts and authentication and security enthusiasts love to talk about. It’s a mainstream topic that drives mainstream debate.
Matt Smallman: The friction is the only thing that the customer can see and experience.
So it’s the only measure they really have of what’s going on. So in service design, we talk a lot about what’s called the line of customer visibility, which is the stuff they, the stuff above the line is the stuff they can see about the process, the communications, the things we say to them and stuff below the line, like almost like the swan on the river.
It’s really ugly underneath the water, but you don’t want to show that to the customer because it gives them a negative impression and so security is one of those things where, by its very nature, you don’t want to show very much to the customer, because it’s also observable by bad actors as well. So the only thing they can observe is friction in their own efforts. So it’s almost natural when you think about it for them to correlate that with the effectiveness of the process.
Now we as professionals know that’s not necessarily true, but it’s so easy to forget when we’re chasing the latest technology that gives us zero seconds of handle time to authenticate people to really high confidence levels.
It’s so easy to forget that. And it does remind me of a story back probably decades ago now that was in a, in an online banking service we could, you could I think someone did buy an oil rig or transferred the money for an oil rig in a corporate structure using a smart card authentication, getting perfectly happy with that, but the transaction to pay their kid’s birthday money was something they wanted to do by phone and speak to a human about, and that they felt there should be a bit more security about it than there actually was, even though we used biometrics and all sorts of things in the background to make sure they really were who they claimed to be. That, that friction just makes it feel secure.
Security theater was a term you used before, which was coined by Bruce Schneier just after 9/11 to describe some of those security things in kind of air travel.
And I’ve long been anti security theater, and I’m certainly anti it in terms of the way in which we use pins and passwords, which have no security value, but an almost pure theater or farce, as I’d prefer to call them. But I think when we’re designing less friction for the experiences, we do definitely need to think about that that aspect of it.
And yeah, this survey just is a classic and I won’t forget it for bringing that point home. Thank you, Stephen, again.
Stephen Yap: I think the distinction between above and below the line is super relevant. And it’s made me think of, it’s not exactly above and below the line, but it’s a slightly, it’s a slightly different idea where as more and more fraud is first party fraud.
It becomes not just about securing the front door and building a big moat. And then once you’re in the castle, you can do anything you want. It’s about actually, you still got to have a moat, you still got to have a locked front door, but you’ve increasingly, as first party fraud committed unwittingly by genuine customers proliferates, it’s identifying fraud once people are in the front door and that’s where analytics and increasingly AI is actually starting to play a role. So using those analytics to identify unusual behavioral patterns, red flagging when people are on a path that deviates from their, if you like, their normal happy path.
And then it goes back, it goes back from below the line to above the line where you’ve got to, you’ve got to bring it in front of the customer. Now we’re familiar with really simple, I think predominantly we’re still doing quite simple implementations of that. We all, most of us, I would say, are familiar with the experience when you’re trying to make a bank transfer using your favorite bank app or online banking interface.
Do you really want to make this transfer? And all the questions that you get asked. And I think speaking for myself, I’m always at the point where I’m now in system one. I just know exactly, I don’t even read the questions. I just know exactly what to take to get me as quickly as possible to the transfer.
But as those capabilities, as those analytics become much more intelligent, we can start to really identify those exceptional behaviors and then escalate it and flag it. And then identify the most appropriate intervention when we think there might be something suspicious going on that isn’t just following a really generic tree, but is actually tailored to an individual customer’s specific profile and behavior.
And that’s interesting. Also, I think interventions are going to be interesting, particularly when the customer is actually unwitting. This is something that came up in the research. There is.
Stephen Yap: There is, if you like, a pressure and a contradiction on the contact centre advisor on the front line whose main job is to deliver a great experience to the customer.
If we’re now asking them to call out the customer as well, who may unwittingly, not to their own knowledge, they might be thinking they’re doing a genuine thing, but we actually think they might be committing fraud. Who actually is the person? What is the right intervention and right communication to the customer?
When that happens, does it have to be, should it be escalated to, should it go back to the fraud team, for example, what is the right language, how do you communicate sensitively and sympathetically to a customer who actually doesn’t know that they’re actually committing fraud?
Matt Smallman: Oh yeah. Oh yeah.
It’s a really, it is a really challenging, challenging area. And I think there’s one other we’ll come back to in a second, which is the kind of the mutual authentication and trust side, but I think when we’re talking about the front door security clearly, and we see some states, certainly in financial services, I think is at now at the point where the reason fraudsters are going to these first party type attacks or going to the customer and getting them to initiate the transaction is because the security has reached a point where that is the easiest path. Lowest effort, greatest reward is currently from targeting consumers.
