Why Call Center Fraud Succeeds
Finding the Balance Between Service and Security
Organizations are spending big bucks to enhance their fraud-fighting efforts, relying on big data to play an important role.
But Jerry Silva, an analyst with the advisory firm International Data Corp., says that too often, organizations are spending far too much money on data they cannot put to good use, especially where fraud prevention is concerned.
"Whatever investments they're making [have to be] absolutely strategic," says Silva, who oversees the global retail banking practice at IDC, in an interview with Information Security Media Group [transcript below]. "What kind of analytics do we run through that unstructured data to get some business value out of it?"
And while Silva sees value in big data, he says banks and other organizations must be cautious.
"In my mind, big data seems to be one of those things that could potentially turn out to be data warehouse version 2, CRM version 2, where a lot of work was done and a lot of money was thrown away, frankly," he says. "That, in my mind, is the potential downfall around big data. You have to look at it very, very carefully."
During this interview, Silva discusses:
- Why call centers are easy targets for fraudsters;
- Strategic investments banks should be making to ensure compliance and address risks; and
- The fraud investments that are giving banks the most bang for their bucks.
With more than 25 years of experience in financial services, Silva has held a variety of operational, technological and business roles at banking institutions and technology providers. Before joining IDC, Silva was an independent consultant and a research director at TowerGroup, now CEBTowerGroup, where he managed the retail banking and delivery channel practices.
Where Fraud is Growing
TRACY KITTEN: Across what channels and lines of business would you say fraud is growing the most?
JERRY SILVA: I see it growing pretty much across all of the channels organically. But the one channel that kind of surprised me over the last six months has been the contact center, where you don't typically think about fraud. But I've talked to a lot of institutions that are now seeing fraud coming out of the contact center from the perspective of social engineering - fraudsters calling the contact center, getting information, accessing accounts and then going through another channel, like the online channel, to actually commit the fraud and initiate transfers, withdrawals or payments. Out of all the channels I've seen, I think that one surprises me the most.
Call Center Fraud
KITTEN: Call center fraud has been talked about quite a bit in the last 12 to 16 months. What are institutions doing to help mitigate their risks?
SILVA: That's a tricky one. Banks are in a bind when it comes to the contact center, because most of the social engineering that's taking place is during times of banking vulnerability, when the online system is down or there's a sudden rush for consumers to call the contact center for one reason or another. The contact center is probably stuck in this position of, "We're trying to please the customer, especially now, given customers' attitudes toward banks." The bank contact center agent is trying to please the customer and finds himself, sometimes, bypassing the existing process or somehow shortcutting the system, thereby unwittingly giving out information that perhaps he wouldn't have given out had the circumstances been different. I think that's where the banks are caught today, in that balance between how much do we put our customers through this onerous process of authentication of the contact center and what's that costing us from a customer-service perspective.
Evolution of Card Fraud
KITTEN: What can you say about card fraud and how it's changed in the last year?
SILVA: In years past, going back for as long as credit cards have been around, there's always been card fraud, from the perspective of a spouse, child or a friend taking card information or actually taking the physical card and then going off and creating fraudulent transactions. That then moved to individual fraud: getting somebody's account number and committing fraud that way. I think in the last 12 months, you've seen fraud on a much more massive scale, where the criminals are now hacking databases, hacking into payment systems, and are able to ... access millions and millions of card numbers, showing a level of sophistication that's just been recently exhibited, allowing them to commit fraud on a massive scale over a very, very short time period. Card fraud, in general, I think, has moved from that mom-and-pop phase, if you will, to criminal enterprise.
KITTEN: ATM risks tie into card fraud as well. Are there specific risks that you see affecting the ATM channel?
SILVA: I don't think it's anything new that we haven't seen in the past. Certainly, skimming at the ATM has always been there. Hopefully with the introduction of EMV [Europay, MasterCard, Visa standard] in this country, that will start stemming back. Where I see the ATM channel now taking place is not so much the origin of fraud but much more in terms of cashing out on the fraud, going back to my previous point where the criminals are actually gathering account information, creating blank cards with mag stripes on them, and then using the ATM again not as a point of origination for fraud but as the point of withdrawal, cashing it out. I think that the role of the ATM is a little different nowadays than it used to be with respect to fraud.
