BLOG - A Call Center Experience: Securing Identity Without Papering Over the Cracks

We’ve all been there. Call your bank, brokerage, phone company, or anyone with a call center and when you finally navigate to a human you follow a script somewhat like this:

[rep] “Thank you for calling, how can I be of help?”

[you] “I just need to check something quickly about my account.”

[rep] “I’d be happy to help. To ensure the security of your account, I just need to ask you a few questions.”

[you] “OK.” (You’re hoping this is as quick and easy as possible, but, security matters.)

[rep] “What is your account number?”

[you] “I don’t have my paperwork with me. I actually have multiple accounts.”

[rep] “OK, we will find you another way.”

[rep] (Some time later, after trying multiple phone numbers, etc.) “What is your social security number (or the last 4 digits of it)?”

[you] “1234.” (You are thinking that you keep being told not to share your social security number, and here you are giving it away freely. Then again, with all of the data breaches it’s probably already leaked to half the bad actors in the known universe. How much could it hurt to share once more?)

[rep] “Great. What is your mother’s maiden name?”

[you] “Smith.” (But you’re wondering… since birth certificates are public record, and social media has this information already, how could this be secure?)

[rep] “Thanks. One more. What was the name of your 3rd grade homeroom teacher?”

[you] “I have no idea. I don’t even remember what I had for breakfast” (Now you’re a little frustrated, this was supposed to be quick.)

[rep] “No problem. What was the make of your first car?”

[you] “Fiat.” (Sheepishly.)

[rep] “I’m afraid that’s wrong.” (The rep now takes on the tone of a CIA interrogator at a secret rendition site.)

[you] “You think I would have said Fiat if it was really a Mercedes?” (Getting more frustrated.)

[rep] “In what city was your high school?”

[you] “Cleveland.” (Knowing that Facebook has all of the class reunion info that definitely makes this not secure.)

[rep] “Great! You passed! I just texted you a PIN to read back to me.”

[you] “Um, OK, but my phone is against my face. Hold on. (Fumbling to unlock and switch apps, then waiting for the text to arrive). It’s 1111.”

[rep] “All set!” (In the triumphant tone of someone who just scaled Mt Everest.)

[you] “Never mind. I’m out of time. I’ll call back later.” (And repeat the process.)

It gets even worse. I’ve actually had one bank ask me what phone number they should text a PIN to – so that they could “securely identify” me. Whose number did they think a fraudster would give them? I asked them to use the phone number on file, was told they don’t have access to my records, and that if I want to be “securely identified” I need to tell them the number to send a PIN to. I needed access to my account, so ultimately decided to let them send me a PIN vs trying to explain to the rep why that didn’t make sense.

Secret Answers Aren’t Secret

Call centers have no idea who is calling in about your account, and legitimately want to protect it. They can’t rely on caller ID, since that’s easily manipulated. (Think about how many robo calls you receive with numbers that were faked to look local.) They try to challenge you to prove you are who you say, by asking “Knowledge Based Assessment” questions that only you could answer.

Of course, the secret answers aren’t secret. Companies like TransUnion amass databases and sell access, data breaches leak the answers, and most “secret answers” can be found with a simple search on Google or Facebook.

Even worse, sometimes the answers they have are wrong! I’ve been asked which was a “former address” of mine, then been given a list with no former addresses! If the companies asking would just do a web search, they would be more accurate (albeit just as insecure).

Papering Over the Cracks

The real issue is that we have broken the customer experience without adding significant security benefits. We’ve papered over the cracks; it looks like we are trying to make things secure, but customers know better. The cracks are still there. All we’ve done is add to a frustrating process, wasting time and effort. My friend Ken calls that “confusing activity with progress.”

In an age of widespread data sharing through social media, brokers selling your information, and hackers stealing it, the notion that a secret answer to a magic question counts as security is silly. The only secrets that work are the ones where the answer has never been shared. That would mean the rep asking the question would be unable to validate its accuracy, of course.

Overcomplicated Solutions

Early attempts to find a better solution than secret answers added long-term complexity for short-lived benefits. Texting PINs to a phone number on file helped, until the fraudsters adapted by hacking phone company accounts and redirecting the messages (or guessing a weak password to an email account and then retrieving PINs sent by email). The government has, for years, advised against using text messages – they are no longer considered secure enough to establish identity.

New ways to send PINs without texts were invented, but those require complicated back-end changes to associate an active PIN with a specific transaction. They also don’t work if a phone is somewhere with poor coverage. Cost and complexity increase, a new database is created with valuable PINs for hackers to attack, and the potential exists for the customer experience to break completely. Some systems, like Google’s Titan, even require you to carry yet another device around (which can be easily lost).

Voiceprint analysis and call analytics help, but are complicated and imprecise “best guesses.” In an effort to not frustrate clients, we tend to be biased to accept rather than decline uncertain results. More complexity with limited security.

Let’s Start Over

Companies need to securely identify who is on the phone, but what they really need is authorization to act on the customer’s behalf—sharing information, opening or closing an account, changing an address. Being able to capture and document the reason for a call is a plus.

We all want this done in a way that’s frictionless and that doesn’t challenge legitimate customers to “prove themselves” as though they were hostile. We want to minimize complexity, the enemy of both security and client experience. The solution has to work whether customers are online or not, without new things to carry in our pockets, and has to be flexible enough to continue working in the future.

Fortunately, a solution exists. It starts by understanding that a customer’s authorization to access or change their account begins with the customer -- not a company challenging a customer. This simple, yet profound, customer-centric realization drives everything.

In this model, customers don’t receive a challenge PIN from a company. Instead, the model is flipped: customers generate a PIN that authorizes the company to act. This is authorization based on what someone wants to do – not just authentication.

Because the PIN is generated by the customer, it can be a “Smart PIN.” We call it a Permission Code™ and it actually grants permission based on details about the activity.

The customer generates their Permission Code using an app on a smartphone, and digitally signs it. This PIN is self-documenting, expires after it has been used or times out, can be generated without network connectivity, and gives the customer total control over their accounts.

The company doesn’t need a complex back end or a database of active PINs for hackers to attack—they just need a set of public keys to validate the Permission Code’s source and authorized activity.

The result? A better customer experience with better security, less time proving who someone is and more time focusing on what they want to do. The new call script goes something like this:

[rep] “Thank you for calling, how can I be of help?”

[you] “I just need to check something quickly about my account.”

[rep] “I’d be happy to help. What would you like to do today?” (Starting with the customer’s

reason for call.)

[you] “I’d like to see if my deposit cleared.”

[rep] “Of course! To ensure the security of your account, I just need your authorization to proceed. Please open your app, select the account, and give me a PIN that allows me to check this for you.”

[you] “It says 12345.”

[rep] “Perfect. I’ve validated your request, let me get the answer for you…”