TECHNOLOGY WHITEPAPER
ArmorVox - Solving Call Center Identity Theft
How to use Voice Identification to Protect Global Call Centers
Against Even “Paper and Pencil” Attacks
AURAYA SYSTEMS
One Tara Boulevard | Nashua, New Hampshire 03062 | +1 603 123 7654 | twitter.com/armorvox | linkedin/in/armorvox
Solving the Call Center Identity Theft Problem
In August 2010, SC Magazine ran a series of articles on security perspectives in call centers. In those
articles, cybercrime investigator Charles Jeter focused on the “Hagen Case”, where an enterprising
Bank of America employee, using old-fashioned “paper and pencil”, simply wrote down account holders’
names, birth dates, addresses and account histories with the intent of on-selling this information to
criminal groups who would later use it to break into Bank of America customer accounts.
Whilst most security solutions focus on the threat from outsiders, the truth of the matter is that bank
employees and contractors pose just as big a threat as those outside the organization. Statistics quoted
in the SC Magazine article for identity theft in America suggest:
“Overall, 48% of all breaches in 2009 were attributed to users who abused their rights to access
corporate information for malicious purposes. In addition, 90% of insider threat cases resulted
from deliberate malicious activity, while just 6% each were caused by unintentional activity or
inappropriate conduct. 51% of insider threat cases involved regular employees or end-users,
while 12% involved both accounting staff and system administrators. Upper management
caused 7% of insider incidents.”
The problem of identity theft in call centers is not new or restricted to the USA.
Perhaps the biggest known case of identity theft dates back to 1999/2000 when credit card company
help desk employee Philip Cummings used his password to simply help himself to thousands of credit
reports which he then passed on to other criminal groups. In all, around $100 million was stolen from
around 30,000 victims.
In April 2005 twelve former employees of an Indian call center were arrested on suspicion of identity
related fraud. It is alleged that the former employees had used Citibank callers’ personal credit card
information to purchase various goods and services for their own personal gain and use. The alleged
fraud took place whilst they were employees of the call center, working as call center agents.
Whilst losses associated with this incident are relatively low ($350,000), it does highlight the fact that the
problem is a global one. Globalization of the call center market has also meant globalization of ID theft.
ARMORVOX – ImpostorMaps™
© 2012 Auraya Systems www.ArmorVox.com
The problem here is not that off-shore operators are any more dishonest than on-shore operators; it is a
matter of whose law applies when a data breach occurs. The US has mandatory reporting of data
breaches. But if identity theft occurs in an off-shore call center, then whose law applies?
So how can organizations protect themselves from the old-fashioned call center “Paper and Pencil”
attack? And how can they do this and still benefit from the low costs offered by off-shore contact centers?
The Solution
The key to protecting customers’ personal information and preventing identity theft is to prevent call
center agents from accessing customers’ personal identity information in the first place. But how do
you authenticate callers without access to their personal information?
The solution is ArmorVox, a voice biometrics system able to accurately authenticate a caller’s identity
from their voice characteristics.
Voice biometrics is a two-stage process. The first stage requires that a caller register their voiceprint.
This involves repeating a few words, for example their name and counting numbers. Once
enrolled, a caller can confirm their identity by simply responding to a few voice prompts. In effect, by
using their voice, callers can confirm they are who they say they are without having to
divulge their sensitive personal information to the call center agent.
The capacity to limit call center agent access to the caller’s personal information is one of the major
benefits of ArmorVox. Once authenticated through ArmorVox there is no need for the caller to disclose
personal information to the call center agent and there is no need for the call center agent to even see
the caller’s sensitive identity information. All the call center agent needs to know is that this caller’s
voice matches the voiceprint associated with this financial record.
Voice authentication, therefore, not only delivers a measure of call center efficiency by automating the
upfront authentication process, but more importantly for the off-shore call center operators, it provides a
level of security and privacy that prevents agents from stealing or misusing callers’ personal
information.
In addition, ArmorVox can also resolve the ambiguity over protection afforded by a particular country’s
privacy legislation. Figure 1 shows the solution. By locating ArmorVox in-country, personal information
stored and processed by ArmorVox is subject to local privacy laws. Once authenticated, the caller can
be handed off to an off-shore call center anonymously without any personal identity information
attached. Any privacy breach is then subject to the local privacy laws, i.e. the caller’s local jurisdiction.
This not only solves the legal ambiguity problem, but more importantly provides an increased level of
confidence to off-shore operators that breaches can be dealt with in the local jurisdiction, and that the
international flow of personal information to the off-shore call center is limited.
[Figure 1 diagram. Components shown: In Country authentication gateway with authentication server,
customer database and authentication database; telephone network; international telephone network;
off-shore call centre. Annotations: “Client/citizen personal information authenticated and stored in
country and subject to in country privacy provisions”; “Client/citizen handed to off shore call centre with
personal information omitted”; “Caller referred to through an alias”.]
Figure 1: Privacy Enhanced Call Center
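The hand-off in Figure 1, as an added example (this is not ArmorVox code or its API): an in-country gateway turns a passed voice check into a signed token that carries only a random alias, and the off-shore side verifies it without ever seeing account data. The function names, the shared HMAC key, the 0.8 threshold and the sample account id are all assumptions made for illustration; the voice score is taken as an input, not computed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical key shared by the in-country gateway and the off-shore desk.
HANDOFF_KEY = secrets.token_bytes(32)
_ALIAS_TO_ACCOUNT = {}  # stays in country; never sent off-shore


def issue_handoff(account_id, voice_score, threshold=0.8, ttl=300, now=None):
    """In country: after a voiceprint match, mint an alias-only handoff token."""
    if voice_score < threshold:
        return None  # caller not authenticated, nothing is handed off
    now = time.time() if now is None else now
    alias = "caller-" + secrets.token_hex(8)  # random, not derived from identity
    _ALIAS_TO_ACCOUNT[alias] = account_id
    body = json.dumps({"alias": alias, "auth": "voice", "exp": int(now) + ttl},
                      sort_keys=True).encode()
    tag = hmac.new(HANDOFF_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def accept_handoff(token, now=None):
    """Off-shore: check integrity and expiry; returns the claims or None."""
    now = time.time() if now is None else now
    body, _, tag = token.rpartition(".")
    expected = hmac.new(HANDOFF_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered token
    claims = json.loads(body)
    if claims["exp"] < now:
        return None  # stale handoff
    return claims


def resolve_alias(alias):
    """In country only: map the alias back to the account for back-end actions."""
    return _ALIAS_TO_ACCOUNT.get(alias)


if __name__ == "__main__":
    # Constructed sample: account id and score are made up for illustration.
    token = issue_handoff("ACCT-0001", voice_score=0.93)
    print(accept_handoff(token))
```

With a shared HMAC key the off-shore side could also mint tokens itself; signing in country with an asymmetric key and giving the off-shore side only the public key removes that.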
Conclusion
Banks spend millions (if not billions) on encryption, firewalls and other security measures to protect their
customers’ sensitive personal information only to have their employees and outsourcers use good-old
paper and pencil to steal this information. Identity theft costs banks millions each year and the problem
is only getting worse. And it’s not just the economic cost. It is also the loss of trust and the impact on
brand that comes with insider identity theft.
ArmorVox not only offers banks and financial services a way of reducing customers services,
but more importantly provides an extremely cost effective solution to protecting customers’ personal
information and protecting the bank from the insidious insider identity thief.
Next Steps
ArmorVox offers a Quick Start program for banks and financial services institutions. Working with our
industry-trusted Authorized Partners, ArmorVox offers a quick start program for your voice
authentication pilot project or in-depth analysis. Our partners will discuss your authentication needs
and work with your IT team to implement an ArmorVox Speaker Identity System pilot program with your
applications for:
Internal User – PIN and Password Reset
Consumer Identity Authentication
To get started, please visit: http://www.armorvox.com/quick-start-voice-authentication-pilot-project/
About the Author
Dr. Clive Summerfield is Auraya Systems’ Founder and Chief Executive Officer.
Clive is an internationally recognized authority on voice technology and holds numerous
patents in Australia, USA and UK in radar processing, speech chip design and speech
recognition and voice biometrics.
As a former Founder Deputy Director of the National Center for Biometric Studies (NCBS) at the University
of Canberra, in 2005 Clive undertook what was at the time the world’s largest scientific analysis of voice
biometric systems, leading to the adoption of voice biometrics by for secure services. That experience
led Clive in 2006 to found Auraya, a business exclusively focused on advanced voice biometric
technologies for enterprise and cloud based services. Visit ArmorVox.com for Clive Summerfield’s full
bio.
About Auraya Systems
Founded in 2006, Auraya Systems, the creator of the ArmorVox™ Speaker Identity System, is a global
leader in the delivery of advanced voice biometric technologies for security and identity management
applications in a wide range of markets including banks, government, and health services. Offices are
located near Boston USA, Canberra and Sydney Australia. For more information, please
visit www.armorvox.com.