Identity Centered Security: A Better Way to Protect Customer Data and Increase Organizational Efficiency

Have you ever logged into an online account and been asked for your mother’s maiden name or high school mascot as part of knowledge-based authentication (KBA)? Have you ever been asked to prove that you are not a robot by selecting every stoplight or vehicle you see in a photo array? Have you ever used a simple password and thought to yourself, “I wonder how many times that info has been leaked already?” In a world that has far surpassed just voice lines, these point solutions for identification (which almost every company still heavily relies on) are alarmingly ineffective and insecure. They no longer cut it from a security, efficiency, or a customer experience perspective – especially in a post-pandemic world.

Contact Centers in particular have come under attack for a number of reasons, including but not limited to:

• Physical interactions are both more secure (because of recent advances in credit card chips, holograms, surveillance cameras and more) and less frequent because consumers do more from home
• The attack surface is larger with agents working from home in unsecured locations
• Huge opportunities for grift floating in the economy due to stimulus or other incentives that are being targeted

In fact, research has found that 61% of fraud comes through the contact center – making it today’s No. 1 vector for fraud – leading to a loss of up to 58 cents per call. Stop and think about that for a minute.

Whether it’s through the contact center or elsewhere, attacks are coming from all angles…synthetic fraud (the creation of an identity to open an account), account takeover (where someone pretends to be you to take control of an account), and insider attacks (for example, an employee misuses your information, such as credit card details), among other possibilities. It’s difficult, costly, and complicated to stop these attacks – protecting customer data and securing everyday authentications and interactions – with a mish mash of point solutions that solve part of each problem to varying degrees and still often create a lot of friction on customers. Making fraud difficult for bad actors has, until now, also meant that it’s hard on customers.

The Answer: Smartphone + a Trusted Identity Network for a True Identity Centered Security Solution

Contact Centers have been somewhat limited to voice, dial pad or keyboard communications between a customer and agent, which is part of what makes them vulnerable to hackers. However, there are several key innovations that are widespread - the trick is how to make them work in the contact center.

By this, we mean the powerful tool in the hands of over 85% of consumers: the smartphone. Specifically, its sensors, high resolution cameras, touchscreens, and dozens of other touchpoints. Plus, a relatively recent but groundbreaking innovation in cryptography called the “Zero Knowledge Proof.” Essentially, this means verifying information without revealing the actual data to the other party.

Identity centered security (IDS) is built on the concept of proving who someone is versus what they know. Avaya recently partnered with Journey, a digital identity verification and authentication platform provider that is redefining customer identity verification, authentication, and security by leveraging the sensors on a user’s phone or laptop (i.e., location services, cameras, keyboards, QR code scanning) to prove who that person is faster and with far greater accuracy. Their award-winning Identity Network and Platform combined with Avaya’s composable contact center architecture is a powerhouse combo for organizations that understand this imminent, critical next stage of customer security and identity.

Let’s look at how the future of security and identity is changing and what every person – especially IT leaders and contact center stakeholders – need to know.

Prove Who Your Customers Are, Not What They Know

We’ve established that relying on what someone knows (a password, street name, favorite pizza topping, etc.) is now nearly worthless as an authenticator. Far better would be to prove who someone is using biometrics matched to another piece of information, like an identity document. If you can quickly and easily capture a biometric template for customers to re-authenticate against in the future, you’ll be able to get down to business much faster and more securely than ever before. In about two seconds in fact, rather than the industry average of 30-90 seconds.

Voice biometrics is one way to do this, but Journey also enables 3D facial biometrics, which are far more discerning and can be used with someone’s phone or laptop camera. In fact, with a flexible network approach, there are dozens of authentication options now available to choose from depending on the use case.

If you take most or all of knowledge-based authentication out of the picture, it is suddenly MUCH harder for bad actors to successfully execute synthetic fraud or account takeovers. If that information is individually encrypted and ephemeral, which Journey’s network enables, Man in the Middle attacks are out too. Hacker economics are suddenly terrible, and they will go find easier targets than you or your customers.

Protecting Customer Data in a World of Remote Work

Have you ever talked to an agent on the phone and felt uncomfortable telling the person your credit card number or billing address knowing that now that they’ve heard it, there’s nothing stopping them from using it? In traditional contact center settings, security measures like “clean desk” policies, banned pencils and paper, and the requirement to leave cell phones in a locker were enacted to prevent these concerns, but this has all changed with COVID-19.

