Blog · 16 Feb 2023

It’s time to replace knowledge-based authentication (KBA) in the contact centre

To stay ahead of increasingly sophisticated fraud, contact centres will need more than traditional KBA methods.

Richard Atherton
Senior Manager, Cloud Contact

Right now, there are more than 24 billion username and password combinations for sale on the dark web – that’s the equivalent of four for every person on the planet.

This vast sea of illegally obtained credentials grows every day as fraudsters develop more sophisticated ways to harvest personal information. This helps them build profiles on potential victims or create synthetic identities to open new fraudulent accounts – and then, the damage continues.

Unfortunately, contact centres are prime targets for obtaining this information. Typically, criminals carry out a range of different exploits – from social engineering and psychological manipulation of agents, to Interactive Voice Response (IVR) mining, which finds flaws in automated systems that reveal customer details.

With so much valuable information getting into the wrong hands, how confident can agents be that any caller is who they claim to be?

To be sure, organisations need to rethink how they authenticate their customers.

Traditional KBA isn’t enough in today’s fraud environment

Many contact centres still rely on traditional KBA as their default strategy for identifying customers, but these measures are also the fraudster’s favourite loophole. Asking security questions or requesting specific personal details only proves that the caller has access to the right information, and these credentials are often available to buy illegally.

To make KBA more secure, organisations establish large libraries of different KBA questions to make their protocols less predictable. But in practice, agents rarely use these banks to their full potential. Instead, they learn from experience that more obscure questions cause issues and slow down transactions. They opt for the ones that accelerate service - especially if they’re under pressure to reduce call handling times.

The flaws in multi-factor authentication

A logical security upgrade from KBA questions is using multi-factor authentication methods like One Time Passcodes (OTPs) that verify device possession in addition to knowledge. But, in recent years, we’ve started to see these measures being bypassed by criminals - 37% of successful fraud attempts in 2021 involved the use of an OTP.

HSBC are just one of the major banks to put out a warning to their customers about fraudsters increasingly tricking people into revealing OTPs. Common methods of accessing OTPs include criminals impersonating a trusted organisation by ringing up customers or sending a ‘smishing’ text that requests the code.

We’re also seeing even more intrusive tactics, such as malware that compromises devices to covertly intercept passcodes as they’re sent out, or SIM swapping, where a customer’s messages are hijacked by assigning their number to a new SIM card - exploits that are very difficult to detect in real time.

Contact centres need to focus on inherence

A more thorough method of authentication is to adopt a multi-layered, as opposed to multi-factor, approach. This focuses on a combination of key qualities which are much harder to separate from the customer, like the inherent, unique characteristics of a caller’s voice. The fact that these characteristics are so personal and individual makes them much more secure than any knowledge-based approach alone.

A passive caller authentication and fraud detection solution provides the first layer of defence, analysing calls as they come in: examining the call signalling and caller behaviour, and comparing the number against a global database of confirmed fraudsters and previously flagged activity.

Then, for calls which reach an agent, a layer of voice biometric authentication can be integrated into the experience. Biometric security analyses inherent characteristics that can only be attributed to a specific caller’s identity — namely, the unique subtleties of their voice and language patterns. These distinct metrics have proven extremely difficult for criminals to replicate, even with the latest deepfake technology. In fact, 80% of consumers ranked biometrics as the safest authentication method currently on the market.

Authenticate with confidence

By combining Nuance Gatekeeper with Smartnumbers Protect, you can upgrade your contact centre authentication to this more secure, multi-layered approach. The solutions work together brilliantly - Smartnumbers Protect analyses calls as they come in, and then once the call is answered or connected to the IVR, Nuance Gatekeeper provides seamless biometric authentication based on the customer’s voice.

This approach can help you improve customer experiences, reduce costs and increase IVR containment through seamless self-service, with considerably less risk.

We’re proud to offer these as part of our world-renowned security portfolio. You can find out more about how we can help you strengthen security by adopting these technologies in your contact centre here.