As more personal information about individuals becomes available online, financial services companies should be concerned about the risk of identity fraud when clients telephone to access their accounts.
According to U.S.-based technology solutions provider Opus Research, the number of fraud incidents may be declining but losses from identity theft continue to grow at roughly 5% a year in the U.S.; this year, costs of identity theft will reach US$56.6 billion.
The race is on to authenticate callers with more confidence and to minimize account hijacking. One solution to the problem often posited by security experts is two-factor authentication using something you know (such as a PIN), along with something you have (such as a smart card or electronic token).
Some devices, such as the SecurID from security company RSA Security Inc., come in the form of an electronic key fob that displays a frequently changing set of characters synchronized with a similarly changing system at head office. A caller might be asked to read the characters currently on the key fob’s LCD screen to confirm his or her identity.
But such devices can be expensive to distribute, and if one is lost, it would have to be revoked and a new one issued.
Another idea gaining ground is the use of biometrics — the combination of something you know with something you are.
Some companies, such as Halifax-based Diaphonics Inc., are proposing voice biometrics as a way to authenticate callers. Diaphonics is one of several companies selling systems that analyse voice patterns from callers and compare them against voice samples collected from the customer at an earlier date.
“All the technology is at the back end, and you’re not making the users do anything unusual. They’re not having to carry around something else on their key chain or something else in their wallet,” says Diaphonics co-founder Jeremy Bernard.
It takes about five seconds for customers to enrol themselves on the system, providing a voice sample against which future calls are measured, Bernard says. When a client calls to access an account, it may only take a second or two to get through the challenge and response system, he says.
One obvious concern that security officers have is about the accuracy of such systems. According to Bernard, the system will be unable to analyse a caller’s voice 1% to 2% of the time, causing a challenge to be repeated, or the caller to be handed off to a human operator. Of more concern, however, is the possibility that fraudsters might accidentally get authorization, or that genuine account holders might be rejected incorrectly.
“The worst outcome is false acceptance,” Bernard says. “You can adjust the system so that there are virtually no false acceptances — but then the rejection rate of valid users will increase.” Rejected callers can, however, be handed off to human employees and presented with a stringent set of questions.
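The trade-off Bernard describes can be worked through on numbers. The following is an added example, not code from Diaphonics or any vendor named in this article: the similarity scores are constructed, and the function names and the hand-off label are assumptions made for illustration.

```python
# Constructed similarity scores in the range 0..1 (higher means closer to the
# enrolled voice sample). These are illustrative values, not product measurements.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.84, 0.73, 0.90, 0.58, 0.86]
IMPOSTOR = [0.21, 0.35, 0.62, 0.44, 0.18, 0.70, 0.29, 0.51, 0.38, 0.25]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false acceptance rate, false rejection rate) for a threshold.

    A caller is accepted when the score is >= threshold.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def lowest_threshold_for(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Find the most permissive threshold whose FAR stays within max_far.

    Only observed scores need to be tried, because the rates change only at
    those values. 1.01 is a sentinel that rejects every caller.
    """
    candidates = sorted(set(genuine) | set(impostor)) + [1.01]
    for t in candidates:
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr


def decide(score, threshold):
    """Rejected callers are not dropped; they go to a human operator."""
    return "accept" if score >= threshold else "handoff_to_operator"


if __name__ == "__main__":
    for target in (0.1, 0.0):
        t, far, frr = lowest_threshold_for(target)
        print(f"max FAR {target:.0%}: threshold {t:.2f}, FAR {far:.0%}, FRR {frr:.0%}")
```

On this sample, driving false acceptances from 10% to zero doubles the share of valid callers who are rejected and passed to an operator.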
Louie Gasparini, chief technology officer for the consumer business unit at RSA, suggests applying even more rigour to biometric voice authentication by coupling it with behavioural analysis. For example, he suggests cross-referencing data about incoming callers with information about access patterns on their online accounts, to see if they have recently attempted to log in from any location they don’t normally visit.
Similarly, systems should be able to raise alarms if, for example, someone calls for telephone access to their account from Canada, and then another call is made a short time later to try to access the account from overseas.
RSA recently launched its own caller authentication product that combines biometric voice analysis with other data about the phone call to help raise possible fraud alarms.
But biometric voice analysis has its challenges. Although experts agree that biometric voice analysis systems will still identify callers’ voices when they have a cold, things are less certain when dealing with different types of phone systems. For example, says Idan Shoham, chief technology officer and co-founder of Calgary-based identity management company M-Tech Information Technology Inc., if a client enrols his or her voice using a land line and then calls up for access using a mobile phone, the voice quality may be different enough to confuse the system. Consequently, it may be more advisable to enrol customers multiple times for each channel. This adds a layer of complexity for the customer.
Another potential issue for companies using biometric call authentication is how to manage the enrolment process in a secure and convenient way, warns Shoham. “I’ve seen many organizations send out e-mail messages, asking users to call a number and dial a PIN to enrol. That’s very insecure. E-mail is very vulnerable, and PINs are short, so they are susceptible to brute force attacks.”
Shoham also hears about users enrolling only when they need access to a system, digging out the PIN and enrolling so that they can have access. “That’s absurd,” he says. “You have to manage enrolment before the user has problems.”
Enrolment can be better managed using a longer PIN that expires after a short time, and capturing the user’s attention by asking them to enrol for the biometric voice analysis system when they are already in contact with an organization. For example, when they successfully log into their online account, the system could present them with a PIN that is valid for a few minutes, and then ask them to dial a telephone number and enrol, he suggests.
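One way to implement the enrolment flow described above, as an added example that is not code from M-Tech or any other company in this article. The PIN length, the five-minute lifetime, the three-attempt limit and all class and method names are assumptions; the article only specifies a longer PIN that is valid for a few minutes and issued after a successful online login.

```python
import hashlib
import hmac
import secrets

PIN_DIGITS = 10      # assumption: what "longer" means here
TTL_SECONDS = 300    # assumption: "valid for a few minutes"
MAX_ATTEMPTS = 3     # assumption: wrong guesses allowed before the PIN is revoked


class EnrolmentPins:
    """Short-lived, single-use PINs that gate voice enrolment by phone."""

    def __init__(self):
        # account_id -> [sha256(pin), expiry time, attempts left]
        self._pending = {}

    def issue(self, account_id, now):
        """Call only after a successful online login; returns the PIN to show
        on screen. Nothing is sent by e-mail."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        digest = hashlib.sha256(pin.encode()).digest()
        self._pending[account_id] = [digest, now + TTL_SECONDS, MAX_ATTEMPTS]
        return pin

    def redeem(self, account_id, pin, now):
        """Check the PIN keyed in on the enrolment call."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_pending_enrolment"
        digest, expires_at, attempts_left = entry
        if now >= expires_at:
            del self._pending[account_id]
            return "expired"
        if hmac.compare_digest(digest, hashlib.sha256(pin.encode()).digest()):
            del self._pending[account_id]      # single use
            return "enrol"
        entry[2] = attempts_left - 1
        if entry[2] == 0:
            del self._pending[account_id]      # stops brute-force guessing
            return "locked"
        return "wrong_pin"
```

The caller passes in the current time (for example `time.time()`), which keeps the expiry logic easy to test.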
Even with such complexities, analysts believe that the time has come for voice biometrics to enter the mainstream. “Voice verification biometrics technology is definitely shaping up,” says Sapna Capoor, an industry analyst in biometric global markets at market watcher Frost & Sullivan. “Some of the first implementations in financial institutions have started. ABN AMRO has started adopting voice biometrics solutions in Europe.”
Capoor points to a Frost & Sullivan report predicting that the worldwide financial expenditures on voice biometrics in the financial sector will grow at a compound annual rate of 41% between 2004 and 2011. That would put expenditure at about $193 million in 2011 — not a world-shattering investment by any means, but a promising sign for advocates of the technology.
Dialing up better security for financial services
The proliferation of personal information online makes caller authentication difficult. Can voice biometrics help?
- By: Danny Bradbury
- November 13, 2006
- 12:08