Identity proofing finds its voice

When it comes to data security and protection of subscriber information, financial institutions have a surplus of standards and best practices. Yet hardly a week goes by without a story surfacing about data leaks, lost subscriber records or identity theft.

Barely two weeks into 2008, Barclays Bank in the UK had an embarrassing security breach. A man using personal information found online posed as Barclays chairman Marcus Agius and persuaded a contact center representative over the phone to give him a bank card. The fraudster then used the card at one of the bank’s branches and walked away with around $20,000. By policy, the bank refunds such losses to its customers and chalked it all up to ‘human error’ on the part of the clerk who issued the card.

Nonetheless, the episode highlights the need for stronger ‘identity proofing’ – a need, Opus Research argues, can be better filled by applying voice biometric authentication at the point of transaction.
You don’t have to be chairman of the bank to have your card loss recovered. Most banks limit or eliminate customer losses due to such fraud. The ‘breakage’ is part of the cost of doing business. Most ordinary citizens would find such loss to be astronomical, yet it is never publicly reported. This indicates, at least in a financial reporting sense, that the loss is immaterial. That’s their story, and they all stick by it.

Meanwhile, mitigating the revenue loss would require investment in a broad spectrum of software and services in order to achieve rock-solid, multi-factor authentication of bank customers. This includes a commitment of time, money and dedicated personnel. That formula for organizational inertia has kept alternative methods for preventing false acceptance of imposters on the back burner of IT security priorities for banks, while four-digit personal identification numbers (PINs) are ubiquitous. PIN-based authentication is something with which both banks and identity thieves have become comfortable. The result has been an increase in card fraud.

Voice biometrics has the potential to prevent fraud and to do so in an increasingly user-friendly way, especially over the telephone. Security experts could live with PINs as one factor in identity proofing, but they are well aware of the need for other factors to tackle identity fraud. The fact that bank examiners are starting to put teeth into their guidelines for multi-factor authentication plays a role as well. But under the present system, PINs accompanied by the capture of the originating phone number (so-called PIN+ANI) suffice as a means of authentication for a low-risk interaction, like a balance inquiry.

If an action by a caller raises a yellow flag in the risk-profiling software (such as multiple withdrawals, high-value transfers or a call originating an unfamiliar telephone number) more information is often sought in the form of challenge questions as part of a ‘knowledge-based authentication’ regimen. These have been the major forms of identity proofing to support consumer authentication.

The high-profile data losses and examples of identity theft have put a spotlight on banks and card issuers to show increased rigor in fraud reduction. As a result, some are moving toward more tangible solutions – where ‘tangible’ takes on a literal connotation of ‘something that you can touch’. Computer chips have been added to credit cards. More recently, circuitry that supports ‘one-time password’ solutions has been reduced to a size that can be baked into a card. For wireless phone-based commerce, iris scanners and fingerprint readers are under serious consideration.

But while these initiatives are under investigation, voice biometric-based solutions are already designed to leverage or complement existing infrastructures for fraud detection, risk management and theft prevention. Voice-based biometric authentication fits these requirements on many levels. It requires no special software or equipment. It should work on any phone (wireless or traditional) in any location. While getting customer consent and obtaining initial voiceprints has been a concern, several worldwide deployments have shown increasing enrollment numbers.

Accelerating growth

Opus Research sees enterprise and government spending on voice biometric-based authentication growing from roughly $80 million in 2006 to $780 million in 2011. The forecast envisions steady adoption by commercial banks and credit unions on behalf of their account holders and in support of card-based payment systems (including credit cards, debit cards and chip-and-PIN implementations).

Implementation challenges still revolve around certain intangibles, such as building public trust and creating very positive user experiences. For sustained growth and viability, vendors acknowledge that they must make interactions – from enrollment through routine authentication – as painless as possible for callers.

High-profile identity theft cases, such as the recent snafu at Barclays, serve to underscore the security need. It’ll be up to the community of solutions providers to continuously address issues of affordability, convenience and trust, in addition to high levels of security, for voice biometrics to truly become a mainstream solution in preventing bank fraud.

Dan Miller is senior analyst and founder of Opus Research. Derek Top is research director with Opus Research.