Network Authentication and Fraud Prevention 101 – How can it make a difference to your call centre?
Network Authentication and Fraud Prevention use signalling data from a phone call either to confirm that the call originated from a device known to be in possession of the customer (authentication) or to detect when the call has originated from a device, location or network indicative of suspicious behaviour (detection).
Matt Smallman provided an educational session with real-life examples provided by Chris Wade.
Matt’s presentation was followed by a question-and-answer session with Chris Wade from Smartnumbers.
Matt is the author of “Unlock Your Call Centre: A proven way to upgrade security, efficiency and caller experience”, a book based on his more than a decade’s experience transforming the security processes of the world’s most customer-centric organisations.Matt’s mission is to remove “Security Farce” from the call centre and all our lives. All organisations need to secure their call centre interactions, but very few do this effectively today. The processes and methods they use should deliver real security appropriate to the risk, with as little impact on the caller and agent experience as possible. Matt is an independent consultant engaged by end-users of the latest authentication and fraud prevention technologies. As a direct result of his guidance, his clients are some of the most innovative users of modern security technology and have the highest levels of customer adoption. He is currently leading the business design and implementation of modern security for multiple clients in the US and UK.
Only available to signed-in members
[00:00:00] Matt: Good afternoon and, and thank you very much for joining this afternoon’s Modern Security Community session. I, I’m Matt Smallman. I’m the author of the book, Unlock Your Call Center and my work is helping organizations improve the usability, efficiency, and security of their call center, Identification, Authentication, and Fraud Prevention processes.
[00:00:16] But that’s a bit of a mouthful. So put a bit more simply. I do everything I possibly can to help people eliminate those time consuming, frustrating, and often pointless security processes wherever I find them, which is what led to the formation of this community and today’s session,
[00:00:38] Whilst I think my client’s results speak for themselves, there are only so many hours in a day. So I wrote the book, Unlock Your Call Center to provide a framework for others, hoping to improve their organization’s security processes.
[00:00:49] And recognizing it takes a village to raise a child founded this community to allow practitioners to share their experiences, to identify best practice and promote the application of modern security in a safe environment where you can be sure that other participants are your peers. I’ll come onto what the term modern security means a little later in my presentation.
[00:01:09] What I’m really hoping to do is to spin this flywheel, engage people who want to or are making the change, provide them with the information and support they need to make that change, which enables them to ultimately deliver it, have impact on their organizations and customers, which in turn provides the stories, information, and support that others need to make their change in their organization..
[00:01:32] Today we are going be talking about Network Authentication and Fraud Prevention. And over the next 20 minutes or so, I want to provide a primer on this technology and how you might apply it to your contact center. I’m incredibly excited, uh, about the potential impact of this technology on customer authentication experiences far beyond the kind of traditional financial services organizations that I have worked with and traditionally purchased this kind of advanced technology, and we’ll look at more of that, why that’s important in a minute. I’m also gonna provide a bit of context on Modern Security, having a look at the background for this technology, and then spend some time in those Fraud and Fraud prevention use cases afterwards.
[00:02:11] I’ll be joined by Chris Wade from Smartnumbers, one of the pioneers in this field who’ll be able to answer mine and, and your questions on the realities of this.
[00:02:21] Matt: So how do we even get here? First off, uh, and this is what this chart is supposed to illustrate. I think we all intuitively recognize that there’s a trade off between security and convenience.
[00:02:32] As this background hopefully illustrates the most perfectly secure system is almost certainly completely unusable and the most convenient security is probably no security at all. So we can draw a trade off that looks a bit like. . Now, nearly every organization requires some security, but particularly when we’re serving customers remotely, we want that security to be reasonably convenient.
[00:02:55] Uh, and when we started operating call centers, we took what was at hand knowledge, knowledge about our customers, and we implemented what’s known as knowledge-based authentication. Questions like date of birth, and mother’s maiden name. And they are probably appear about here on this chart. Now, unfortunately, this presents a few challenges.
[00:03:12] Some organizations have higher security requirements and they’ve implemented additional methods, generally accepting some form of trade off for less convenience, uh, for more security for those transactions that need them. We can think of things like PINs and passwords maybe here, uh, and things like SMS one time passcodes and, uh, authenticators, uh, hardware authenticators here. More secure, but less usable. I think we’ll all agree.
[00:03:37] Unfortunately, this relationship presents a few challenges. First off, from an organization’s perspective, it’s difficult to move these dots to optimize for your customers and organization’s real needs. How do you make a password a bit more secure or a bit easier to use if that’s what customers are asking for, or you, your organization needs to stop fraud, but more importantly, from an external perspective.
