Contact Center ID Verification Growing More Complex, Costly
Even if not mandated by law, some contact centers are leaning toward stricter caller identification standards, said Ron Settele, product marketing manager for Intervoice. "We are finding the preferred solution is to not have the agent manage verification but to do it automatically. That way, it takes social engineering cons out of the equation."
Have a question for your credit card company? Feel free to call. First, though, you must answer a series of questions -- which can range from your father's middle name to your city of birth to the name of your first boyfriend -- to prove who you are.
Consumers have gotten used to the drill, if not the growing obscurity of the questions (mother's maiden name and social security number are passť). Still, from the consumer's perspective, the logic of the questions isn't a compelling issue.
Of the 43 billion calls that U.S. contact centers will receive in 2007, 41 percent will involve a contact center agent asking identity verification questions at the beginning of the call, according to the report.
This process will take between 20 to 30 seconds to complete -- at a cost to the U.S. contact center industry of US$11.7 billion and more than 11,000 years of contact center agents' time in 2007 alone.
It's a surprising finding, Steve Morrell, principal analyst at ContactBabel, told CRM Buyer. "I think it is a hidden cost for a lot of contact centers. These companies routinely look at their costs -- look at what they are spending on post call wrap-ups, for example, or how to best put the right information in front of the agent. But identification verification is mandated by law in many cases, and certainly expected by the consumer. I don't think many contact centers have paid much attention to that part of the call."
That is changing, for a number of reasons -- including evolving regulatory requirements. Contact centers are realizing that the future time allotted to manual verification will only get longer, Morrell said. "There are better ways for them to spend the money."
The use of voice recognition technologies is one avenue companies are investigating, he continued. While it may seem self-serving for a study that is cosponsored by a voice recognition vendor to promote this concept, Morrell and others in the industry insist it is the next step in tech evolution that contact centers will be forced to master. Indeed, in some cases, it may not be enough to satisfy the more rigorous requirements that are sure to be introduced in the coming years.
For banks, the looming taskmaster is the the Federal Financial Institutions Examination Council (FFIEC), which last year issued a supplement clarifying what it considered to be true multifactor authentication -- the gold standard for secure telephone banking. Basically, it requires verification in two of three categories of factors, including what you know (such as your father's middle name), what you have (such as a token to be inserted in a security device), and who you are (a biometric application).
Voice recognition is part of multifactor authentication, said Steven Gordon, a professor of information technology management at Babson College.
"Almost all call centers use the first factor, what you know, asking the user questions such as their birth date, social security number, favorite pet, or maiden name of their mother," he told CRM Buyer.
"The second factor, what you have, is difficult for contact centers to verify, because they are typically operating at a distance," Gordon acknowledged. "But, if caller ID is available, the contact center can verify that the user is calling from a recognized phone. What the person has, in this case, is a phone."
There are some contact centers -- serving doctors at hospitals, for example -- that require the caller to have a token that displays a password, which changes every few minutes, he added. "If the caller doesn't have this token, the caller will not be authenticated."
Who You Are
Voice recognition and other biometric systems verify the third factor -- who you are. "It is generally impossible to fake someone else's voice," Gordon said. "Typically, the caller is asked to repeat a random phrase so that an impostor cannot use a tape recording of someone else's voice to fool the system . Voice fraud-monitoring systems can also recognize a caller's level of stress, and this can be used to screen potential problems."
The downside is that voice recognition systems do not work well when the caller is hoarse or has a cold. In these cases, Gordon said, the contact center has to rely on other authentication factors.
Even if not mandated by law, some contact centers are leaning toward these stricter standards, said Ron Settele, product marketing manager for Intervoice.
"We are finding the preferred solution is to not have the agent manage verification but to do it automatically," he told CRM Buyer. "That way, it takes social engineering cons out of the equation."
A fraudster might be able to con an agent, he said, but certainly not a machine.