And the kind of the… the stopgap solution of are you sure this payment is genuine and you’re sending it to the right place is only that, it’s a stopgap. The first time you make that transaction, you might read it. The next time it’s just click click. Oh, it’s gone. Good. But I also have real issues with putting responsibilities on frontline contact center agents, call center agents to make that determination, because it reminds me of just going all the way back to where we were with authentication, maybe a decade ago, where like the customer got the password correct and they answered the demographic correct, characters correct.
But when we listened to it three months later, when the fraud was discovered, it was very obvious that the customer, the caller was not genuine and the agent really should have noticed it and done something about it.
And I think that’s a really unfair load to put on the agents. Like inevitably that’s, organizations do that as stopgaps because it’s quickest to put the responsibility on somebody like that who’s flexible than it is to design systems and processes that overcome it.
But I think you’re absolutely right. It’s the analytics. It’s the out of character transactions that we need to identify and have means of intervening in appropriate ways, and maybe that is the call center agent, but we can’t allow them to, we can’t put responsibility on them to detect the incident.
We have to have tools and analytics that identify it and then prompt the intervention that they’re trained for.
Maybe I can respond to both those points in order. What I’m hearing actually is something slightly different, which is that because fraudsters are becoming so adept at social engineering, and you’re absolutely right to say that the fact is in many situations today, the customer is the weakest link, so rather than try to hack the, the authentication platforms, let’s hack the consumer because it’s just easier to do it that way. And because fraudsters are so adept at social engineering, they are now, it’s not, it’s much easier to get an OTP by social engineering the customer than it is to try to brute force an OTP.
So ironically, it is that also that shift to first party fraud that is undermining the efficacy of traditional authentication methods. And for that reason, many organizations are basically moving away from OTPs, because they’re just no use at securing because it’s so easy to get the customer to tell you the OTP.
So a lot of banks, for example, or financial institutions in general, trying to move towards apps for authentication, which is an environment they can control much more than relying on OTP. So that was the first point.
Stephen Yap: And the second point around the front line. Yeah, I really hope there aren’t any contact centers today who are holding their front lines accountable, because, as you say, it is, that is just a weak, um, supplement to actually designing properly secure systems.
And let’s face it, people on the front line have enough to think about. If you’re working in the contact center on the front line, you’re probably dealing with, if you’re lucky, you’ve got five systems and screens. If you’re unlucky, you left 20. It’s not unknown for contact center advisors.
They’ve got scripts to think about. They’ve got quality measures that they’ve got to worry about. Chances are the customer’s irate talking to them, which is a function of the general environment in which we’re operating, but also the predominance of self serve. Because what’s happened in the last few years when self serve has really become much more commonplace is a whole new class of demand coming into the contact center where… increasingly, customers are being delivered to the contact centre lines in a state of education because they tried to self serve and they failed. We’ve all had that experience. We all know how frustrating it is when you try to self serve your career and you fail and you’re forced to dial in as a result.
And you’re already, your patience is wearing thin by the time you get there.
And then you had to queue to get there.
You had to queue to get there. So on top of all of that, which the frontline has to deal with, then holding the frontline accountable, I think, is nonsense. And the technology exists today, in different states of readiness, but the technology exists today to be able to, as you said, Matt, to flag exceptions and to at minimum provide intelligence to the frontline to say this is this, this might be somebody who you need to escalate.
So we should absolutely not be holding the frontline fully responsible for identifying potentially fraudulent behavior because they’ve got enough to think about.
Yeah, I know I completely agree, but it’s an inevitable knee jerk reaction in some of these situations. Just moving on slightly to a related topic.
The weak spot is the customer, but again, we’ve trained the customer to not be that security conscious. What we call mutual authentication, the act of asserting back to the customer that I am a representative of the organization I claim to be a representative of.
So many customers don’t really think about that when they’re contacted. And that is challenging for both fraud teams who are trying to carry out those interventions, but it also opens a door for fraud via the customer. And I think one area we’ve not really focused on as a, as an industry really is that mutual authentication.
How do we assert back? I saw last week, or maybe it was the week before actually, Monzo Bank doing a really good example out there. They’ve got a new feature in their app: we are on a call with you, or we’re not on a call with you. So you can literally go to your app and if someone says they’re calling from Monzo, you go to the app and it says, yes, we’re on a call with you.