[00:04:01] They’re not really fixed at all. Our customer’s perception of convenience and usability is increasingly driven by their experiences in other verticals and modalities. The fourth, eighth, and 12th letter of my password was never that convenient, but didn’t seem to be a problem a decade ago when I couldn’t unlock my phone with just my face.
[00:04:20] But now I perceive it to be significantly harder that my bank makes me go through this effort. And fraudsters didn’t stay idle either. They exploit the same technologies our organizations use to become more efficient and scale their operations accordingly. Sending millions of texts and emails every day to trick customers into handing over these precious pieces of knowledge.
[00:04:43] Ultimately, I believe these security methods trend to zero. They’re neither usable nor secure in the long run.
[00:04:49] What we need is a new relationship, a modern relationship, one that provides higher levels of convenience at any given level of security. And importantly, gives organizations the ability and flexibility to choose exactly where on the curve they want to operate in order to meet their unique needs.
[00:05:06] And I call this Modern Security. Before we get onto that, just to recap a little bit, uh, and the different terminology I might use.
[00:05:14] Matt: When I talk about traditional security, I’m usually talking about knowledge-based authentication, the kind we’re all used to my mother’s maiden name, my social security number, my date of birth, information that when we first started to operate call centers, um, was reasonably secure, mostly through its obscurity. Very few people knew it.
[00:05:32] Then it was hard to find out that now has. Everyone is providing service remotely. Everyone wants to know my mother’s main name and date of birth, and you could probably go and figure both of them out right now from Facebook or LinkedIn. Account based questions, similarly, when we only dealt with one or two organizations, were never that easy to remember, but at least they were few and far between, but now have become increasingly hard, uh, and increasingly easy for fraudsters to obtain information relating to.
[00:06:01] Some organizations, of course, recognize this and traded usability for security, and that’s what I call transitional security. First off, they start with PINs and passwords, maybe SMS one time pass passcodes or even hardware authenticators, and they did provide significantly more security.
[00:06:19] For a time, but as fraudster, techniques and technologies evolve. The real, their real security value has declined, and when compared to advanced methods, their usability is significantly lower.
[00:06:31] Now, I need a password for everything, so most people, myself included, use the same or handful of ones for nearly every service I interact with and will gladly hand it out or add it to any new service. I might subscribe to.
[00:06:44] And organization still can’t make it more secure. It’s deterministic. I need a whole new scheme if I want more security with all the cost, complexity and disruption that entails. More recently, more organizations have started using SMS and fraudsters have followed them down that route.
[00:06:59] So if a fraudster, can’t intercept it, the volume that I’m asked to use on a daily basis means that the chances of some or at least a few customers handing out the that information to fraudsters when they call, is quite high.
[00:07:11] And don’t even get me started on hardware authenticators, the ultimate usability for security trade off. I have a draw full of them right here, but I never have them on me the, when I need them.
[00:07:23] Which leads us on to Modern Security and the Modern Security methods that we talk about are Voice Biometrics, Network Authentication and Fraud Prevention which we’ll cover in far more depth today and Behavioral Analytics.
[00:07:36] Matt: Now all of these methods have some important properties that can be used to provide a significant and sustainable improvement in security and usability over those traditional and transitional methods. First off, they’re passive. They require little or no customer interaction, significantly improving usability and hence adoption by both customers and agents.
[00:07:57] They’re probabilistic. They largely express their results in terms of confidence that the subject is who they claim to be. Allowing organizations to establish an appropriate risk appetite for any given transaction.
[00:08:08] Their dual purpose, they can be used for both authentication and fraud prevention purposes. So whilst an organization may prefer, and I certainly prefer authentication over fraud prevention every time, they can also be used separately, or in addition for those callers that where it’s appropriate for fraud prevention and they’re continuous, they’re usable at different stages of an interaction, they can sometimes increase their confidence over time, and they provide organizations with a capability of providing strength through depth.
[00:08:37] So let’s take a little bit more look at Network Authentication and how that fits into this Modern Security approach.
[00:08:46] Matt: To start off with, I want to look at how a call actually gets from your customer to your call center. When your customer picks up the phone to call your organization for service, they dial a number on their device, and that obviously goes to nearest cell tower, which is connected to the operator’s backhaul network, which at some point or many will connect to a national carrier, which will eventually deliver it to your enterprise’s telco, which will ultimately deliver it to your switch or to your internal network.
[00:09:14] Now, whilst there is obviously the voice stream that your IVR and agent interact with, there is also a significant amount of associated data that allows the network to route the call, and importantly from their perspective, make sure that everyone gets paid for their part of it.
