By Shai Cohen, Senior Vice President of Global Fraud Solutions, TransUnion
E-commerce merchants, well aware that the competition is just one click away, have traditionally devoted significant resources to creating a positive online and mobile experience for consumers. With convenience as one of the main selling points of e-commerce, merchants must provide a quick and easy purchase process and flawless order fulfillment if they want repeat customers. Add in consumers’ growing concerns about data security and increasing expectations of personalization, and suddenly merchants have their customer satisfaction work cut out for them.
Further complicating matters is the need to balance a frictionless customer experience with fraud prevention in remote transactions. Merchants need to be able to quickly flag then verify or block potential fraudsters without creating unnecessary obstacles for legitimate customers.
This is where authentication comes in. Sophisticated device-based and multifactor authentication technologies can address both of these competing priorities by simultaneously improving fraud detection rates and supporting the rapid authentication of legitimate users.
But many organizations that have embraced or are at least considering these technologies for their digital channels have failed to move beyond traditional knowledge-based authentication (KBA), usually in the form of challenge questions, for the phone channel. E-commerce merchants often treat their call center as something of an afterthought—a means of contact that comes into play only for after-sales service, or if something goes wrong during the purchase process. So, they continue to rely on agent-led authentication, a legacy method that is both insecure and time-consuming.
KBA’s dual shortcomings
Contact center agents, regardless of how well trained, are highly vulnerable to social engineering from fraudsters, who can use stolen data or information gleaned from social media to answer challenge questions, gain account access, and then change online passwords and account contact information.
At the same time, KBA starts the interaction off with a tone of implied distrust and lengthens handle times, delaying service for legitimate callers. In today’s world, treating all callers like potential fraudsters and forcing them to answer repetitive questions and wait for service is a recipe for customer attrition. Consumers increasingly expect merchants to provide a seamless experience even as they interact over multiple channels—including the phone.
As the transition to an omnichannel approach accelerates, how can authentication help e-commerce merchants to both improve the customer experience and combat fraud? The recent 2022 State of Omnichannel Authentication Survey, conducted by Neustar, a TransUnion Company, provides some insights into leaders’ perceptions and priorities.
The threat landscape…
More than half of survey respondents reported an increase in fraud attempts targeting their organization’s contact center in the past year, with over a quarter reporting an increase of 11 percent or more in the frequency of callers attempting to commit fraud. Financial institutions were more attuned to fraud originating in their call centers, with 52 percent of respondents reporting being very concerned about this channel, compared to 40 percent of those from other industries.
While respondents cited websites (50 percent) and mobile apps (21 percent) as the source of most account takeovers, the share attributed to call centers (19 percent) is likely an undercount. This is because significant root-cause analysis is required to trace a connection from the call center to the digital channel where the takeover eventually occurs.
Organizations also reported an increase in the use of call spoofing and virtual calling by fraudsters attempting to defeat caller risk assessment protocols: 64 percent of respondents saw an increase in call spoofing to impersonate customers (a six-point increase over 2021), and 59 percent reported increased use of virtual call services to launch anonymous and untraceable attacks (a nine-point increase from 2021).
…and organizations’ response
More than eight in 10 respondents said their inbound call center analytics are not prepared to utilize STIR/SHAKEN data to help combat spoofed calls, with just five percent reporting having implemented changes to process and use this data.
However, other fraud-fighting measures are being more widely embraced. More than half of respondents plan to implement multifactor authentication, either by supplementing KBA with a new technology approach such as voice recognition or using the caller’s device as an authentication token (22 percent), or by replacing KBA entirely with a new two-factor technology approach (35 percent). Another nine percent expect to replace KBA entirely with a new single-factor technology approach.
In considering technologies to replace KBA, respondents prioritized reducing agent time spent on authentication, with 78 percent rating this expectation as very important. Respondents also placed a high value on reducing call center operating costs (69 percent rated this very important), improving agent job satisfaction (69 percent) and delivering high authentication accuracy (67 percent).
Desired approaches to authentication
A large majority of respondents (70 percent) expressed a preference for completing authentication pre-answer or while callers are engaged with an interactive voice response (IVR) system—thus keeping call center agents out of the authentication process. An even more overwhelming majority (93 percent) want to be able to detect fraud activity before or during IVR engagement; however, just 41 percent reported having the tools in place to do so.
In considering new technologies for fraud detection, 60 percent of respondents consider a high detection rate to be very important. The ability to alert on a first-time attack with no dependence on prior caller history came in a close second, at 59 percent—important because fraudsters are increasingly cycling through new devices. A low false-positive rate, considered very important by 57 percent of respondents, lowers the risk of flagging (and irritating) legitimate customers and allows the organization’s fraud team to focus its resources on genuine threats. Finally, the ability to support both authentication of legitimate callers and detection of risky callers in a single system (rated highly by 57 percent of respondents) allows organizations to segment callers based on risk signals and thus extend more trust to callers that pose little risk while focusing more attention on higher-risk calls, such as those from devices with SIM swaps or masked IP addresses.
Omnichannel gains ground
As the survey results suggest, the shift toward an omnichannel customer experience will also require a shift in organizations’ approach to authentication. Merchants that are forward-thinking and embrace new technology tools—authentication solutions that combine robust insight into consumer device data with authoritative linkages between consumer identity and devices, for example—will be able to both meet rising customer expectations and mitigate fraud risk.