The pandemic sent millions of agents to work from home, and the majority plan to keep them at home for the foreseeable future. Security measures in traditional contact centers cannot be enforced, which creates serious risks for any sensitive information on a remote employee or agent’s screen. Imagine the next time you call a customer service number that the agent you speak with is working in the privacy of their home. There’s nothing stopping them from using their cellphone to take a picture of your personally identifiable information like your driver's license number, credit card number, bank account number, passport number, or email address. Scary, right?

Customer service workers, and even organizations, don’t need so much visibility. Instead, companies should make it possible for agents to see the results that matter to them (ex: whether a payment went through or a document was signed) without needing to see or hear a customer’s personal, identifiable, financial, health, or other sensitive information.

Who’s Looking at Your Corporate Data?

Insider attacks are getting bolder. Another important (and quite scary) emerging threat is that organizations must go farther than ever before to ensure the person they hired as a remote customer service worker/agent is the only one working on their corporate network. In other words, making sure the person they hired is the one answering customer calls. And with the explosion of remote work and families regrouping during the pandemic, a trend is emerging in which agents hired to work remotely are sharing shifts with family members and even friends.

Traditional methods for authenticating remote workers are not unlike those required for verifying customers – usually a simple set of KBA-based log-in credentials. This means that any user with an agent’s password credentials (a family member, friend, or perfect stranger) can be admitted to an organization’s system. Once someone is in, they have broad access across customer data, apps, and other digital resources that are now extremely vulnerable.

This is another vital reason why traditional “security” methods like KBA are not a solution to the root cause of the issue. For as long as these outdated techniques continue to be used, they will continue to cost companies in time, efficiency, and level of hackability. The only way to truly protect sensitive corporate and customer data is to make sure that it’s based on proof that the person sitting at the computer is the verified employee, not just someone who got their hands on your employee’s credentials. With Identity Centered Security, your employees can even biometrically authenticate to their computers using the camera or other sensors on the machine (location, fingerprint, voice biometrics, etc.).

Take your Contact Center out of the Scope of Compliance

Security and privacy regulations like Banking Secrecy Act, GDPR, HIPAA, and PCI have guidelines that organizations must adhere to. Falling afoul of these regulations can mean enormous fines, damage to reputation, loss of revenue, and possible disaster for your customers. Compliance is essential, but expensive, tricky, and complicated. If you do it right in the contact center, you can vastly reduce your scope of compliance - reducing your risk, cost, and effort.

Let’s revisit that concept of the Zero Knowledge Proof. Journey’s Zero Knowledge Network® proves customer data is true without revealing it. This can mean sensitive customer data like health information or a social security number, any payment information, or virtually any data that would be subject to compliance.

Journey’s solution encrypts the data, verifies it from the appropriate source (a payment processor or backend database, for example) and returns a pass/fail to the agent. This means that no regulated data ever touches the contact center tech stack, and therefore takes the entire contact center out of the scope of compliance. This vastly simplifies the work of your risk management team who is responsible for compliance of any type.

Your Customers and Agents Will Love It, Too

There are many external-facing benefits of de-risking security that customers and agents will immediately notice and appreciate. Customers can authenticate themselves in 1-2 seconds each time they reach out: no passwords or silly questions needed, and the information they enter can never be seen by the person on the other end of the phone or chat.

Also, when verified identity is established between a business and its customer, those identity credentials are passed through all touchpoints (i.e., chat, email, voice) and transfers. This is a “one and done” process that allows your organization to close a deal in a single, well-designed experience while keeping transactions fast, secure, consistent, and frictionless for your customers. Combined, this creates a better total experience for customers and the agents who serve them. Contact center metrics like Average Handle Time (AHT), First Contact Resolution (FCR), and Customer Satisfaction (CSAT) will naturally improve, and a huge ROI can be achieved through the faster handle time, reduced fraud, and reduced cost of compliance.

The Future of Identity Centered Security is NOW.

Every organization has invested in security measures of different types. Journey’s network and platform allow you to easily integrate your existing tools to create a more intelligent and dynamically flexible approach built on identity centered security that will better protect customer data, increase organizational efficiency, and help reduce costs for tools that are no longer needed (like masking and purging, liveness detection, and KBA). Avaya’s innovation without disruption fits well with Journey’s technology, enabling organizations to create different experiences that are easy and simple to design.

To learn more, about Zero Knowledge, ephemerality, and encryption download this article.