[00:09:27] First off, no, no cell operator wants to allow somebody else’s devices onto their network without the right authentication and hence link to a bill. So the cell tower makes sure that the device that’s connecting to it is cryptographically proven to be the one that it’s claiming to be both the device and the sim inside it.
[00:09:45] The mobile network wants to find the most efficient route to the network, to the national carrier who wants to make sure that the mobile network gets billed for the work it’s doing and the service it’s providing. And then they want to find the most efficient route to the telco, to the enterprise Telco, who wants to make sure it’s delivering and charging the customer correctly for the service.
[00:10:04] And because this isn’t one way communication, a single message, each node in this network needs to know what happened before it and what happens after it so that the route can be maintained. Now, in most cases, all the data you see from this is the caller ID or ANI that’s provided to your switch by the carrier.
[00:10:21] And this is one of the real problems with this approach, because this data, that data that you see is just relayed from the originating party through every other ones with very little validation or checking. Uh, it’s not part of the routing that’s critical for the voice stream or the carriers getting paid. So what Network Authentication and Fraud Prevention does is, is look behind those numbers, is to look at what’s happening underneath in the network to assess the likelihood that the call is originating from where, it claims to originate from, and to identify any other behavior that might be considered, uh, anomalous or indicative of fraud.
[00:10:56] Now, of course, this is a massive oversimplification of what is an incredibly complex network that’s evolved over probably close to a century of, uh, international telecoms. Um, but it’s sufficient for our purposes right now. And as we delve into Network Authentication in more detail, it may be appropriate to go and look at, at some of the detail underneath this, uh, in a little bit more. Suffice it to say though, this will work for today’s purpose.
[00:11:22] Matt: When we think about Network Authentication and Fraud Prevention, I, I, I like to think about the analysis it does in in two buckets. The first off is what I call Providence. That’s about right here, right now. What can I tell about this particular call and this caller.
[00:11:36] Analysis of the data enables me to understand whether the caller originated from where it claims to originate from, whether it was spoofed or not. Uh, I can check whether I know this caller either as a fraudster as a customer, and I can combine it with other sources of data, such as mobile number or network intelligence, or to, to give me some insight as to who this customer might actually be, where they’re located, or even in some jurisdictions who they uniquely might be.
[00:12:01] And the second bucket is behavioral. Observing this caller over time, what can we understand? Have you seen this caller before? How often do they call? And at what frequency? And what is that indicative of? Which accounts or customers does this caller claim to be associated with? And and similarly, what does that tell us about their legitimacy of their behavior?
[00:12:21] And all of this data gets combined together to inform an authentication or fraud detection decision appropriate for your organization. So we’re gonna look in a little bit more detail at both of those use cases and how this data might actually get used. The first, and I think the most simple is authentication.
[00:12:40] Matt: Whilst many organizations conflate these processes, ID and V, data privacy security. I think it’s important to make a distinction between Identification and Authentication. Identification is the process of establishing which customer in your systems this caller is claiming to be. And Authentication is about being sufficiently certain that they are who they claim to be, to carry out the service they request.
[00:13:03] In the case of Network Authentication, the Identification step is most often carried out using the caller ID or the ANI. Now whilst everyone in the network gets to access this data, they have privileged access to this, and we only get to see this data as the end user if the subscriber allows us to access it and they don’t withhold it.
[00:13:23] Uh, historically this was always a challenge to understand where these calls were originating from, but in a recent snapshot we did with Smartnumbers, we’re able to identify that more than 97% of callers to UK organizations disclose their number on calling. The second challenge then is having got the number I need to figure out which of the unique customers in my system of record it relates to.
[00:13:46] Now, there may be many people in my household, there may mean many people phoning from a single corporate exchange, but fortunately, um, we also discovered that 76% of customers called using a mobile number. And we increasingly know that customers view their mobile number as a number for life and that they are increasingly prepared to. To use that for service provision rather than any home or fixed line phone. In many cases, many younger generations have no fixed line phones at all, and they’re entirely dependent on their mobile, the number for which they intend to keep for, for posterity. Uh, and this simplifies the problems. Immensely.
[00:14:21] Now, I, I can personally attest to the challenges of managing customer data, uh, but I think just having this one mobile number, uh, allows very, very easy searches and is usually of higher quality than some of the, the legacy numbers we might have captured for people’s home phones and the like. Mostly because if it’s not, it can’t be used for purposes like text, text messaging.
[00:14:43] Matt: The final key then is that network Authentication analysis solution itself needs to confirm that the number being claimed in those ANI and CLI fields that we receive from the carrier, which remember are not validated, that we can’t really trust is originating from the number that it claims to do, and that there are no other anomalies associated with their call.
