Identity Fraud – Why Passwords Aren’t Enough
November 15, 2011
Identity (ID) fraud is the fastest growing area of criminal activity in the world.
The cost to the global economy is over $4 trillion (USD) annually. It is a problem of epidemic proportions. Every country in the world is affected. ID fraud is closely linked to terrorism (including 9/11) and organized crime. ID fraud is extensively used in crimes committed against financial institutions and agencies. It also facilitates major international criminal enterprises involving drugs, weapons, people smuggling and large-scale fraud.
A recently published study by the Australian Bureau of Statistics estimates that more than 800,000 individuals fall victim to fraud each year, with identity fraud accounting for nearly two thirds of these. The combined financial loss to Australia was about $977 million. The ABS says that personal fraud is a growing crime type due to the rapid expansion and availability of the internet, the increase in electronic storage, transmission and sharing of data, and the explosion in the use of social networking. These statistics reflect the experience of organizations globally, as reported by the FBI in the USA and the Home Office in the UK, amongst others.
Why Identity Fraud Continues to Grow
The phenomenal growth of ID fraud has been the result of a combination of circumstances. The availability of cheap, high-quality printing and card embossing software and machines has made paper and plastic ID documents, such as birth certificates, motor driving licenses, passports and credit cards, almost valueless as a means of authenticating identity. Furthermore, the growth and ubiquity of on-line services, both web-based and via call centers, has meant that the only means of confirming identity is through a single authentication factor, such as a password (or PIN) or, in the call center, confirmation of personal information.
The Password Problem
In the face of the ID fraud epidemic, passwords (and PINs) have become completely inadequate as a means of authenticating identity. Whilst technologies exist to secure the connection between a computer and a service, there is no way to confirm that the person at the keyboard is authorized to access the service and is not in fact using stolen password and PIN information. Having a password is no positive confirmation of identity. Essentially, businesses have delegated security to their clients, making the individual responsible for security of passwords and PINs. Not only is this practice extremely insecure, it is expensive and difficult to manage. Passwords (and PINs) are often forgotten, copied, shared and stolen. In addition, it is extremely difficult to detect if the security of a password has been compromised. And once compromised, there is the problem of re-establishing the identity of the original holder of that information.
The Call Center Problem
The issue of passwords is bad enough, but authentication issues in call centers are worse. The key information used to authenticate identity in call centers is personal information of clients or callers. Like passwords, simply knowing personal information is no guarantee that you are who you say you are.
A significant amount of personal information is readily available and visible on printed documents, such as telephone bills and bank statements, or account information that is sent through the post in unencrypted form. These documents are often readily accessible in people’s mailboxes. Personal information is also easily shared, copied or stolen. By definition, callers must divulge, and hence share, personal information with a call center agent to confirm their identity. The call center agent then knows their personal information. This places considerable privacy and security requirements on call center businesses to ensure that personal information shared with their call center agents is not misused. There have been a number of incidents where call center staff have used such personal information or sold the information to others for personal gain.
agencies are required to screen prospective call center agents to ensure their suitability before an offer of employment. This places restrictions on recruitment policies and also increases costs. Often, call center agents are recruited for their communication and interpersonal skills, not necessarily their security clearances. As a consequence there are real issues associated with finding and retaining people with suitable skills who can also pass the screening process.
The issue of call center privacy and security is not restricted to Australia. Increasingly the trend is to contract call centre functions to low cost jurisdictions, such as India. Whilst this reduces operating costs, there are significant implications for protecting personal client information, where this information might be transferred without the client’s consent or knowledge. The question here is: what protection does your ‘s privacy legislation afford in offshore call centers?
ArmorVox™ Speaker Identity System, from Auraya Systems, allows businesses to implement solutions that not only improve security, privacy and convenience for the individual, but also reduce the costs of agency and call center operations. Auraya’s technology also enhances privacy in offshore call centers, while still allowing businesses to utilize the cost benefit of operating in low cost jurisdictions.