Addressing payment authentication risk in the contact centre

By Grant White

Shifting channel trends create new risks for customers

The ways in which we engage with our financial providers have changed dramatically in recent years. For some time now, banks have been driving more of their customers into direct contact channels – internet browser, mobile app and telephone – ostensibly to reduce costs. Twenty years of digital transformation, and the rise of the smartphone, have accelerated this shift as the range of services available through direct channels, and the willingness of a new generation of customers to engage with them, have both grown.

The COVID-19 pandemic continues to disrupt our lives, and has effectively turbo charged this trend. Shuttered away by waves of lockdowns, banking customers were unable to access branches, and, having learned to deal without them, they have been wary to return. In this way, the pandemic has firmly established direct channels as the primary contact method for banking customers in many developed economies.

Telephone banking is the oldest and most established alternative to branch banking, and while telephone transaction volumes have long since been surpassed by digital alternatives, contact centres remain a vital channel for customer communication. This is particularly true for ‘moments of crisis’, where the customer wants the reassurance of a human voice (e.g. to confirm a large payment has been made, or to confirm that a stolen card has been stopped) and even more so for certain demographic groups.

The 2020 ‘Financial Lives Survey’ published by the UK Financial Conduct Authority (FCA) found that, on average, around one-fifth (19%) of UK consumers had used telephone banking services in the previous 12 months. Only 10% of 18-24s had made use of the service, favouring mobile banking (88%) and ATMs (77%) instead. However, at the other end of the demographic scale, more than twice as many of over-74s (22%) were interacting with their banks by telephone, a rise of more than 50% since 2017 (14%). Indeed, in the face of the rapid disruption caused by the pandemic, for more vulnerable customers in particular, telephone banking emerged as a crucial lifeline connecting them with their finances.

As we approach the end of 2021, banking call centres have arguably reestablished themselves as a critical contact channel. However, telephone contact centre customers also remain amongst the most vulnerable to fraud, owing to a relative lack of robust security when compared to mobile and internet banking. Thanks to the growing use of voice biometrics, the staggering rise in telephone banking fraud seen during the depths of the pandemic has started to flatten. For example, latest data from UK Finance shows losses from telephone banking fraud fell by 7% to £7.3 million in the first six months of 2021, with a 50% drop in the number of reported cases as criminals found it harder to defraud victims and banks. Nevertheless, as Feedzai reported earlier this year, this is off the back of a sevenfold increase in global levels of telephone banking fraud (Q4 2020 to Q1 2021). And so, while progress is being made, there is still much more to do. After all, contact centres are vulnerable to a wide range of fraud typologies and, as one door closes, you can bet that criminals will be pushing on another.

PSD2 and the need for stronger customer authentication

Naturally, as a result of the pandemic, remote interactions with other types of providers – from utilities to retailers and local government offices – have spiked too, and any interaction involving a payment can be a target for fraud. In Europe, the EU’s second Payment Services Directive (PSD2) came into force in January 2019 with the intention of encouraging greater competition and innovation in the payments sector. It also aimed to enhance security and reduce levels of fraud through the introduction of Strong Consumer Authentication (SCA) for electronic payments. SCA has been in place for online and mobile banking for some time now, and will be extended to cover eCommerce transactions in the European Economic Area (EEA) from December 2021, and in the UK from March 2022.

In order to comply with SCA for card payments, firms must adopt a payment security protocol known as 3D Secure, which is baked into security systems such as Visa Secure and Mastercard SecureCode that may be familiar names to anyone who has purchased products online before. The system supports a wider range of fraud signals and also supports the use of biometrics. While it has its critics, the system has become one of the most visible aspects of SCA, with stronger authentication demanding extra effort from consumers undertaking electronic payments.

Under SCA, consumers must provide at least two of the three identity factors listed below:

Something they have (e.g. a physical or fully authenticated app-based random token generator)
Something they are (e.g. a biometric proof, like a voice print)
Something they know (e.g. a password, memorable date or a PIN number)

While most consumers will be familiar with some, if not all, of these methods (e.g. by using Apple FaceID to unlock their iPhone, or receiving a one-time code from their provider via SMS messaging to authorise a transaction) with SCA this doubling up of identity proofs is becoming the standard. And yet, while the added protection afforded by SCA should be good news for consumers, not all transaction types are covered.