[00:15:03] And in this case, we should consider the caller authenticated as a customer for most purposes.
[00:15:09] Importantly, and I think the critical power of this technology is that that can happen pretty much instantaneously and, and certainly quicker than it’s gonna take you to, thank the caller for calling you today. Or to ask them what they’re calling about or to tell them about their options in your, in your menu system. Which means the call is authenticated right at the start, and subject to knowing what it is they want to do, we can route them into some of the amazing self-service features and capabilities that are available.
[00:15:34] I always find it amazing to look at the sheer volume and capability that exists with natural language understanding and speech driven systems today to have that real conversational discussion with customers. But, importantly, we can’t really do anything for th those customers until we’re certain that they are who they claim to be. And that really is the powerful feature of Network Authentication and why I think it’s gonna be so impactful for so many organizations as they invest in these self-service technologies.
[00:16:04] Matt: Before we move on to fraud prevention, I do want to add a few slight caveats. We are clearly dependent on the possession of the device, which leads to two risks.
[00:16:12] The first that a related party could access it either innocently or maliciously and be incorrectly authenticated. Uh, as the customer. This is an age old problem, the husband, wife problem. Uh, and whether it needs mitigation really depends on the type of service you are providing. My wife knows all of my passwords could access all of my services and I don’t really have a problem with that, and neither is there a lot of risk to those service providers.
[00:16:36] The second, perhaps more concerningly, is that the physical theft of the device, or its electronic signature through the SIM, could allow an imposter to authenticate as the customer, and again, the impact of this risk depends on the nature of your business, whether it’s worth the, the fraudster to do that, and whether you have the protections against identifying whether the, the, the device itself has been changed.
[00:16:56] My, my expectation with both of these is that these, this kind of low risk interactions common in nearly every industry, um, don’t require any stronger authentication, but that’s clearly something that, um, organizations need to decide for themselves. If you think mothers maiden name and date of birth is secure, then I guarantee you this is more secure.
[00:17:18] In some cases, however, it may be appropriate for organizations to implement some additional step up authentication either because they’re the risk of all their transactions or the risk of a certain number of transactions is, is more significant.
[00:17:29] And that leads me to this diagram here on the left, taken from Unlock Your Call Center, the sweet spot for Network Authentication. And where it really provides us value is in the, the huge number of low risk, low frequency interactions that every service organization has to deal with. Day in, day out,.
[00:17:46] Yes, there are more frequently calling customers who may be appropriate to enroll in Voice Biometrics solutions because the risk of the interaction or because the length of the relationship makes that worthwhile. Uh, and because the risk of imposters or related parties authenticating, but in many cases that that’s overkill and, and the complexity associated with it really prevents those organizations from delivering better authentication experiences.
[00:18:14] Matt: So moving on and looking at the other use case, Fraud Prevention.
[00:18:18] I think it, before we look at the, how we use network data in this, I think it’s important to remind ourselves the role the contact center can play in fraud. Here’s our typical fraud cycle and, and I think the contact center play different roles here.
[00:18:33] If we look right at the start, we can see this acquisition phase. Now, many times fraudsters have obtained some information relating to a customer and they need more information in order to properly compromise that customer, whether that be with you or with a third party, their bank or another service provider, and, and our IVRs are ripe for that because often we just recognize an incoming number.
[00:18:56] You can enter an account number and our behavior will be different if we recognize it versus if we don’t recognize it. And that’s an easy opportunity for fraudsters, to, um, figure out which data is valid and which data is not valid. Um, if they have obtained pins or passwords from the dark web to test those to see if they provide access to the account or not, uh, in an unattended situation, and one in which we have very little data and unlikely to detect very well. So that’s, that’s the impact in the acquisition phase.
[00:19:23] In the reconnaissance phase, if I’m trying to understand a customer and their behavior better, maybe to gain additional data or to, uh, escalate the privileges in a, in a channel. The reconnaissance phase again in IVRs allows us to understand what the customer’s balance might be, the date of payments they’re making, what the bank, those payments originate from the cell provider they might be using. All of which helps the fraudster build a picture of this user, which allows them to be compromised either through this, the phone channel with you, through your online or mobile channels, or to take that data to a third party and compromise them in, in, in that location.
[00:20:00] And this often leads to our iceberg analogy. In many companies I speak to, there is little or no fraud in the telephony channel because they’re just as, there is just very few transactions that have enough material risk for it to be worth people’s while to do it. So, so very little is identified or detected in that channel because, It doesn’t appear to happen.
[00:20:21] But actually those channels are being used to get the information that enables your customers to be exploited in, in either your other channels, um, or with other service providers. So the iceberg analogy is, is really important here and, and this is one of the unique properties of Network Authentication that.
