TECHNOLOGY WHITEPAPER

ArmorVox - Solving Call Center Identity Theft

How to use Voice Identification to Protect Global Call Centers Against Even Paper and Pencil Attacks

AURAYA SYSTEMS One Tara Boulevard | Nashua, New Hampshire 03062 | +1 603 123 7654 | twitter.com/armorvox | linkedin/in/armorvox

Solving the Call Center Identity Theft Problem

In August 2010, SC Magazine ran a series of articles on security perspectives in call centers. In those articles, cybercrime investigator, Charles Jeter, focused on the Hagen Case, where an enterprising Bank of America employee, using old fashioned paper and pencil, simply wrote down account holders names, birth dates, addresses and account histories with the intent of on-selling this information to criminal groups who would later use it to break into Bank of America customer accounts.

Whilst most security solutions focus on the threat from outsiders, the truth of the matter it is bank employees and contractor pose just as big a threat as those outside the organization. Statistics quoted in the SC Magazine article for identity theft in America suggest: Overall, 48% of all breaches in 2009 were attributed to users who abused their rights to access corporate information for malicious purposes. In addition, 90% of insider threat cases resulted from deliberate malicious activity, while just 6% each were caused by unintentional activity or inappropriate conduct. 51% of insider threat cases involved regular employees or end-users, while 12% involved both accounting staff and system administrators. Upper management caused 7% of insider incidents.

The problem of identity theft in call centers is not new or restricted to the USA.

Perhaps the biggest known case of identity theft dates back to 1999/2000 when credit card company help desk employee Philip Cummings used his password to simply help himself to thousands of credit reports which he then passed on to other criminal groups. In all around $100 million was stolen from around 30,000 victims.

In April 2005 twelve former employees of an Indian call center were arrested on suspicion of identity related fraud. It is alleged that the former employees had used Citibank callers personal credit card information to purchase various goods and services for their own personal gain and use. The alleged fraud took place whilst they were employees of the call center, working as call center agents. Whilst losses associated with this incident are relative low ($350,000), it does highlight the fact that the problem is a global one. Globalization of the call center market has also meant globalization of ID theft.

2
ARMORVOX ImpostorMaps 2012 Auraya Systems www.ArmorVox.com

The problem here is that offshore operators are no more dishonest than on-shore operators; it is a matter of whose law applies when a data breach occurs. The US has mandatory reporting of data breaches. But if identity theft occurs in an off-shore call center, then whose law applies? So how can organizations protect themselves from the old fashion call center Paper and Pencil attack? And how can they do this and still benefit from low costs offered by off-shore contact centers?

The Solution
The key to protecting customers personal information and preventing identity theft is to prevent call center agents from accessing customers personal identity information in the first place. But how do you authenticate callers without access to their personal information? The solution is ArmorVox, a voice biometrics system able to accurately authenticate the identity of a callers voice characteristics. Voice biometrics is a two stage process. The first stage requires that a caller register their voiceprint. This involves repeating a few words, for example their name and counting numbers. Subsequently, enrolled, a caller can confirm their identity by simply responding to a few voice prompts. In effect, by using their voice to confirm they can confirm they are who they say they are but without having to divulge their sensitive personal information to the call center agent. The capacity to limit call center agent access to the callers personal information is one of the major benefits of ArmorVox. Once authenticated through ArmorVox there is no need for the caller to disclose personal information to the call center agent and there is no need for the call center agent to even see the callers sensitive identity information. All the call center agent needs to know is that this callers voice matches the voiceprint associated with this financial record. Voice authentication, therefore, not only delivers a measure of call center efficiency by automating the upfront authentication process, but more importantly for the off-shore call center operators, it provides a level of security and privacy that prevents agents from stealing or misusing callers personal information.

3
ARMORVOX ImpostorMaps 2012 Auraya Systems www.ArmorVox.com

In addition, ArmorVox can also resolve the ambiguity over protection afforded by a particular countrys privacy legislation. Figure 1 shows the solution. By locating ArmorVox in-country, personal information stored and processed by ArmorVox is subject to local privacy laws. Once authenticated, the caller can be handed off to an off-shore call center anonymously without any personal identity information attached. Any privacy breach is then subject to the local privacy laws, i.e. the callers local jurisdiction. This not only solves the legal ambiguity problem, but more importantly provides an increased level of confidence to off-shore operators that breaches can be dealt with in the local jurisdiction, and that the international flow of personal information to off-shore call center is limited.

Authentication Gateway
Off-shore call centre

Customer database

International Telephone Network

Authentication server

In Country Telephone Network

Authentication database

Client/citizen handed to off shore call centre with personal information omitted Caller referred to through an alias

Client/citizen personal information authenticated and stored in country and subject to in country privacy provisions

Figure 1: Privacy Enhanced Call Center

4
ARMORVOX ImpostorMaps 2012 Auraya Systems www.ArmorVox.com

Conclusion
Banks spend million (if not billions) on encryption; firewalls and other security measures to protect their customers sensitive personal information only to have their employees and outsourcers use good-old paper and pencil to steal this information. Identity theft cost banks millions each year and the problem is only getting worse. And its not just the economic cost. It is also the loss of trust and the impact on brand that comes with insider identity theft. ArmorVox not only provides offers banks and financial services a way of reducing customers services, but more importantly provides an extremely cost effective solution to protecting customers personal information and protecting the bank from the insidious insider identity thief.

Next Steps
ArmorVox offers a Quick Start program for banks and financial services institutions. Working with our industry-trusted Authorized Partners, ArmorVox offers a quick start program for your voice authentication pilot project or in-depth analysis. Our partners will discuss your authentication needs

and work with your IT team to implement ArmorVox Speaker Identity System pilot program with your applications for:

Internal User PIN and Password Reset Consumer Identity Authentication

To get started, please visit: http://www.armorvox.com/quick-start-voice-authentication-pilot-project/

5
ARMORVOX ImpostorMaps 2012 Auraya Systems www.ArmorVox.com

About the Author Dr. Clive Summerfield is Auraya Systems Founder and Chief Executive Officer. Clive is an internationally recognized authority on voice technology and holds numerous patents in Australia, USA and UK in radar processing, speech chip design and speech recognition and voice biometrics.

As a former Founder Deputy Director of the National Center for Biometric Studies (NCBS) at University of Canberra, in 2005 Clive undertook at the time the worlds largest scientific analysis of the voice biometric systems leading to the adoption of voice biometrics by for secure services. That experience lead Clive in 2006 founding Auraya, a business exclusively focused on advanced voice biometric technologies for enterprise and cloud based services. Visit ArmorVox.com for Clive Summerfields full bio.

About Auraya Systems Founded in 2006, Auraya Systems, the creators of ArmorVox Speaker Identity System is a global leader in the delivery of advanced voice biometric technologies for security and identity management applications in a wide range of markets including banks, government, and health services. Offices are located near Boston USA, Canberra and Sydney Australia. For more information, please visit www.armorvox.com.com.

6
ARMORVOX ImpostorMaps 2012 Auraya Systems www.ArmorVox.com