Online, Mobile Fraud
KITTEN: What about online and mobile fraud? How have attacks against those channels changed in the last year?
SILVA: In terms of the online fraud - not that any of these other channels have decreased in terms of fraud - certainly the growth is still there. But, again, I think you're seeing fraud on a much more massive scale, with regard to the criminals going in and hacking databases, gathering all this information on a much larger scale than we've seen in the past, and then using that to cash out at the ATM or to create fraudulent cards.
With online, I think it's the same stuff we've always seen, the information gathered during social engineering and being able to transfer funds in or out. What I've seen in the past 12 to 18 months is much more fraud against business than consumers. Certainly that sector has grown. I think with respect to mobile, that's yet to be seen. We're just now getting a sense for how vulnerable the mobile channel is. You can look at it as if the fraudsters are poking their noses here and there and looking for the weaknesses in the mobile channel. Unless something is done sooner rather than later, two years from now ... you and I will be talking about the massive mobile fraud that's happening in the industry.
KITTEN: How are banking institutions addressing call center or contact center risks?
SILVA: I think there are a couple of different ways of looking at this. In some cases, like from the ATM, you almost have to look at point solutions. What do I do for the online bank to increase authentication? Certainly that's going to be important for mobile as well. What do I do with the mobile channel that might be a little different than online and a little different than ATM to protect that channel? With the ATM, looking at the introduction of EMV into the U.S. is a good thing; it's very much a point solution. I think what banks have been looking at already, with regard to technology solutions, is looking at fraud from an enterprise perspective. Can we gather all of the transaction information across all of the channels and somehow make that fraud detection much more consistent?
The contact center is a little different. The contact center, I think, has more to do with people and process, and this goes all the way back to HR - hiring the right people and then training those people. How do we train them to continue to be rigid during the authentication process, regardless of what's happening in the channel? Maybe you have to look at compensation policies, because you know that on the contact center side, cross sales are very important. If you're rewarding folks based on things like cross selling, where they want to plead with the customer during the phone call or if you're facing bonuses or any kind of performance metric against queue waiting times - how long are customers waiting before they speak to an agent - you really have to look at those things. Am I willing to relax some of those constraints, relax some of those metrics during the time of an online banking outage, let's say, to essentially give the agent permission to leave people on the line longer and maybe not live up to their customers' expectations, with regard to service so that you're not being more relaxed on the authentication side?
For most banking channels, it's about technology and enterprise; but the contact center is a little different. The contact center is much more about how are you doing things, rather than on what kinds of technologies are there.
Fraud Prevention and Customer Convenience
KITTEN: I know you've touched on customer satisfaction and customer convenience. From a fraud-prevention perspective, do you think that banking institutions are approaching it correctly? Are they focusing too much on compliance and customer service and not enough on security?
SILVA: That's a tough one. You have to comply with regulations. From that perspective, banks are spending enormous amounts of money today complying, and it's almost a catch-22. If they're focusing too much on regulatory compliance, maybe they're not spending enough on security and anti-fraud, which then gets them in trouble, and then here comes the government with more regulation. It's difficult striking that balance. I think that gives them the appropriate amount of time and investments on both sides. It's a tricky task.
I do know banks are implementing technology solutions. I do know banks that are starting to look at or have looked at fraud from an enterprise perspective, a cross-channel perspective. I think some of these emerging areas might need a little more focus, with regard to social engineering at the contact center. What do we do about mobile going forward? I think most of the institutions have the right amount of balance, when it comes to the big-picture things: security, regulatory compliance and enterprise fraud detection. I think it's some of these up-and-coming things that they may want to spend a little more time and investment on.
KITTEN: In what technology are banks making their greatest investments?
SILVA: You almost have to divide that question into two things. If you're looking at absolute spending, it's going to be a different take. Banks are spending a lot of money these days on things like risk and compliance; that's a huge, huge focus for investments. But in terms of where you see the new investments, I see a lot of banks looking at the continued push on what to do on social media. What do we do in security, in terms of these tactical things? What do we do in mobile? How are we investing our money in the mobile channel, not just phones, but other form factors like tablets? Is the tablet a fundamentally different channel than the phone?