[00:20:38] Almost instant decisioning, uh, allows us to make decisions about how we treat calls and what services we do or do not provide to them. And after the effect to understand the impact and the relationship between different customers and potentially different customers who’ve been compromised.
[00:20:55] Matt: So it’s important to just go back and just look at those two buckets of analysis that we can provide and how those might apply to the fraud prevention scenario.
[00:21:03] So we have the providence, the stuff we can tell right here, right now. Spoofing of itself may not be indicative of fraudulent activity, but spoofing from some, some networks and some sources is more indicative than others. Some fraudsters may be known to us and some fraudster may be known to other providers, if we can see underneath the number, sorry, if we can see underneath the number, we can tie together even those callers who haven’t disclosed their number to us, such that we can see that they are the same known bad actor and either prevent service or, or do something about about it, which we’ll come to in a second.
[00:21:36] That’s different. That kind of deterministic category is slightly different from our more behavioral analysis of the type of activity that is likely to be fraudulent. Have we seen this customer before? Is this number generally associated with this account? How frequently is this number, whether disclosed or undisclosed to us, um, seem to be calling us?
[00:21:54] How, how many and which accounts does it appear to be related to? Now, this again, is a gross oversimplification of some of the amazing work done by the data scientists under the hood of this technology but it gives you an indication of the sort of thing that happens and
[00:22:08] Matt: The general output of that is some form of score. And, and what we would generally expect and colored green for this, uh, specific reason is that that 90 or more percent of our calls are going be categorized as low risk. They almost certainly are coming from the number they claim to be, and there are no anomalous behavior associated with it, indicative of fraud.
[00:22:29] A proportion, mostly for behavioral reasons, will be assessed to have some greater risk. And the degree of risk within that is variable. And the actions you take within that are variable and a smaller and often infinitesimally small in terms of percentage points, maybe even less 0.1 rather than 1% here are deemed to be very high risk, almost certainly fraudulent activity, either because they originate from somebody we know from a call or source or point origination we know to be fraudulent or because other parties have told us about the fraudulent activity or, or it’s just really, really obvious in, in this interaction.
[00:23:06] We then need to determine what to do with with that score. And this is, I think, which leads on to the, the considerations and these will vary immensely between industry, uh, and, and, and situation and, and company and even country.
[00:23:21] Matt: A few things just to consider and, and. I’m not gonna go into too much more depth here, but the first off is about watch lists.
[00:23:27] How do we build, maintain, and sustain a watch list of known bad actors? Do bad actors really recycle their numbers or do they keep coming back to us? Uh, and importantly there, I think one of the really valuable things that the organizations are starting to do is to share between each other. And hopefully Chris will talk a bit more about that, uh, later.
[00:23:46] Just because somebody’s in our watch list almost certainly means that they’re. They’re likely to target other people later. Those devices are likely to be used, uh, by against other organizations, and by sharing that information, we can be far more effective at identifying and preventing fraud, which leads on to the next thing.
[00:24:03] What do we actually do when we get that score? I think the, the immediate reaction is you stop it dead. But if you, and you refuse and deny service to that call, but that’s really telling the fraudster everything they need to know about our methods and, and means, and, and will invariably result in them picking up another device and using that, uh, to carry out a similar attack.
[00:24:22] It doesn’t really stop them and it doesn’t really protect any of the customers or accounts that they’re attempting to compromise. Most often we see, uh, and recommend is that, This behavior is observed, uh, and that the accounts that are compromised are protected in some other way, whether that be by, uh, restricting the activity they can do by changing credentials associated with the, by informing the customer themselves. Uh, but again, something you need to consider when implementing this technology.
[00:24:48] Uh, another is, is, is this information itself sufficiently. Powerful to actually act on, or does it need to be combined with other data sources to make it, uh, effective? Um, and again, in some organizations we see that’s the case, is like they, they see so many, um, uh, spurious calls for quite legitimate reasons that they can’t act on them unless there’s some other indicator of fraudulent activity.
[00:25:13] So again, those scores can be ingested inside other fraud prevention and detection systems. Which leads on to how, how much effort do you really put into investigating those calls? And, and we see two kind of types of work take place in this space. We see a kind of an immediate amount of work that needs to take place in order to, um, allow transactions or to unlock accounts that may have been locked as a result of identifying fraudulent activity.
[00:25:37] And then we see a longer term investigative effort where potentially fraud is being reported to us, and by looking back over the data, over time, we can see that this number or this caller was associated with that fraud. And it’s also associated with a number of other customers and accounts, which may not yet have either identified or even been defrauded, and we can then do something, thing to protect it. So the investigative model, operating model needs some consideration.
