Interactive Voice Response (IVR) banking is prevalent. If you have ever dialed your bank to check your account balance or make a payment, chances are you have used it. Besides these fundamental self-help tasks, customers can utilize bank IVRs to report fraud, update personal details, access their transaction history, or modify their PIN without waiting for a representative.
Having a range of choices like these makes utilizing IVR a convenient substitute for visiting a physical branch or enduring lengthy caller hold periods.
Customers are not the only ones to benefit from these systems — financial institutions can also capitalize on the advantages by reducing routine customer service inquiries and devising innovative ways to cater to customers beyond regular business hours.
Many of the leading VoIP phone services available currently include IVR as part of their offerings. This implies that banks using these services probably already have access to tools and integrations for data collection, analytics, and advanced security aspects such as voice recognition.
All these perks of IVR come with some inherent risks of additional vulnerabilities that must be evaluated and resolved before implementation. Without appropriate safeguards in place, IVR technology could potentially be exploited for identity theft, phishing scams, and data breaches.
How do cybercriminals target IVR banking services?
While busy consumers and companies appreciate a reliable IVR system, malefactors are always on the lookout for loopholes to gain unauthorized access to the system.
They aim to obtain credit card information, attempt to seize control of customer accounts, and exploit the personal data linked to financial records.
Common tactics involve deceiving the IVR into perceiving the hacker as a genuine customer, launching phishing schemes using automated phone calls or social manipulation techniques, spoofing voice biometrics, and identifying vulnerabilities in IVR software to infiltrate the system.
Effective authentication approaches for IVR banking
If a system is adequately fortified, whenever a customer contacts a banking IVR, they are mandated to authenticate their identity using at least one validation method before accessing any account services.
The crucial aspect here is ensuring that the IVR is not only compliant and secure enough to deter cybercriminals but also not overly complex to the extent that it hampers legitimate customers from accessing their own banking data effectively.
For heightened security, banks frequently enforce multiple layers of authentication that are crafted to thwart various forms of attacks.
Six methods of authentication for IVR banking
Knowledge-based verification
Knowledge-based verification is a technique for confirming a person’s identity by prompting them about details only known to them. For example, if an individual calls a bank using KBA, they might be asked by the bank to provide a previous address or the location where they first met their partner.
For KBA to be effective, banks need to ensure they use data that is not easily obtainable or deducible through social engineering, and they must also ensure that the questions are distinct enough for customers to remember their responses.
Employing overly specific questions can result in frustration, so it is crucial to keep the questions broad enough for easy utilization while maintaining security. Some systems allow end users to set their own questions and responses.
Passcode-based validation
Passcode-based validation is a prevalent method for customers to access their accounts by inputting unique 4-6 digit codes only known to them.
When utilized with a banking IVR, the system automatically verifies the customer’s entered passcode against the one associated with their account. If the codes match, the remainder of the IVR is accessible, and the customer can utilize the services.
While passcode-based authentication can be robust for data protection, it has its flaws, particularly when customers use easily guessable or common passcodes. This includes instances where customers utilize consecutive four numbers or common sequences like 1234.
If employing passcode-based validation, it is essential to remind customers to avoid using numbers linked to other crucial data, such as the last four digits of their phone number or social security number, as this heightens the risk of unauthorized access in case of an IVR breach.
Additionally, incorporating features in the IVR that automatically lock the account after repeated failed attempts is crucial. This counteracts brute-force attacks, where malefactors use software to make numerous login attempts.
Voice pattern recognition
Voice pattern recognition is a modern technology that functions when a customer recites a specific passphrase or set of words into the phone. The IVR records the speech and matches it against a previous recording set up by the caller. Upon a successful match of the passphrase and voice patterns, the customer gains access.
Voice pattern recognition is effective when functioning correctly, but issues like poor voice capture quality and erroneous analysis can lead to false negatives and false positives. The former is irksome for customers, whereas the latter poses a significant risk to the bank.
If opting for voice pattern recognition, partnering with a high-quality system possessing excellent pattern recognition is vital. Educating customers on providing clear voiceprints during passphrase setup is also advisable.
One-time passwords
One-time passwords are temporary codes dispatched to customers via SMS, email, or a phone call to authenticate their identity. When a customer calls in, the IVR sends a code via their preferred registered method. If the correct code is entered within the stipulated timeframe, they can proceed with further services.
While this security verification is typically deployed in the initial IVR phase, it can also be leveraged later as added security when managing high-risk operations, such as transferring substantial sums of money to another party.
The most effective one-time passwords are time-bound, ensuring they only remain valid for a brief period, diminishing the likelihood of unauthorized access by malefactors. If implementing one-time passwords at your establishment, ensure customers maintain updated contact information to receive codes at the correct phone number or email address.
Caller identification validation
One automated way of authenticating callers is matching their caller ID details with the phone number linked to their bank account. If the information aligns, the customer can proceed past this stage without any additional action.
While caller identification validation can be beneficial for customers consistently using the registered phone number, it proves ineffective for individuals calling from unregistered numbers like work lines or a friend’s phone. Consequently, most systems employing this authentication method must offer additional alternatives.
Caller ID data can be manipulated, so banks should contemplate integrating supplementary security measures alongside caller ID authentication to confirm the genuine customer’s identity.
About Author
