IVR banking is quite common. If you happen to’ve ever dialed your financial institution to verify an account stability or pay a invoice, you’ve in all probability used it. Along with these fundamental self-service duties, clients can use financial institution IVRs to report fraud, replace private data, verify their transaction historical past, and even change their PIN with out having to attend for an agent.
Accessing a wide range of choices comparable to these makes utilizing IVR a handy various to visiting a bodily department or ready by way of lengthy caller maintain instances.
Prospects aren’t the one ones who profit from these programs — banks can benefit from the perks of lowering the variety of routine customer support enquiries and discovering new methods to serve clients exterior of standard enterprise hours.
A lot of at present’s prime VoIP telephone providers already embody IVR of their packages, which implies banks that use these providers probably have already got entry to instruments and integrations for knowledge assortment, analytics, and superior security measures comparable to voice recognition.
All of those advantages of IVR do include some threat of further vulnerabilities that should be thought of and addressed earlier than implementation. With out the appropriate safeguards in place, IVR expertise has the potential for use for identification fraud, phishing assaults, and knowledge breaches.
How do hackers goal IVR banking providers?
Whereas busy clients and firms love IVR system, hackers love a nasty one. IVR hacking entails concentrating on sure weaknesses to achieve unauthorized entry to the system.
They’ll go after bank card knowledge, attempt to take management of buyer accounts, and even exploit the private data hooked up to monetary historical past.
A few of the commonest strategies embody tricking the IVR into pondering the hacker is a professional buyer, launching phishing assaults with automated telephone calls or social engineering ways, utilizing voice biometrics spoofing, and discovering vulnerabilities in IVR software program to interrupt into the system.
Safe authentication strategies for IVR banking
If a system is correctly secured, at any time when a buyer calls a banking IVR, they’re required to confirm their identification with no less than one authentication methodology earlier than they’re in a position to entry any account providers.
The important thing right here is ensuring that the IVR is each compliant and safe sufficient to maintain hackers out however isn’t so advanced as to frustrate professional clients to the purpose that it impacts their capacity to entry their very own banking data.
For added safety, banks sometimes require a number of layers of authentication which might be designed to foil several types of assaults.
6 authentication strategies for IVR banking
Information-based authentication
Information-based authentication is a method of verifying the identification of an individual by asking about issues that solely they might find out about. As an illustration, if an individual referred to as right into a financial institution utilizing KBA, they is likely to be requested by the financial institution to supply one among their earlier addresses or the town wherein they first met their partner.
For KBA to work nicely, banks want to verify they’re utilizing knowledge that may’t simply be discovered or deduced by way of social engineering, and so they additionally must make the questions distinct sufficient in order that clients will truly keep in mind their responses.
Offering solely hyper-specific questions generally is a recipe for frustration, so it’s necessary to maintain the questions broad sufficient to be simply usable whereas nonetheless being particular sufficient to be safe. Some programs even permit the tip person to set their very own questions and responses.
PIN-based authentication
PIN-based authentication is a quite common method for purchasers to achieve entry to their accounts by getting into 4-6 digit codes that solely they know.
When used with a banking IVR, the system routinely compares the PIN code entered by a buyer with the one which’s related to their account. If the 2 numbers match, the remainder of the IVR is unlocked, and the shopper can use the providers.
Whereas PIN-based authentication generally is a sturdy methodology for knowledge safety, it’s typically fallible due to clients who set widespread or easy-to-guess PINs. This contains when clients use the identical 4 numbers in a row or default combos like 1234.
If you happen to use PIN-based authentication, it’s necessary to remind your clients to keep away from utilizing numbers which might be related to different necessary knowledge—such because the final 4 digits of their telephone quantity or social safety quantity—since this will increase the prospect of hackers having the ability to get into their account if the IVR is breached.
It’s additionally necessary to incorporate parts within the IVR that routinely lock the account after a sure variety of failed tries. This can assist forestall brute-force assaults, the place hackers use software program packages that routinely try to log in with hundreds of guesses.
Voice biometrics
Voice biometric authentication is a comparatively new expertise that works when a buyer speaks a sure passphrase or a predefined collection of phrases into the telephone. The IVR captures the recording and compares it to a earlier recording arrange by the caller. If the passphrase and voice patterns match, the shopper can proceed.
Voice biometrics is nice when it really works, however points with low-quality voice seize and dangerous evaluation can generally result in false negatives and false positives. The primary could be very annoying for purchasers, whereas the second is a big threat for the financial institution.
In case your financial institution opts to allow voice biometrics, it’s necessary to associate with a high-quality system that has wonderful sample recognition. It’s additionally a good suggestion to coach your clients concerning the significance of offering clear voiceprints after they’re establishing their passphrases.
One-time passcodes
One-time passcodes are non permanent codes despatched to clients by way of SMS, e mail, or a telephone name to confirm their identification. When a buyer calls in, the IVR will ship a code by way of their most well-liked, registered methodology. If the shopper enters the appropriate code throughout the allotted time, they’ll proceed to the subsequent stage of service.
Though such a safety verify is normally discovered in the beginning of the IVR course of, it will also be used once more in a while as additional safety when coping with one thing of upper threat, comparable to sending a big sum of cash to another person.
The very best one-time passcodes are time-sensitive, which means that they’ll solely work for a couple of minutes or an hour, which lessens the prospect that somebody with dangerous intentions may get ahold of them. If you happen to implement one-time passcodes at your corporation, you should definitely remind your clients to maintain their knowledge up-to-date so the IVR sends the code to the appropriate telephone quantity or e mail deal with.
Caller ID verification
One of many automated methods of authenticating callers is to match their caller ID data with the telephone quantity related to their checking account. If the data matches, then the shopper can proceed previous this step with out having to actively do something.
Whereas caller ID verification will be nice for purchasers who solely ever name in from the telephone quantity that’s registered with the financial institution, it doesn’t actually work for purchasers who need to name in from unregistered numbers like work numbers or their good friend’s telephone. In consequence, most programs that use this authentication methodology have to supply different choices as nicely.
Caller ID knowledge will also be spoofed, so banks ought to take into account implementing further safety measures alongside caller ID verification to ensure that it’s truly the shopper getting by way of.