[00:26:04] Uh, and then finally, I, I say use model a few too many times possibly, but sitting underneath most of these things, and I’m sure Chris will talk about it later, we’ve evolved from a kind of rules-based model into a machine learning artificial intelligence, and those models always need data. They need data to train them, to tell them how to operate, tell them what a fraudster looks like, like, and what a genuine caller looks like so that they can be more effective the next time. Um, they’re asked to make a decision.
[00:26:32] Matt: Just to recap before we move on to the questions then Network Authentication and Fraud Prevention is, is an incredibly potent set of technologies that will enable far quicker authentication and far more effective fraud prevention decisions for organizations.
[00:26:47] In the case of authentication. It really is dependent on good quality data. Like if you don’t have the mobile numbers for your customers, then it’s gonna be hard to identify them. We can be very sure that the number is coming from that mobile number, but if we can’t link that with a customer, then it can be challenging. But the powerful impact is really that instantaneous decision that enables self-service of the kind that we really want to deliver to customers, that prevents them needing to speak to agents.
[00:27:14] We are really on the cusp of some amazing breakthroughs in natural language understanding and artificial intelligence. That allow us to deliver conversational experiences to customers like, like never before, as good as if not better than some of the conversations they might have with our agents. And the opportunity to both save cost and deliver better experiences is, is significant, but it hinges on Identification and Authentication.
[00:27:39] Finally, then you must also evaluate the related party risk. This is not right for every situation, uh, but I would argue that in many it is, it is the perfect form of authentication.
[00:27:51] And on the fraud prevention side, it’s a very powerful and effective tool for identifying this hidden fraudulent activity. It does however produce a probabilistic score, and that needs to be connected somehow to some form of activity.
[00:28:04] The biggest consideration really is about how, whether that should be a standalone solution or combined with other mechanisms as part of an overall protection against Fraud.
[00:28:13] So with that, uh, I’d like to thank you for listening to, to my short part, uh, and jump right over to our discussion, uh, with Chris, uh, who is waiting on the line for us now. Hi, Chris.
[00:28:24] Matt: So, um, could you just give us a quick introduction to yourself? Tell us a little bit about yourself before we get started.
[00:28:30] Chris: Yeah, so I’ve worked at Smartnumbers for past four years.
[00:28:35] I joined when Smartnumbers Protect was very much in the early stages. And as the product has matured and our customer base has grown now, like I say, I look after the risk model that powers Smartnumbers protect. . So that means I spend a lot of time with our machine learning and data science teams internally, but also still very much on the front line with our customers, speaking to them nearly every day, helping with their fraud prevention and Authentication challenges.
[00:29:02] Matt: That’s awesome. So, so just, um, how did you find yourself in this area? They’d start off with, it’s, it’s like it’s new thing, isn’t it?
[00:29:08] Chris: Well, so I, I’d worked at fintechs and in financial services long before joining Smartnumbers. So I was never, never really too far away from it. And then when you get a chance to help fix something that is very, very broken, you’ve really gotta take it.
[00:29:23] So on one side you are stopping fraud, which, we know, rips apart people’s lives. And on the other side you’ve got authenticating yourself over the phone, which everyone knows is like you say, terrible. I mean, when I, when I explain to people what I do and what Smartnumbers does, As soon as I say, oh, you know, when you phone your bank, you see this red mist come down, that so many people have had so many bad experiences and they, they just really stick with you.
[00:29:51] Matt: That’s all you need to talk to my mother-in-law, that, that’s literally the, the conversation every time I walk through the door, it’s like, what are you doing about this? Now.
[00:29:58] I, I was gonna ask you what excites you about your job, but it’s clear that, that that’s the bit that excites you about your job. So I think it’s worth just going on to our, to, to our, to our questions.
[00:30:06] Then, um, obviously calls have been flying around phone networks for a long time, so, so why, why now? Why, why hasn’t this been done for years?
[00:30:16] Chris: So, Smartnumbers is a tech company, but our heritage has always been as a, as a telecoms company. So for a long time, our core products was focused around core deliverability and operational resilience, making sure calls always get delivered, which is still a core part of Protect.
[00:30:32] But as we were running the telephony for big banks, obviously they’re experiencing fraud on some of these calls. Now we’re an Ofcom regulated network provider, which means we got access to that carrier level data that customers can’t see. And you, you talked about a few slides ago, so customers were coming to us with requests to ask what could we see on those calls.
[00:30:53] For example, you know, a withheld call and after this happened enough times, we really took that as a signal that this is a real problem out there for organizations that need solving and it’s very clearly not being solved by any of the other network operators.