And if it doesn’t say that, then you know you need to hang up and call their security team. So I think there’s still a lot of work to be done in that mutual authentication space. But again, we haven’t trained customers particularly well.
Stephen Yap: The question that came in was for me in the familiarity space, just interested in your insight.
So obviously a lot of people in our audience group are interested in some of these modern security technologies like voice biometrics and phone based authentication. How do we get people to understand the, or how do we improve people’s perception of both the security and convenience that they deliver?
What would you suggest?
That’s a great question. I’ve not, let me start by making another point, which isn’t directly addressing the question, but I think, as, um, the predominance of first party fraud continues to rise, I think there’s going to be, it’s raising questions about biometrics, because obviously biometrics doesn’t protect against first party fraud, it only protects against account takeovers.
Yep. And ID theft. So that’s again where you need to supplement, if you like, the locks on the front door with the right measures when people are in the castle using the analytics that we’ve discussed. How do you educate? I think… for me, there’s a, education is inclusive of not just the right methods that you use for authentication, but increasingly, as we’ve talked about in the current fraud environment, ensuring that people are vigilant against potential scams.
And it does seem to me there is more mainstream coverage of this. I, maybe it’s just because I’ve become, I’ve been doing this research, I’m more attuned to the topic than I used to be, but it does seem that I notice it more perhaps in the mainstream media, which is a good thing, but I think it’s really important to use the right channels in the right language for the audience and going back to the demographic differences that we talked about.
If you’re trying to… educate a younger customer, whether it’s around authentication and protecting themselves or whether it’s about educating them against scams that they might be vulnerable to. You’ve got to use the right channel and use the channels that the fraudsters use. So if the fraudsters are on social media, use social media, use the right language, use the right spokespeople.
The sorts of language and channels and spokespeople that you might use to target someone aged 60 plus is not necessarily the same as you might. You target someone in their 20s. As with anything, the right language, the right medium is really extremely important. And I think there is ultimately no substitute for just making people use it, if you like.
I know that’s not perhaps the most strategic answer but if you put something out there, people, there’s always going to be resistance because people don’t like change and there’s always resistance to the new, but if you stick with it over time, people get used to it.
That’s just a fact and that’s something that I’ve learned to realize is with authentication. You have to obviously put something together, you have to try to get the balance right as we talk about between not too much friction but ensuring that there’s protection within there. But once you decide what the balance is, once you get it out there and, and it’s shown to be effective in terms of protection, then over time people will get used to it.
I guess the question is, once you get it out there, if you’re seeing that you’re losing customers, if you’re seeing that it’s driving lots of negative word of mouth, then perhaps you need to make some tweaks or some changes there. But rather than do huge amounts of testing up front or sandboxing, do in market testing. Do it on the fly. Do it in market. Go live with something and iterate it on the fly.
There are some constraints legally around doing some of those things, but I think you’re absolutely right. You just have to get it out there and in front of people and then let them touch, feel and experience it themselves.
I think that definitely is something though, to the observability points. There’s always a balance between different levels of education, like how much do you tell people about what’s actually happening underneath the scenes versus let them trust you. And we’ve seen very different levels of trust inferred to different types of organizations.
The classic quote I always remember is you own half my house and all my money’s with you, so why wouldn’t I trust you to make the right choice about security for a bank? Versus a telco who is charging me exorbitant fees and all the rest of it. So different levels of trust flow into how people perceive those services as well, which I think is a, is a point that needs to be borne in mind, but yeah, interesting. Good thoughts.
If I could just add, Matt, actually, I think this is a point of view that I’m still cogitating on. Consumers tend to be savvier than we give them credit for, and consumers understand providers doing things for their own protection, but often, I use the example again of the questions when you try to do anything with online banking. Are you sure? Are you sure? Are you sure?
Once you’ve done that for the tenth time, which only takes two weeks for most people, you’ve got used to it and you don’t even pay attention to those questions anymore. You just know exactly what options to pick. So the value of those questions I think very quickly diminishes and yet the friction is still there.
And then it creates a certain amount of, if you like, cynicism on behalf of the consumer. Now, I’m not saying dispense with the front door locks entirely, but I think if we can ultimately create an entry experience or authentication experience that is as frictionless as possible but dial up our ability to identify fraud in the moment as it might be happening, that might be the better way to address the challenge.
Rather than making it incredibly difficult to get in, make it as easy as possible to get in, but make sure that your ability to address the fraud in the moment is as strong as it can be.
