
A Cloud-Based Approach to

INTELLIGENT AUTHENTICATION
May 2020
Dan Miller, Lead Analyst & Founder, Opus Research

Opus Research, Inc.


893 Hague Ave.
Saint Paul, MN 55104

www.opusresearch.net

Published May 2020 © Opus Research, Inc. All rights reserved.

50 Shades of Phone-Based Fraud: Pandemic Edition
There’s nothing like a first-ever global crisis to expose pre-existing performance problems and known security
vulnerabilities in the customer care fabric of brands around the world. According to a survey of contact center
managers conducted by ContactBabel in April 2020, agents working from home accounted for only about 14%
of seats at the beginning of 2020. By mid-April that figure had jumped to 87% and respondents expected that
total to stabilize at around 71% by mid-June.

As thousands of companies around the world scrambled to keep their customer care lines active, millions of
customers struggled to get in contact with their agents to change travel plans or modify payment terms for credit
balances, home loans and all manner of goods and services. Conditions will stabilize as both customers and
agents reach a new equilibrium. However, the short, dramatic imbalance exposes what security experts refer to
as an expanded “fraud attack surface” for criminals bent on gaining illegal access to an individual’s personal
account information or entitlements.

Common customer queries like “Can I get a refund?” “What are my healthcare options?” or “Tell me my balance
and whether I can change my payment terms” all share several attributes. They are complex, time-consuming
and involve personal information. In their rush to please customers or clients, even the best agents (some would
say “especially the best agents”) can pay short shrift to posing those nagging challenge questions in order to get
down to business. In a long-standing cat-and-mouse game, criminals employ variations of “social engineering”
to gain fraudulent access to existing accounts and personal information.

When the worst of the pandemic is over, we will learn which changes in common practice and workflows have
staying power. Agents will return to brick-and-mortar contact centers replete with Plexiglas barriers and wide,
well-marked walkways that enforce the six-foot distancing rules. Just as the flows of indoor foot traffic will
be permanently altered, the workflows for both agents and customers will be permanently changed as well,
including the introduction of swift, strong and “adaptive” caller authentication and fraud reduction.


Phone-based fraud saw an upswing as well. Account takeover fraud, for instance, was already showing year-
over-year increases in 2019 over 2018, up 26% for major credit cards and as high as 78% for new payment
services like PayPal. Yet 2019 also witnessed less frequent, but more ominous unauthorized access to highly
personal customer records. The number of data breaches increased by 17% and involved exposing over 164
million instances of PII. This was a significant reduction in total exposures, but 2018 results were distorted
because a single breach of data at Marriott Hotels alone exposed 383 million personal records.

Social Engineering is the Starting Point


A recent poll of more than 1,000 Americans (18 and over) conducted by the Global Fraud & Identity Solutions
group at TransUnion showed that one-in-five had been targeted by online fraud related to COVID. The finding
corresponded with a measured 347% uptick in “account takeover” and 391% increase in shipping fraud
attempts, comparing 2019 results to 2018. The roots of these nightmare outcomes are most often traced to
phishing efforts involving email, hacking mobile phones or skimming data through card readers.

Fraudsters take advantage of the goodwill of conscientious agents using a technique called “social engineering.”
A number of companies have shared call recordings with Opus Research that demonstrate how easy it is for
criminals to charm agents or otherwise fool them into providing enough information to complete an account
take-over. They may know an unwitting person's name and address after picking a receipt out of the
garbage. A call center agent may then provide “the last four digits” of a credit card number in the course of
an aborted sales call. With that information a fraudster may have all he or she needs to complete a purchase
through an e-commerce site or another vendor’s contact center.

Successful social engineering in contact centers enables fraudsters to change online passwords, PIN numbers
or email addresses. They can use this information to obtain a new credit or debit card, add a new user to an
existing account or even make changes to the physical address to which goods are delivered.

Spoofing and Virtual Calling Evolve


Contact center operators have long been on the look-out for spoofed ANI. “ANI” stands for Automated Number
Identification and it is the enterprise version of Caller ID. Yet the sort of ANI-spoofing used by criminals with
scare tactics surrounding auto warranties, social security eligibility or IRS violations is archaic when compared
to evolving techniques that migrate voice traffic to “virtual networks” that mask their true location, be it Africa,
Eastern Europe, or anywhere.

Voice biometrics-based caller authentication has also proven effective for authenticating a caller’s claimed
identity by matching characteristics of the caller’s voice and speaking patterns with stored voiceprints or profiles
in the course of a conversation. There are also solutions that detect suspicious attributes, such as background
noise or an echo that signals suspicious origin.
These calls can be detected and directed away from IVRs or live agents where fraudsters try to gain illicit access
to customer data.

DeepVoice and DeepFakes Pose Growing Threats


In the face of hardened defenses against fake ANI and virtual calls, fraudsters have moved on to employ highly
refined synthesized voices (known as DeepVoice) to fool rudimentary fraud detection and call handling systems.
The technique came to global attention when a commercially available system was used to fool an aide to
a large company’s chief executive officer to transfer hundreds of thousands of dollars to a fraudster’s bank
account. That set off a chilling feeling among contact center managers at large financial services companies. As
criminals continue to refine their techniques, Opus Research counsels contact center operators to employ a
combination of voice and other biometrics with fraud detection resources and call-handling logic to protect their
customers from the latest fraud.


That means it is more important than ever to employ technologies that detect synthetic voices as attackers shift
from using IP-telephony channels to spoof existing numbers to These are legitimate calls that can be placed
from many devices from anywhere in the world. This anonymity makes them the perfect choice for criminals.
And because they are legitimate calls, they easily bypass older technology built to find spoofed calls. Modern
authentication solutions must identify 100% of virtual calls in order to be effective.

The IAuth Checklist


The threats described above are taking shape in the context of Conversational Commerce. Customers or
prospects initiate voice calls as part of ongoing, asynchronous conversations that span search, social networks,
websites and mobile apps. When they finally pick up the phone or click on a voice link in a mobile app, they
want to be accommodated quickly and authenticated with zero effort.

To fulfill on that promise, contact centers must incorporate solutions that adhere to the following attributes:

Real-time
Risk-aware
Adaptive
Multifactor (including behavioral)
Multilayered
Creates a “blacklist” of known imposters’ voices
Deployed within the contact center infrastructure

• Real-time: Stopping imposters requires continuous vigilance that enables companies to detect imposters
in real-time, 24 hours a day. It must do so seamlessly (from both the caller and the agent’s point of view)
and at scale.


• Risk-aware: Refers to the ability to recognize the level of risk associated with a user (the level of confidence
that the person is who he or she claims to be) as well as the actions of that user. For example, checking a
bank balance involves less risk than a command to transfer a large sum of money out of an account.

• Adaptive: With criminals developing new ways and approaches to spoofing authentication systems, it is
important to have a mechanism to respond to the latest criminal techniques in the perpetual cat-and-mouse
game between companies and imposters.

• Multifactor: Passwords and challenge questions are “something you know,” a set of factors that are falling
out of favor because they are time consuming and sometimes hard to remember. “Something you have”
refers to another set of factors that, in enterprise settings, often referred to physical dongles that could
display one-time-passwords. But increasingly, this refers to the smartphone that originated a call. Biometrics
are “something you are” and include voice, fingerprints or face recognition, but “behavioral biometrics” are
gaining importance as solution providers are able to recognize different ways that people hold their phone or
key-in information.

• Multilayered: In the proper circumstances, an individual may be subjected to multiple authentication
methods. It often refers to “step-up” procedures that require a caller to answer a question or provide new
biometric input in order to carry out a particular activity. It can also refer to the use of multiple factors and
protocols to discourage false acceptance of imposters or false rejection of legitimate customers.

• Blacklist: On the fraud prevention side of the line, a solution provider should have the ability to analyze
inbound calls and their outcomes in order to identify frequent callers who are known imposters. Their
attributes should be stored and tagged as “known imposters” whose future calls are escalated to fraud
prevention personnel or resources.

• Deep Integration (with contact center, CRM, Analytics, WFO resources): Combining caller authentication and
fraud prevention has real advantages for companies looking for opportunities to improve agent efficiency
and customer satisfaction without sacrificing security. Imposters are getting very sophisticated, and
countermeasures to their success involve the use of algorithms and rules that govern call routing, agent supervision
and, soon enough, automated virtual assistants or chatbots.
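
The checklist attributes above, combined into a single call-handling decision, as an added example that is not part of the original report or of any vendor's product. The signal names, weights, thresholds and action tiers are constructed assumptions; the report states only that a balance check carries less risk than transferring a large sum.

```python
from dataclasses import dataclass

# Constructed risk tiers: minimum identity confidence required per action.
ACTION_RISK = {"check_balance": 0.2, "change_address": 0.6, "transfer_funds": 0.9}
BLACKLIST_THRESHOLD = 0.8  # assumed similarity cut-off for a "known imposter" voice


@dataclass
class CallSignals:
    voice_match: float      # 0..1 similarity to the claimed customer's voiceprint
    device_known: bool      # originating phone previously tied to the account
    blacklist_score: float  # 0..1 similarity to the closest known-imposter voiceprint
    synthetic_voice: bool   # synthetic-speech detector fired
    virtual_call: bool      # call arrived over a location-masking virtual network
    speaker_changed: bool   # speaker changed during the conversation


def decide(sig: CallSignals, action: str) -> str:
    """Return 'allow', 'step_up' or 'escalate' for one requested action."""
    # Blacklist hits and hard fraud indicators go to fraud-prevention staff.
    if (sig.blacklist_score >= BLACKLIST_THRESHOLD
            or sig.synthetic_voice or sig.speaker_changed):
        return "escalate"
    # Multifactor: "something you are" plus "something you have".
    confidence = 0.7 * sig.voice_match + (0.3 if sig.device_known else 0.0)
    if sig.virtual_call:
        confidence -= 0.3  # masked origin lowers confidence
    # Risk-aware: an unlisted action is treated as the highest tier.
    required = ACTION_RISK.get(action, 1.0)
    # Multilayered: insufficient confidence triggers a step-up challenge
    # instead of an outright rejection of a possibly legitimate customer.
    return "allow" if confidence >= required else "step_up"


if __name__ == "__main__":
    # Constructed sample call: good voice match from an unrecognized phone.
    caller = CallSignals(0.9, False, 0.1, False, False, False)
    for act in ACTION_RISK:
        print(act, "->", decide(caller, act))
```

Passive signals let low-risk requests through silently, while the same caller is challenged only when the requested action outweighs the confidence gathered so far.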

Why Move to The Cloud


Cloud-based contact center and CRM resources played an invaluable role in business continuity efforts during
the hectic days that started in March 2020. At that time, the move to cloud was already well underway. In
the prior three years, the number of agent seats powered by CCaaS had been growing at over 30% annually.
ContactBabel’s survey reflected an additional bump in the number of firms moving to cloud-based resources,
especially among medium-to-large companies. Respondents cited “Improved Scalability”, “Disaster Recovery
Planning” and “Increased Functionality” as the top three reasons for the move, reflecting the fact that the long-term
trend toward cloud-based solutions attaches greatest value to flexibility, saving capital expenditures and
the ability to add new capabilities.

Cloud-based deployment models enable companies to employ the levels of computer processing required to
support strong, continuous authentication and fraud prevention. In the cloud, fraud detection, risk assessment
logic and biometric-based authentication can be deployed in conjunction with core telephony, contact center
operations and CRM systems.

Cloud-Based Solutions Rise to the Challenge


The threats described herein are both dynamic and fast-changing. Technologies that respond to those threats
must be equally robust and agile. They must detect and, ideally, predict criminal activity and do so in ways
that do not disrupt the activities of legitimate customers. Contact center operators recognize that cloud-based
solutions give them the opportunity to implement the latest technologies for intelligent authentication and fraud-
loss prevention. They do so in a way that conforms with evergreen objectives that include reducing capital
expense, maintaining flexibility to scale up and scale down and recovering from unforeseen disasters, in addition
to tightly coupling call handling and security technologies.

Among those capabilities are resources for heightened security and fraud prevention. Fraudsters keep
upping their game by introducing new threats that combine human ingenuity and technological innovations
to fool contact center representatives. Contact center operators must exhibit heightened flexibility to combat
emerging threats. Flexibility and innovation are recognized hallmarks of cloud-based contact centers. While
these solutions can be offered via premises-based solutions, in the cloud, authentication and fraud detection
resources can be deeply integrated with robust resources that support call routing, workforce optimization,
analytics, automation and artificial intelligence.

Different Flavors of the Cloud


NICE's Real-Time Authentication and Fraud Prevention (RTA) solution supports different flavors of the cloud to
support the needs of contact centers in their journey: from full CCaaS to hosted solutions.

NICE's CXone is the only CCaaS suite offered by a contact center solution provider that includes a real-time
authentication solution (branded "Customer Authentication") and workforce optimization (WFO) apps, in
addition to the basic IVR and call routing functions. Introduced in 2017, its basic capabilities are foundational
for providing a high-quality customer experience and high levels of agent productivity, thanks to the ability to
understand and respond to each caller’s intent. It also offers a fast time to value, given that the solution is part of a full
CCaaS offering that includes the telephony and the CRM.

In addition, RTA can detect that a voice on a call is not natural. By leveraging the machine-learning aspects of
the Fluent biometrics' engine, the model "learns" to detect synthetic speech. To date, none of the synthesizing
software available was able to fool RTA. Moreover, NICE's RTA can outsmart such tools by detecting that the
speaker has changed during the conversation.


The solution also performs what it calls “proactive fraud detection” to detect call attempts by repeated
fraudsters. It is able to build a “blacklist” of known fraudsters and prevent them from carrying out their nefarious
activities. It also pursues an approach that exposes unknown fraudsters, based on behavioral analytics of
existing call recordings to detect repeat callers, even if calls originate from fictitious numbers.

Now NICE customers can authenticate their customers in the background so that an agent can say “how may
I help you?” instead of “what’s the name of your first pet?” That’s a big stride toward Intelligent Authentication
(IAuth).

About Opus Research


Opus Research is a diversified advisory and analysis firm providing critical insight
on software and services that support multimodal customer care. Opus Research
is focused on “Conversational Commerce,” the merging of intelligent assistant
technologies, conversational intelligence, intelligent authentication, enterprise
collaboration and digital commerce.

For sales inquiries please e-mail info@opusresearch.net or call +1(415) 904-7666

This report shall be used solely for internal information purposes. Reproduction of this report without prior written permission is
forbidden. Access to this report is limited to the license terms agreed to originally and any changes must be agreed upon in writing.
The information contained herein has been obtained from sources believed to be reliable. However, Opus Research, Inc. accepts no
responsibility whatsoever for the content or legality of the report. Opus Research, Inc. disclaims all warranties as to the accuracy,
completeness or adequacy of such information. Further, Opus Research, Inc. shall have no liability for errors, omissions or
inadequacies in the information contained herein or interpretations thereof. The opinions expressed herein may not necessarily coincide
with the opinions and viewpoints of Opus Research, Inc. and are subject to change without notice.