[00:31:08] Matt: That
[00:31:09] Matt: that’s, I mean, that is, that’s how I came across you guys as well. So it’s, it is really interesting. Would you mind just telling us some of those first customers? What, what kind of, what kind of impact have you had there?
[00:31:19] Chris: Well, the impact was, it was nearly immediate. So in one pilot we ran in the first month, we were able to link hundreds of what looks like to them completely unrelated calls.
[00:31:30] We were able to link them all to one fraudster who committed half a million pounds worth of fraud. In other organizations, we’ve pulled out very clear patterns of that IVR reconnaissance he talked about earlier, and we could link that to fraud that the banks had no idea, had even touched the telephony channel, which, like I say, showed them the scale of the fraud happening and how much bigger telephony fraud is than they thought, like you mentioned.
[00:31:54] And we also saw through the Smartnumbers consortium that the same fraudsters attack multiple banks. They, they don’t have brand loyalty. And getting organizations collaborating to stop fraud is such a powerful tool, getting everyone working together.
[00:32:10] Matt: I mean, I, I, unfortunately, I’m, I’m, I’ve been on both sides of this, uh, this problem. So I, I’m a little bit of a cynic and I would say, I mean it, what, what, it can’t all have been plain sailing . What, what didn’t go quite as you expected, ?
[00:32:24] Chris: So, in, in the early days, we had a, we had a rules based system. It was very, very heavy based on certain rules that were either true or false. And one thing fraudsters are very, very good at is spotting rules and working, working around them.
[00:32:38] So if you put in a rule that you have to wait 48 hours after adding a payee, then frauds will wait 49 hours and then just commit the fraud anyway. So we learned about the adaptability of fraudsters and maybe we underestimated them to begin with.
[00:32:51] And the other thing with those black and white rules, it’s not that clear cut call frequency on its own doesn’t necessarily mean that something is fraud. There are genuine reasons to call a bank multiple times, and those are genuine customers doing that. You shouldn’t highlight them as fraud. I think those are big drivers of why we invested so heavily in our machine learning and in the consortium because that’s where we’re seeing the best results.
[00:33:16] Matt: And, and, and you see those as kind of more, more powerful signal to the, to the noise of everything that might otherwise happen in a, in a call center.
[00:33:24] Chris: Yeah, exactly. Spotting those patterns, um, that you can do with, with machine learning models is, is a very, very good predictor of fraud.
[00:33:31] Matt: So, so to what extent is kind of feed feedback important in that, in that process? How, how do you get feedback?
[00:33:37] Chris: So, broad patterns are quite consistent. We’ve seen across, across our customers kind fraudsters are doing similar things generally, but every, every bank, every organization will have their own, their own unique pattern.
[00:33:55] So some banks might have a more international customer base, um, some might have different opening hours or different shift patterns. And getting that feedback to, to kind of train specific, um, or tuned models for a customer does really, really help spot those patterns and really separate the, the genuine customers from the fraudsters and make sure the right calls get looked at.
[00:34:21] Matt: That’s fascinating. I, I guess just, uh, do, we got double people on the call today, so I would encourage you if you have any questions to, um, to drop them into the chat or to the q and a session and we’ll, we’ll put Chris under pressure. I, I’ve just got a few, few, few more.
[00:34:34] Like I, I’ve seen firsthand and people have told me enormous benefits about the, the, the enormous. Benefits from the fraud prevention story. I, I guess when I look at this stuff, what I’m most excited about is, and, and I’ve spent most of my career working in large financial services and, and actually I, I think we, we do quite a good job now of Authentication and, uh, making, creating as effortless experiences as well may not agree as effortless experiences as we can do.
[00:35:02] Or certainly if we haven’t done to date, like we are doing it now and customers will, um, ex be experiencing it over the next few years. What I, what I find most frustrating is kind of everyone else. Yeah. It’s the, it’s the utilities, it’s the telcos, it’s the insurance providers. It, it, it’s every other organization I have to interact with or albeit less frequently and maybe they don’t have my money, but I, I think that’s, that’s where the, the, the opportunity is.
[00:35:28] So, so what, what’s to stop them today? Just using like the caller ID that they’re already getting in order to identify and authenticate their callers.
[00:35:37] Chris: I’ve. I’ve seen CLI matching use, I mean obviously banks use it, but I’ve seen it used everywhere from there to, to even estate agents. So people are, people are aware of it, but even the average person on the street now knows how easy it is to, to spoof a phone number.
[00:35:53] And if an organization’s got nothing in place to detect or stop it, then they’re putting, they’re putting themselves at risk and they’re putting their customers at risk. Now, as a network provider, we’ve got access to that carrier level information, and we’ve got ways of knowing if the number is spoofed or not.