I did send you a copy of the book, yeah? That was the best advert I heard in a long time, but yes.
I’ve been reading it.
Maybe it’s in there in my head.
Stephen Yap: Awesome. There was one, we’re just coming up on time and unless there are any other questions, one I’m going to try and, it’s a difficult and potentially controversial one as well.
Stephen Yap: The debate we’ve been having is about these two parties, yeah, an organization that has some assets that need protecting and a consumer or user of those services needs to access them and the potential for a third party bad actor to be involved.
But what we see with a lot of certainly these first party type attacks is that there are other enablers of this whether that be intentionally or unintentionally or just ignorantly whether that be social media networks, whether that be telcos and mobile carriers that are, by absence of action, enabling this fraud to take place and potentially the trust that people have in those organizations is co-incidentally inferred onto people who messaged them from a platform or whose adverts are seen on the platforms or who, which call who, which arrives on the device.
I, I dunno was there any insight from consumers or from call center leaders about, about the role of these enablers?
It’s not a topic that we’ve explored yet. It might be one for a future iteration of the research.
One that I’d need to think about, if I could offer you, in the absence of insights or data, I’ll try to offer you an opinion, and this is very much an off the cuff hot take, and my opinion might change next time you ask me this, after I’ve thought about it some more.
As somebody who believes that, generally speaking, the likes of social networks, um, need a lot more regulation and a lot more oversight than they currently do. I do not in any way buy the, the traditional sort of argument that they’re just dumb pipes, not at all, right?
They are profiting from at the same time as causing an untold amount of harm in many different ways. I’m not sure whether that, having just said that necessarily applies. I think ultimately, it’s, I don’t feel like, if the regulations aren’t there, you can’t blame the social networks or the telcos for doing what they need to do to maximise shareholder value.
It’s up to the regulators and the people who have the power to make a difference, to bring in the regulations, to mitigate against harm.
Now, I think it’s a really valid point as I kind of take my 20,000 foot view of the last decade or so of security and fraud prevention, you can see in financial services in the UK, the US, North America and Europe the burden of work being like the harm is to the harm is to the consumer, but actually the consumer isn’t in a position to do much about it. And it’s the organization, the enterprises that need to take more responsibility for that. And they’ve gradually shifted over time, direct financial responsibility to those losses. And we see that in the UK with APP, the push payment frauds now squarely coming down on, on, on the industry side of responsibility, even though there isn’t. As you say they’re authenticated. They’re authorized by genuine customers.
It’s only when it moves in that way that we actually see the kind of analytical action, the investment, the incentive to do anything because 40 million consumers are not going to spend time, effort and money figuring out how to what’s an exceptional payment or an out of character transaction. It has to be centralized in some way.
So I think it is a role for regulation to, to find out what that right balance is. But, and, but there is a point where there is. There are no more levers to pull.
So if we want to reduce the harm to consumers, then some other levers need to get pulled, I guess is where my kind of head goes on that.
And it’s different, isn’t it? And it’s not all the same. Can we hold a telco accountable for a fraudulent SMS, a phishing SMS? I would argue that’s probably, that is a dumb pipe scenario and the telco has no control.
It’s an SMSs. Yeah. How can you expect the to have any control over the content of SMS? It’s a very different situation when it is a social network that accepts a paid campaign for what we’ve all seen them. Yeah. On our favorite social networks paid campaign for what is obviously fraudulent content.
What is obviously, inviting, unwitting, a complex area of people. And the social network is promoting that, and they’re receiving money for it, and they’re promoting that, through algorithms. That’s a very different scenario, where I do think there is a lot of accountability.
So it depends.
Stephen Yap: No, it’s very, it is a complex area. I’m sure we’ll come back to it as well. Stephen, thank you so much for joining us this afternoon. Again, thank you for your contribution with this research. It is, for all of us who spend our days and lives thinking about security. We’re so close to the subject that we just miss the bigger picture that the users of the process and technology we design are humans. They have a natural set of biases and tendencies, and actually their perception of the services that we’re delivering is almost as important as the objective functionality of them.
We’ll include a link to the CCMA’s website and how to download that in the email we send out afterwards, and I do encourage you, we’ve only just shown a snippet of the findings that the team came up with, so please download that and have a look at the detail.
I just want to thank everyone else who’s joined us this afternoon. Thank you so much again for everything in 2023, and we will see you sometime in 2024 with the next edition of the Modern Security Community.
So thanks very much for joining us, everyone, and have a great afternoon.