Exclusions and exemptions create a further gap for criminals to exploit

While SCA greatly increases the security of authentication for electronic transactions, it carries a number of exemptions. For example, transactions with a value of less than €30 are not covered by the SCA regime, and nor are those below €500 where the merchant has secured a ‘low risk transaction’ waiver and maintains a low average rate of fraud. Other transactions outside of the scope of SCA include direct debit-style repeat payments (i.e. Merchant Initiated Transactions or MITs), so-called ‘One Leg Out’ transactions, where the card issuer or merchant acquirer sits outside the EEA and, crucially, Mail Order and Telephone Order (MOTO) transactions involving contact centre payments. And, to make matters worse, transactions made with anonymous payment instruments, such as prepaid gift cards, are also not subject to SCA. Hence, telephone purchases made with gift card codes present a ‘perfect storm’ for fraudsters seeking to exploit the gaps left by PSD2 and the SCA regime.

So, what happens next? Inevitably, we will see criminals refocusing their efforts on easier avenues of attack to continue to commit fraud, with transactions that are out of scope of SCA being prime candidates. As we noted in a previous blog post Authorised Push Payment (APP) scams, which are complex ruses that sidestep SCA completely, are on the rise. APP fraudsters con unwitting victims into transferring money from their own accounts to accounts controlled by the criminal, utilising a wide range of elaborate techniques. This one type of fraud alone drove more than £400 million in fraud losses for UK customers in 2020, off the back of a 103% jump in incidents since 2017. In this context then, the vast gap in SCA coverage that exists in call centre payments simply makes a difficult problem worse.

Addressing the payment authentication risk in vulnerable contact centres

In APP, fraudsters harvest sensitive information associated with potential victims through call centres, using bots to defeat the bank’s Interactive Voice Recognition (IVR) systems, and social engineering tactics to gain vital security information from contact centre agents. However, as this piece shows, the vulnerability of contact centres extends far beyond this to encompass a range of transaction types that are unprotected by the PSD2 regime, falling outside the remit of SCA.

However, criminals are not having everything their own way. Leading firms are fighting back with new technology to address the vulnerabilities that exist in their telephony channel defences, including the implementation of Smartnumbers Protect. The system provides real-time detection of high risk calls entering the call centre before the call is even answered. This ensures threats of all kinds are quickly spotted and neutralised, allowing fraud operations teams to step in before a crime can be committed. While at the same time providing confidence that the call has not been spoofed so can provide possession-based authentication for legitimate customers.

Stopping fraudsters early in the attack cycle is the best defence against the wall of telephone channel related fraud that has followed in the wake of the pandemic. By being fully aware of the risks, and in particular by not relying on SCA as the only weapon in your arsenal to fight electronic payments fraud, leading firms can better protect their customers and staff, and turn the tables on the criminals.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_182830_12	1 minute	Set by Google to distinguish users.
_gat_UA-182830-12	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjSession_1990635	30 minutes	No description
_hjSessionUser_1990635	1 year	No description
_hjShownFeedbackMessage	1 day	Hotjar sets this cookie when a user minimizes or completes Incoming Feedback so that the Incoming Feedback loads as soon as it is minimized if the user navigates to another page where it is set to show.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_OG_GDPR_COOKIE_	session	No description available.
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description

Addressing payment authentication risk in the contact centre

By Grant White

Consumer Duty is driving contact centre fraud prevention approach

Fraudsters are using the phone more than you realise

In fraud prevention the customer is the weakest link

Smartnumbers doubles down on Amazon partnership through AWS ISV Accelerate Program and Connect Ready designation

Shifting channel trends create new risks for customers

PSD2 and the need for stronger customer authentication

Exclusions and exemptions create a further gap for criminals to exploit

Addressing the payment authentication risk in vulnerable contact centres