12th November 2021
Mind the gap: addressing payment authentication risk in the contact centre

By Grant White

Shifting channel trends create new risks for customers

The ways in which we engage with our financial providers have changed dramatically in recent years. For some time now, banks have been driving more of their customers into direct contact channels – internet browser, mobile app and telephone – ostensibly to reduce costs. Twenty years of digital transformation, and the rise of the smartphone, have accelerated this shift as the range of services available through direct channels, and the willingness of a new generation of customers to engage with them, have both grown. 

The COVID-19 pandemic continues to disrupt our lives, and has effectively turbocharged this trend. Shut away by waves of lockdowns, banking customers were unable to access branches, and, having learned to manage without them, they have been slow to return. In this way, the pandemic has firmly established direct channels as the primary contact method for banking customers in many developed economies.

Telephone banking is the oldest and most established alternative to branch banking, and while telephone transaction volumes have long since been surpassed by digital alternatives, contact centres remain a vital channel for customer communication. This is particularly true for ‘moments of crisis’, where the customer wants the reassurance of a human voice (e.g. to confirm a large payment has been made, or to confirm that a stolen card has been stopped) and even more so for certain demographic groups. 

The 2020 ‘Financial Lives Survey’ published by the UK Financial Conduct Authority (FCA) found that, on average, around one-fifth (19%) of UK consumers had used telephone banking services in the previous 12 months. Only 10% of 18-24s had made use of the service, favouring mobile banking (88%) and ATMs (77%) instead. However, at the other end of the demographic scale, more than twice as many over-74s (22%) were interacting with their banks by telephone, a rise of more than 50% since 2017 (14%). Indeed, in the face of the rapid disruption caused by the pandemic, and for more vulnerable customers in particular, telephone banking emerged as a crucial lifeline connecting them with their finances.

As we approach the end of 2021, banking call centres have arguably re-established themselves as a critical contact channel. However, telephone contact centre customers also remain amongst the most vulnerable to fraud, owing to a relative lack of robust security when compared to mobile and internet banking. Thanks to the growing use of voice biometrics, the staggering rise in telephone banking fraud seen during the depths of the pandemic has started to flatten. For example, the latest data from UK Finance shows losses from telephone banking fraud fell by 7% to £7.3 million in the first six months of 2021, with a 50% drop in the number of reported cases as criminals found it harder to defraud victims and banks. Nevertheless, as Feedzai reported earlier this year, this follows a sevenfold increase in global levels of telephone banking fraud (Q4 2020 to Q1 2021). And so, while progress is being made, there is still much more to do. After all, contact centres are vulnerable to a wide range of fraud typologies and, as one door closes, you can bet that criminals will be pushing on another.

PSD2 and the need for stronger customer authentication

Naturally, as a result of the pandemic, remote interactions with other types of providers – from utilities to retailers and local government offices – have spiked too, and any interaction involving a payment can be a target for fraud. In Europe, the EU’s second Payment Services Directive (PSD2) came into force in January 2019 with the intention of encouraging greater competition and innovation in the payments sector. It also aimed to enhance security and reduce levels of fraud through the introduction of Strong Customer Authentication (SCA) for electronic payments. SCA has been in place for online and mobile banking for some time now, and will be extended to cover eCommerce transactions in the European Economic Area (EEA) from December 2021, and in the UK from March 2022.

In order to comply with SCA for card payments, firms must adopt a payment security protocol known as 3D Secure, which underpins schemes such as Visa Secure and Mastercard SecureCode, names that may be familiar to anyone who has purchased products online before. The protocol supports a wider range of fraud signals and also supports the use of biometrics. While it has its critics, it has become one of the most visible aspects of SCA, with stronger authentication demanding extra effort from consumers undertaking electronic payments.

Under SCA, consumers must provide at least two of the three identity factors listed below:

  • Something they have (e.g. a physical or fully authenticated app-based random token generator)
  • Something they are (e.g. a biometric proof, like a voice print)
  • Something they know (e.g. a password, memorable date or a PIN)

While most consumers will be familiar with some, if not all, of these methods (e.g. by using Apple FaceID to unlock their iPhone, or receiving a one-time code from their provider via SMS to authorise a transaction), with SCA this doubling up of identity proofs is becoming the standard. And yet, while the added protection afforded by SCA should be good news for consumers, not all transaction types are covered.
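The point that is easy to miss in the "two of three" rule is that the two proofs must come from different factor categories: a password plus a PIN is still only "something they know". The following is an added example, not code from the original post or from Smartnumbers, showing how a payment system might classify the credentials presented in a session and decide whether they satisfy SCA. The credential labels (`hardware_token_otp`, `voice_print`, and so on) and the mapping table are constructed for illustration.

```python
"""
Added example (not part of the original post): check that the credentials
presented for a payment cover at least two *independent* SCA factor
categories. Credential labels and the mapping below are constructed.
"""
from enum import Enum
from typing import Iterable, Set, Tuple


class Factor(Enum):
    POSSESSION = "something they have"
    INHERENCE = "something they are"
    KNOWLEDGE = "something they know"


# Hypothetical credential labels mapped to the SCA factor category each proves.
CREDENTIAL_FACTOR = {
    "hardware_token_otp": Factor.POSSESSION,  # physical random token generator
    "app_bound_otp": Factor.POSSESSION,       # OTP from an authenticated app on a registered device
    "sms_otp": Factor.POSSESSION,             # proves control of the registered phone number
    "voice_print": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "memorable_date": Factor.KNOWLEDGE,
}


def factors_present(credentials: Iterable[str]) -> Set[Factor]:
    """Return the distinct factor categories covered by the given credentials.

    An unknown credential label is treated as a configuration error rather than
    silently ignored, so a typo cannot weaken the check.
    """
    found: Set[Factor] = set()
    for label in credentials:
        if label not in CREDENTIAL_FACTOR:
            raise ValueError(f"unknown credential type: {label!r}")
        found.add(CREDENTIAL_FACTOR[label])
    return found


def satisfies_sca(credentials: Iterable[str]) -> bool:
    """True only when two or more *different* factor categories are present."""
    return len(factors_present(credentials)) >= 2


def explain(credentials: Iterable[str]) -> Tuple[bool, str]:
    """Decision plus a human-readable reason, useful for audit logs."""
    creds = list(credentials)
    present = factors_present(creds)
    if len(present) >= 2:
        return True, "SCA satisfied: " + ", ".join(sorted(f.value for f in present))
    missing = sorted(f.value for f in Factor if f not in present)
    return False, (
        f"SCA not satisfied: {creds} cover only "
        f"{len(present)} factor category; need one of: {', '.join(missing)}"
    )


if __name__ == "__main__":
    # Constructed sample sessions.
    for session in (["password", "pin"], ["password", "sms_otp"], ["voice_print", "pin", "app_bound_otp"]):
        print(explain(session))
```

The design choice worth noting is that the check counts categories, not credentials, which is exactly the distinction the list above is making; a system that simply counts "two things presented" will accept a password-plus-PIN login that SCA does not.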

Exclusions and exemptions create a further gap for criminals to exploit

While SCA greatly increases the security of authentication for electronic transactions, it carries a number of exemptions. For example, transactions with a value of less than €30 are not covered by the SCA regime, and nor are those below €500 where the merchant has secured a ‘low risk transaction’ waiver and maintains a low average rate of fraud. Other transactions outside of the scope of SCA include direct debit-style repeat payments (i.e. Merchant Initiated Transactions or MITs), so-called ‘One Leg Out’ transactions, where the card issuer or merchant acquirer sits outside the EEA and, crucially, Mail Order and Telephone Order (MOTO) transactions involving contact centre payments. And, to make matters worse, transactions made with anonymous payment instruments, such as prepaid gift cards, are also not subject to SCA. Hence, telephone purchases made with gift card codes present a ‘perfect storm’ for fraudsters seeking to exploit the gaps left by PSD2 and the SCA regime.
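Seen from a fraud operations desk, the practical question is how much of a firm's payment volume actually falls inside SCA once the exclusions and exemptions above are applied. The following is an added example, not code from the original post or from Smartnumbers, that encodes the scope rules exactly as the paragraph lists them and reports the out-of-scope share of a constructed batch of transactions. The `Transaction` fields and the sample batch are assumptions made for illustration; the €30 and €500 figures are the ones given above. (The real PSD2 regulatory technical standards attach further conditions to the low-value exemption, such as cumulative transaction counters, which are not modelled here.)

```python
"""
Added example (not part of the original post): classify card transactions
as in or out of scope of SCA using the exclusions and exemptions listed in
the post, then measure what share of a batch is unprotected.
Field names, thresholds' application and the sample batch are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

LOW_VALUE_LIMIT_EUR = 30.0      # transactions below this are not covered by SCA
TRA_WAIVER_LIMIT_EUR = 500.0    # 'low risk transaction' waiver ceiling for the merchant


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    channel: str                  # e.g. "ecommerce", "mobile_app", "moto" (mail/telephone order)
    instrument: str               # e.g. "card", "anonymous_prepaid" (gift card codes)
    merchant_initiated: bool = False   # direct-debit-style repeat payment (MIT)
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    merchant_tra_waiver: bool = False  # merchant holds a 'low risk transaction' waiver


def sca_applies(tx: Transaction) -> Tuple[bool, str]:
    """Return (True, reason) if SCA must be performed, else (False, why not)."""
    # Exclusions: transaction types outside the scope of SCA altogether.
    if tx.channel == "moto":
        return False, "MOTO transaction: outside the scope of SCA"
    if tx.instrument == "anonymous_prepaid":
        return False, "anonymous payment instrument: not subject to SCA"
    if tx.merchant_initiated:
        return False, "merchant-initiated transaction (MIT): outside the scope of SCA"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return False, "one-leg-out transaction: issuer or acquirer outside the EEA"
    # Exemptions: in scope, but SCA need not be applied.
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False, f"low-value exemption: below €{LOW_VALUE_LIMIT_EUR:.0f}"
    if tx.merchant_tra_waiver and tx.amount_eur < TRA_WAIVER_LIMIT_EUR:
        return False, f"low-risk transaction waiver: below €{TRA_WAIVER_LIMIT_EUR:.0f}"
    return True, "SCA required: two independent authentication factors"


def unprotected_share(batch: Iterable[Transaction]) -> Tuple[int, int, float]:
    """Count how many transactions (and what fraction of value) escape SCA."""
    txs = list(batch)
    out_of_scope = [tx for tx in txs if not sca_applies(tx)[0]]
    total_value = sum(tx.amount_eur for tx in txs) or 1.0
    unprotected_value = sum(tx.amount_eur for tx in out_of_scope)
    return len(out_of_scope), len(txs), unprotected_value / total_value


# Constructed sample batch: a contact centre's morning, not real data.
SAMPLE_BATCH = [
    Transaction(250.0, "ecommerce", "card"),
    Transaction(20.0, "ecommerce", "card"),
    Transaction(450.0, "ecommerce", "card", merchant_tra_waiver=True),
    Transaction(300.0, "moto", "card"),                      # telephone order
    Transaction(150.0, "moto", "anonymous_prepaid"),         # gift card codes over the phone
    Transaction(90.0, "mobile_app", "card", issuer_in_eea=False),
]

if __name__ == "__main__":
    for tx in SAMPLE_BATCH:
        print(f"€{tx.amount_eur:7.2f} {tx.channel:10s} {tx.instrument:17s} -> {sca_applies(tx)[1]}")
    n_out, n_all, value_share = unprotected_share(SAMPLE_BATCH)
    print(f"{n_out}/{n_all} transactions and {value_share:.0%} of value fall outside SCA")
```

Run as written, five of the six constructed transactions escape SCA, and the telephone gift-card purchase is excluded twice over (MOTO channel and anonymous instrument), which is the "perfect storm" the paragraph describes. A firm can run the same classification over its own transaction log to see which channels carry the most unprotected value and direct compensating controls there.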

So, what happens next? Inevitably, we will see criminals refocusing their efforts on easier avenues of attack to continue to commit fraud, with transactions that are out of scope of SCA being prime candidates. As we noted in a previous blog post, Authorised Push Payment (APP) scams, which are complex ruses that sidestep SCA completely, are on the rise. APP fraudsters con unwitting victims into transferring money from their own accounts to accounts controlled by the criminal, utilising a wide range of elaborate techniques. This one type of fraud alone drove more than £400 million in fraud losses for UK customers in 2020, off the back of a 103% jump in incidents since 2017. In this context, then, the vast gap in SCA coverage that exists in call centre payments simply makes a difficult problem worse.

Addressing the payment authentication risk in vulnerable contact centres

In APP fraud, criminals harvest sensitive information associated with potential victims through call centres, using bots to defeat the bank’s Interactive Voice Response (IVR) systems and social engineering tactics to extract vital security information from contact centre agents. However, as this piece shows, the vulnerability of contact centres extends far beyond this to encompass a range of transaction types that are unprotected by the PSD2 regime, falling outside the remit of SCA.

However, criminals are not having everything their own way. Leading firms are fighting back with new technology to address the vulnerabilities that exist in their telephony channel defences, including the implementation of Smartnumbers Protect. The system provides real-time detection of high-risk calls entering the call centre before the call is even answered. This ensures threats of all kinds are quickly spotted and neutralised, allowing fraud operations teams to step in before a crime can be committed. At the same time, it provides confidence that the call has not been spoofed, so the call itself can serve as a possession-based authentication factor for legitimate customers.

Stopping fraudsters early in the attack cycle is the best defence against the wave of telephone-channel fraud that has followed in the wake of the pandemic. By being fully aware of the risks, and in particular by not relying on SCA as the only weapon in your arsenal to fight electronic payments fraud, leading firms can better protect their customers and staff, and turn the tables on the criminals.