This is the third article in our series covering the emergence of Voice Biometrics as a game-changer for customer experience.-editor
With the recent news of the record-setting data breach of Home Depot, the need for effective security has once again reasserted itself. Yet as dramatic as this incident is, more sobering is the realization that such breaches are a distressingly common occurrence. As of September of this year alone, 579 breaches have exposed nearly 77 million records, according to the Identity Theft Resource Center. When one also considers the fact that out of the hundreds of millions of phone calls that call centers receive annually, 1 out of every 2900 callers is a fraudster—many of whom are using information and credentials stolen from breaches to enhance their attempts—it quickly becomes clear that the potential consequences to both customers and companies are vast and grim.
While customers themselves can take numerous actions to reduce the possibility of becoming a victim of identity theft, it behooves companies to better serve their customers by investing in training and technologies that will detect, deter, and defeat fraud. Among the many tools being developed to combat fraudsters and data thieves, voice biometrics (VB) is emerging as one of the most promising weapons in the fight.
A Better Fingerprint, An Unhackable Password
Like other types of biometrics, voice biometrics uses an individual’s distinctive characteristics to identify himself or herself. “We create a model of what your larynx structure is like, as well as that of your throat, your mouth, and your nasal cavity,” says Michael Goldgof, Vice President of Marketing at AGNITIO, a founding member of the FIDO Alliance. “It’s actually a physical biometric that is deduced from the sound waves of your voice.” Combined with behavioral vocal characteristics (such as accent or pronunciation), the resulting voiceprint is as unique and accurate as a fingerprint. But unlike a fingerprint, which is static biometric, a voiceprint is a dynamic biometric and thus can be revoked and changed as easily as a password.
“If somebody accesses an imprint of your fingerprint, they’ve compromised that credential,” explains Brett Beranek, Senior Principal Solutions Marketing Manager at Nuance. “We have ten fingers so in theory you can stop using one finger and use another finger to authenticate into the system, but it’s inherently limited. With voice biometrics, we have infinite variability.”
Therefore, in the event that a criminal records a customer speaking a passphrase to facilitate a playback attack, the customer can change his compromised credential (“My voice is my password”) to something else (“My voice gives me access to my account”). Additionally, anti-spoofing technology that recognizes a voice being emitted from a loudspeaker instead live human vocal tract can also help prevent such an attack from succeeding.
Moreover, since a voiceprint cannot be reverse engineered to create a voice, no actual credential that can be stolen is stored on a database.
“If you compromise a voice biometric database, then there really is no security issue because the voiceprints are just a set of voice characteristics,” advises Beranek. “You can’t use a voiceprint to authenticate into an account. The only thing you can use to authenticate into a voice biometric system is somebody’s voice. So the potential for massive security breaches with voice biometric systems simply doesn’t exist.”
Further protecting against massive data breaches is developing technology that allows voiceprint storage and matching on handheld devices, using cryptography to actually log in.
“The idea is that the credentials never leave the device,” notes Goldgof. “When we deal with the issues of break-ins, one of the key things for a break-in is these scalable attacks are only possible if there is a centralized database of credentials. But if the credentials are actually kept locally on the devices, then it’s not even possible to have a scalable attack that is authentication related.”
An Antivirus Against Fraudsters
Phone fraud against call centers is almost the perfect crime. “You don’t know who the person is, you don’t know his name, you don’t have any of his credentials,” points out Goldgof. The only thing left after a successful fraud attempt is a voice recording. However, by using that sole bit of evidence a fraudster can be prevented from ever succeeding again.
By using the same VB technology that allows real-time identification and authentication of legitimate customers, a fraudster’s voice can be matched with a blacklist of known fraudsters. And in much the same way that an antivirus database updates when a new computer virus is identified, voiceprints of new fraudsters are added to the blacklist.
“If you compromise a voice biometric database, then there really is no security issue because the voiceprints are just a set of voice characteristics” -Beranek
“We’re simply filtering like we would filter for malware,” affirms Goldgof. “We filter for fraudsters using their voiceprints, which can be shared among other blacklists. So even if a fraudster calls someplace else, he can be caught.”
Since nearly three-quarters of fraud at contact centers are committed by fraud rings, the relatively small number of professional fraudsters creates a manageable list of voiceprints that can be tracked and analyzed, thereby creating a profile that can conclusively identify a fraudulent call.
“Once we’ve got a bad guy’s voice in the database, we can go back and pull up the last 6 months’ worth of calls, and we can see the pattern of their behavior across time and across accounts,” explains Mark Lazar, Global Vice President of Fraud and Identity Solutions at Verint Systems.
“We profile not only the voice of the bad guy, but we look at the day of week they call, the time of day they call, the types of transactions they call on,” he adds. “We look at geographically where their calling from, what types of carriers they use, what types of phones that they use. So we build an entire profile and it turns out that fraudsters call in to contact centers in totally different patterns than customers do. So when we see something that looks like a pattern match to a fraudster and a strong match to a voice, we know that we got the guy.”
Reducing the ROI of Fraud and the Future Adoption of Voice Biometrics
No security system is completely impregnable and with enough time and resources, a smart and dedicated criminal can compromise any system devised by man. But with voice biometrics, a smart and dedicated criminal wouldn’t want to.
“Criminals are just like anybody else—‘If I can make $1000 by investing 15 minutes of my time versus 10 hours of my time, I’m gonna go with the option that only requires 15 minutes.’ It’s a very simple cost–benefit analysis,” observes Beranek. “By increasing the complexity enough, even if it’s still possible to compromise the system, it’s not worth it for them to attempt to compromise the system.”
“So what we’ve seen is a displacement of fraudsters and hackers who just don’t bother,” he notes. “They just deal with organizations that have simpler security systems.”- Beranek
Tamar Sharir, Director of Fraud and Real Time Authentication Solutions at NICE Systems, confirms this trend with an anecdote: “Recently, we had a customer interaction event. One of our customers from one of the largest banks was talking about a fraudster who would call ten times a day. Using voice biometrics, they were able to find more and more of his calls. And then he said to the other customers to the room, ‘He’s not calling us anymore, so he’s probably knocking on your doors.”
The adoption of VB solutions is likely to increase as more companies find themselves wishing to avoid inheriting what was once another organization’s problem. “A telco in Europe told us, ‘We need to get voice biometrics ASAP because the minute our competitors do, the fraudsters will go directly from them to us’,” recalls Sharir.
In the United States, however, adoption has progressed at a slower pace compared to Europe, Australia, Israel, Canada, and Mexico. Beranek theorizes that since US banks have always erred on the side of convenience, security processes are considerably less stringent in the United States. “You can look at credit cards as an analogy,” he observes. “You look at all these countries and they have chip-and-PIN for years now, and it’s significantly reduced fraud. The United States is just now slowly adopting that.”
However, with the increasing ability of voice biometrics to enhance customer experience, U.S. companies may finally be able to reconcile the pressing need for security and convenience.