I also have seen a lot of strategic interest in areas like cloud computing. How different is cloud computing from what we already know as third-party outsourcing, as well as big data? Big data is a huge subject right now. I'm not sure if it requires a whole lot of investment; but whatever investments they're making [have to be] absolutely strategic at this point. Are we talking about big data with regard to what we can gather from the social media sites? What kind of data can we get from Facebook, for example? Then, what kind of analytics do we run through that unstructured data to get some business value out of it? Large amounts of money are being spent on the old tried-and-true things like compliance, but [there are] a lot of very strategic investments when it comes to "the new innovations" around cloud, big data and mobility.
KITTEN: Do you see banking institutions are investing in the right types of solutions? Is it misguided to be focusing so much attention on big data and mobile, for instance?
SILVA: I don't think it's misguided, and I don't think a lot of money has been spent, yet, on purchasing solutions in those areas, particularly in things like big data. I think the smart investments are the ones they're making now with regard to people, saying, "Do we have the right people in place?" Are the institutions going to be able to look at these things and know for sure that future investments are going to be spent wisely?
The only one I would caution on is big data, because, in my mind, big data seems to be one of those things that could potentially turn out to be data warehouse version 2, CRM version 2, where a lot of work was done and a lot of money was thrown away, frankly. While it led to a better understanding of analytics, the topic was overspent on. That, in my mind, is the potential downfall around big data. I do believe there's value in this thing we're calling big data, but I think you have to look at it very, very carefully. Right now, it's not solutions-based as much as that kind of discovery process. I think the banks are spending, for the most part, the right amount of money in that space.
KITTEN: What technology trends do you see emerging this year?
SILVA: We've talked about big data and mobility, and certainly banks are continuing to spend time and money on those areas, and those are trends that are in process right now. The one that I've kind of looked at as being very interesting is around core transformation in the U.S. banks. We're seeing a couple of foreign banks, Sovereign Santander, for example, or BBVA Compass, where they're starting to upgrade their core systems in a completely different environment than the one in which they were developed.
We've always talked about why the reason for replacing the core was to get away from batch [processing]. The existing batch kind of limited our product availability and the kinds of products we could deliver. It would be interesting to see what happens with those two banks specifically. It's one thing to quote an example from Spain and say "This is what real-time core meant to them." But you're in a different market here. I think those two banks have to prove the value of the core replacements. It's a lot of money invested to do that. Careers are at stake when you're replacing a core system, particularly at a large regional or a national bank. That's going to be one of the very interesting things that will play out over the next 12 months. How is the core replacement helping out those two specific institutions? Will we be seeing product innovation, something that other banks can't do without? Is it going to be just a very expensive experiment that fundamentally doesn't change the game in the U.S.? I've kind of got my eye on that particular topic over the next 12 months.
Advice to Banking Institutions
KITTEN: What final advice would you offer banking institutions?
SILVA: Being an ex-banker myself, I always tend to favor very careful investigation of things like cloud and big data, and making sure that we're not overzealous with regard to those kinds of things. Certainly, we've got other things on our plates around compliance and around fraud to keep us busy for a while. ... I think the overall topic of personnel efficiencies or personnel effectiveness is a very interesting one as well. Are we using our people to the greatest extent, especially with the branch in question today? How can we leverage the experts that we have in the contact center, without manning every single branch with every single kind of expert we have? We've got those kinds of keeping-the-lights-on topics, which are taking a lot of investment and a lot of focus; but we don't want to lose focus on the new stuff, either. It's just a question of how do you balance those two things out. Again, this could be just me, the old banker, saying we need to be a little conservative; we need to make sure we've got the business value in sight when we do these things.
But the one good thing about today's technology is that it does let you pilot; it does let you experiment and do proof of concepts, rather quickly and rather cheaply, and to expect failures. That's the only way you can learn. If you want to play with social media for a while, do that; but you have to make sure that your mindset is one that says, "If this doesn't work, we can stop it, we can change it, we can modify it and we can be agile with regard to how we implement it." You've got to make sure that the day-to-day stuff is rock solid and that you're open to experimenting with new innovations.