Identity fraud is where it's at if you're a digital criminal looking to make money. Javelin Strategy & Research states in its latest identity-fraud study that $16 billion were stolen from 12.7 million victims in 2014. I've been told that Gartner suggests over 30% of all identity fraud attacks start out with phone calls.
Besides losing money to the actual fraud, there's another cost that's more than a little alarming. According to this ContactBabel report (PDF, page 145), in 2014, the total cost for agent-handled security and identification checking by US businesses came to $10.6 billion. To put it simply, companies are spending more than $10 billion to determine if callers are whom they say they are.
Guess who pays for that?
I recently became aware of a company, Pindrop Security, that is known for its innovative authentication and anti-fraud detection technology in the call center industry. To learn more, I contacted its CEO and CTO Dr. Vijay A. Balasubramaniyan, who cofounded the company with Dr. Mustaque Ahamad (chief scientist). For my first question, I asked Balasubramaniyan about the dramatic increase in phone identity fraud.
He said it may not seem like it, but it is getting harder for bad guys to get past the multiple security road blocks on computer networks. They do, of course, but at a much lower return on their investment. "That is not the case when it comes to call centers authenticating individual callers," says Balasubramaniyan. "The only thing standing between the fraudster and access to the victim's account are a few questions."
The ContactBabel report suggests between 20% and 50% of the typical authentication questions are easily circumvented by fraudsters. Balasubramaniyan agrees. "Most of the information required to answer the questions is found on the internet," explains Balasubramaniyan. "For example, your date of birth can be found on Facebook. Your mother's maiden name is available on Ancestry.com. Even for some of the hard questions, with all the data breaches recently, fraudsters can easily find a plethora of information about you."
Balasubramaniyan has been working on a solution for several years. It, in fact, was part and parcel of his Ph.D. thesis. His idea: acoustically fingerprint phone calls and associate that data with the phone number.
Balasubramaniyan and his team at Pindrop Security have isolated 147 audio characteristics associated with phone calls — for example, line noise, artifacts left behind from packet loss, and the spectrum of the call.
He said the company has access to telco databases from around the world. So, after analyzing millions of global phone calls, assigning each one an acoustic fingerprint, and using machine learning to grind all that information into usable content, Balasubramaniyan and the people at Pindrop Security on any given phone call know, at a minimum, what kind of phone is being used, the telco provider, and where the call is coming from.
Balasubramaniyan provides the following example. A call comes in from a known number, checking the telco databases Pindrop Security's automated system determines the call should be from a landline in Atlanta, Georgia. If the audio characteristics advise anything other than that, for instance, a Skype call from Europe, the call's risk score signifies the call is likely fraudulent.
Pindrop Security has additional tools that update the company's fraudulent call database with relevant information:
- Phoneypot: A telephone honeypot that allows researchers to collect data from millions of calls to unlisted numbers such as robo-callers, debt collectors, and telemarketers.
- Topic Modeler: A proprietary online complaint collection tool that aggregates data on suspicious numbers from complaint sites, online communities, and web forums.
Put all this together, and Balasubramaniyan feels Pindrop Security has a market advantage because of its ability to:
- detect and prevent fraud on the first phone call;
- notify the call center representative of a call's fraudulent nature without alerting the fraudster; and
- access multiple detection factors.
Know a phone's location
I understand how researchers at Pindrop Security determine many of the audio characteristics; however, location eluded me. I asked Balasubramaniyan about that. He chuckled, saying my question reminds him of his Ph.D. candidate days. His adviser had concerns that Balasubramaniyan, who was making so many phone calls, would never finish his paper.
Simply put, international telephony standards do not cover every aspect of the technology. It seems each country has distinguishable differences in their network. Knowing the differences allows Pindrop Security personnel to discern the country of origin. For example, the voice frequency range is not standardized. It varies widely around the world. Balasubramaniyan told me the different voice frequency ranges, plus other country-based variations, allow them to locate a phone within an area about the size of France.
Increased security and better for customers
Balasubramaniyan pointed out something interesting. Technologies such as phoneprinting can be considered a win-win situation. If a service like Pindrop Security's is in place, before answering the phone, call center operators receive a risk score for that particular call and can base the amount of authentication required on the score. This is incredibly important, as very few customers appreciate being quizzed about their mother's maiden name and favorite grade school teacher.
- IRS sets up dedicated cybercrime unit to combat identity theft (ZDNet)
- Ten tips to avoid identity theft (ZDNet gallery)
- Stop thinking of fraud as taboo, and start addressing this critical IT security topic
- Identity theft: Businesses are at risk
Information is my field...Writing is my passion...Coupling the two is my mission.