IVR banking is ubiquitous. If you’ve ever called your bank to check your account balance or pay a bill, you’ve probably used it. In addition to these basic self-service tasks, customers can use their bank’s IVR to report fraud, update personal information, review transaction history, and even change their PIN without having to wait for an agent.
With access to these options, an IVR can be a convenient alternative for callers to visiting a physical branch or waiting on hold for long periods of time.
Customers aren’t the only beneficiaries of these systems – banks can enjoy the benefits of reducing the number of routine customer service inquiries and finding new ways to serve customers outside of normal business hours.
Many of today’s top VoIP phone services already include IVR in their packages, which means banks using these services likely already have access to tools and integrations for data collection, analytics, and advanced security features like voice recognition.
All of these benefits of IVR come with some additional vulnerability risks that need to be considered and addressed before implementation. Without proper protections in place, IVR technology can be used for identity fraud, phishing attacks, and data breaches.
How Do Hackers Attack IVR Banking Services?
While busy customers and companies love a good IVR system, hackers love a bad one. IVR hacking means targeting specific weaknesses to gain unauthorized access to the system.
Attackers will steal credit card data, attempt to take control of customer accounts, and even exploit personal information related to financial history.
Some of the most common methods include tricking the IVR into thinking it is a legitimate customer, launching phishing attacks through automated calls or social engineering tactics, using voice biometric spoofing, and finding vulnerabilities in the IVR software to break into the system.
Secure authentication for IVR banking
If the system is properly secured, every time a customer calls the bank’s IVR, they will be required to verify their identity using at least one authentication method before they can access any account services.
The key here is to ensure that the IVR is both compliant and secure enough to deter hackers, but not so complex that it frustrates legitimate customers and affects their ability to access their banking information.
For added protection, banks often require multiple layers of authentication to block different types of attacks.
6 authentication methods for IVR banking
Knowledge-based authentication
Knowledge-based authentication is a method of verifying a person’s identity by asking them something that only they know. For example, if a person calls a bank using KBA, the bank might ask them for one of their previous addresses or the city where they first met their spouse.
For KBA to work well, banks need to ensure that the data they use cannot be easily found or inferred through social engineering, and they also need to choose questions whose answers customers can actually remember.
Providing only overly specific questions can be frustrating, so questions need to be broad enough to be easy to use, yet specific enough to be safe. Some systems even allow end users to set their own questions and answers.
PIN-based authentication
PIN-based authentication is a very common method in which customers access their accounts by entering a 4-6 digit code that only they know.
When used with a bank’s IVR, the system automatically compares the PIN entered by the customer with the PIN associated with their account. If the two numbers match, the rest of the IVR is unlocked and the customer can use the service.
While PIN-based authentication is a strong method of data protection, it is often unreliable in practice because customers set common or easily guessed PINs. This includes customers repeating the same digit four times or using default combinations such as 1234.
If you use PIN-based authentication, be sure to remind your customers to avoid using numbers associated with other important data (for example, their phone number or the last four digits of their Social Security number) because this increases the chances of a hacker gaining access to their account if the IVR is compromised.
It’s also important to build a control into your IVR that automatically locks out accounts after a certain number of failed attempts. This helps prevent brute force attacks, where hackers use software programs to automatically try thousands of guesses to log in.
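The PIN checks described above, as an added example that is not code from the original article: it rejects the weak PINs the text calls out (repeated digits, sequential defaults such as 1234), stores only a salted hash, compares in constant time, and locks the account after a fixed number of consecutive failures. The attempt limit and lockout window are assumed values, not the article’s.

```python
import hmac
import hashlib
import os
import time

MAX_FAILED_ATTEMPTS = 3          # assumed policy: lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60        # assumed lockout window; tune to the bank's policy

def is_weak_pin(pin: str) -> bool:
    """Reject PINs the article warns about: wrong length, one repeated digit,
    and default or sequential combinations such as 1234."""
    if not pin.isdigit() or not 4 <= len(pin) <= 6:
        return True
    if len(set(pin)) == 1:                      # 1111, 0000, ...
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                    # 1234, 4321, 123456, ...
        return True
    return False

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted hash so a compromised IVR database does not leak raw PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class PinAuthenticator:
    def __init__(self, pin: str):
        if is_weak_pin(pin):
            raise ValueError("PIN rejected by policy")
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.failed = 0
        self.locked_until = 0.0

    def verify(self, entered: str, now: float = None) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveal which digit was wrong."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(hash_pin(entered, self.salt), self.pin_hash):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed = 0
            return "locked"
        return "denied"
```

Every failed attempt, including attempts made while locked, is worth logging so that repeated guessing across many accounts can be detected at the IVR level, not just per account.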
Voice biometrics
Voice biometric authentication is a relatively new technology that works when a customer speaks a password or a series of predefined words into the phone. The IVR captures the recording and compares it to a previous recording set by the caller. If the password and voice pattern match, the customer is allowed to proceed.
Voice biometrics works great when it works, but low-quality voice capture and poor analysis can lead to errors in both directions: rejecting a legitimate customer or accepting an impostor. The former is extremely annoying for customers, while the latter is hugely risky for banks.
If your bank chooses to enable voice biometrics, it’s important to work with a high-quality system that has excellent pattern recognition capabilities. It’s also a good idea to educate your customers on the importance of providing a clear voiceprint when setting up their passwords.
One-time password
A one-time password is a temporary code sent to customers via SMS, email or phone call to verify their identity. When a customer calls, the IVR sends the code through their preferred registered channel. If the customer enters the correct code within a specified time, they can proceed to the next stage of service.
While this security check usually occurs at the beginning of the IVR process, it can also be used again later as an extra security measure when dealing with something high risk, such as sending a large sum of money to another person.
The best one-time passwords are time-sensitive, meaning they only work within a few minutes or an hour, reducing the chances of being accessed by someone with bad intentions. If you implement one-time passwords at your company, be sure to remind your customers to keep their data up to date so that the IVR can send the code to the correct phone number or email address.
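The one-time password step described above, as an added example that is not code from the original article: the code is delivered only to the customer’s registered contact, expires after a short window, is accepted once and never replayed, and is discarded after a few wrong entries. The six-digit length, five-minute validity and three-attempt limit are assumed values, and the `outbox` list stands in for the SMS/email/voice gateway.

```python
import hmac
import secrets

OTP_DIGITS = 6
OTP_TTL_SECONDS = 5 * 60   # assumed validity window; the article suggests minutes, not hours

class OtpStep:
    """Issues a one-time code to the caller's registered contact and verifies it."""

    def __init__(self, registered_contacts: dict):
        # registered_contacts maps customer id -> (channel, address); constructed sample data in the test
        self.contacts = registered_contacts
        self.pending = {}      # customer id -> (code, expires_at, attempts_left)
        self.outbox = []       # stands in for the SMS/email/voice delivery gateway

    def issue(self, customer_id: str, now: float) -> bool:
        contact = self.contacts.get(customer_id)
        if contact is None:
            return False                       # no registered channel: offer another method
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[customer_id] = (code, now + OTP_TTL_SECONDS, 3)
        self.outbox.append((contact, code))    # delivery goes only to the registered address
        return True

    def verify(self, customer_id: str, entered: str, now: float) -> bool:
        entry = self.pending.get(customer_id)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if now > expires_at:
            del self.pending[customer_id]      # expired: caller must request a fresh code
            return False
        if entered.isascii() and hmac.compare_digest(code, entered):
            del self.pending[customer_id]      # single use: the code cannot be replayed
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self.pending[customer_id]      # too many wrong entries: start over
        else:
            self.pending[customer_id] = (code, expires_at, attempts_left)
        return False
```

Because the same step can be re-run before a high-risk action such as a large transfer, `issue` is safe to call again mid-session; it simply replaces any pending code.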
Caller ID Verification
One way to automatically verify the identity of a caller is to match the caller ID information with the phone number associated with the bank account. If the information matches, the customer completes this step without any action on their part.
While Caller ID verification is great for customers who only use a phone number registered with the bank, it doesn’t really work for customers who have to use an unregistered number, like a work number or a friend’s phone. Therefore, most systems that use this authentication method must also offer other options.
Caller ID data can also be falsified, so banks should implement additional security measures alongside caller ID verification to confirm that it is indeed the customer making the call.