[00:36:08] But as you pointed out, that’s not the only way numbers can be compromised. Fraudsters or bad actors can take control of the number through things like SIM swaps and fraudulent ports.
[00:36:20] Matt: I, I think, I think that’s a really interesting point, like the, because today this data is not used for that purpose. It is not necessarily attacked in the way in which it could easily be attacked and compromised were it’s be used for this purpose.
[00:36:34] So I think there’s a, like you, you could start using, any organization could start just trusting the CLI it’s getting today. Uh, and consider the customer authenticated and provide them with the information or service they want. But pretty quickly fraudsters are gonna figure that out and adapt and start to exploit that mechanism.
[00:36:50] Uh, and I think that’s where the risk is. It doesn’t have longevity, but I think what you are talking about, kind of being able to validate the number hasn’t been spoofed, that it really does belong and has originated from the device that’s claimed to originate from, really gives this mechanism some longevity and allows for those low risk, low frequency interactions for, for all those organizations that deal with millions of tho billions of those every day to, um, to, to authenticate their callers.
[00:37:14] I think you just mentioned it, just an issue there that I think comes up quite a bit is the kind of the sim, the sim swap risk, like, so we talked about possession being important here. I talked about the theft of the device. I think it’s always important in this to remember that the phone number is not actually the customer’s property or the caller’s property, it’s property of the network.
[00:37:34] Uh, and uh, I’d just be interested to hear about kind of what, what you, what you consider to be the risks when people being able to swap their, their sim over.
[00:37:42] Chris: Yeah, I mean, when, when we talk about people falling vic victims to scams, generally, there’s a lot of pressure nowadays being put on organizations kind of further up the chain, like social media companies, for example.
[00:37:53] Now in that same vein, we are working with carriers to help them put in place protections against sim swap and even their own vulnerabilities. We know with banks that fraudsters know every detail of their internal processes, and it’s the same for telcos. It’s the same for utility companies. Any organization that has valuable customer data, fraudsters will find ways to get hold of that data and it’s on the organization. Stop that.
[00:38:22] Matt: I think, I think that’s a really important point. I think the, I, I, when I talk to companies about this, it certainly, again, outside financial services where the financial risk associated with the call is a lot lower. I think people just underestimate the reputational risk associated with it.
[00:38:37] Like if I can figure out if I can go to company. Utility A in order to get the security material and data that’s needed to compromise them in, in bank B, then I’m just as liable. And, and if, if, if the public finds out about that, then actually the reputational impact on my brand could be far more significant than any, uh, financial loss I might get from somebody sending me an incorrect meter reading, for example.
[00:39:01] So I think it’s, it’s a really, it’s a really important and well made point. So, um, Jason’s asked, how often do fraudsters show up as a withheld or block number, versus simply change the number they’re using over time?
[00:39:14] Chris: So that’s, that’s quite an interesting one. We’ve, when we speak to organizations, they think that once a fraudster is kind of rumbled and their number is added, that watch list.
[00:39:26] The organizations used to think that the fraudster would ditch that number immediately. And what we’d see, and we’d saw evidence of this behavior, is the fraudsters would simply withhold their number and just carry on as before. So they may change their number now and again, and sometimes we can see them cycling through different sim cards on the same device, and we can link them together from the device.
[00:39:52] Um, but often if there’s, if there’s no protection against callers from a withheld number, there’s no way of detecting if it’s a known fraud or just somebody who is withholding their phone number for a genuine reason, then the fraudsters won’t change their number. Because they don’t need to. They’ll just go the path of least resistance, which can be withholding their number as soon as they’re rumbled.
[00:40:14] Matt: No, I think, I think it’s a really, really good point. Really good point. Uh, I’m just gonna ask you 1, 1, 1 more question. Um, kind of where do you see this stuff going? How do you see it evolving? What was it like to look forward?
[00:40:24] Chris: Oh, that’s a question.
[00:40:27] Matt: Um, sorry, it wasn’t, it wasn’t on the list I sent you, so it’s a bit unfair that
[00:40:30] Chris: Yeah, that’s the possibly the one I would like most prep for . Um, I think I really see it going very omnichannel. So the, the line between calling and going through the apps on your phone or the, on the website, I think those lines are gonna blur more and more. So linking everything from your, the telephone calls you make to the chat interactions you might have on the website or through an app.
[00:41:01] I think there’s gonna be more of a consistent thread in Identification and tracking through those. So, and that will help build up a better profile of, of who a customer is and also conversely who a fraudster is and that those kinds of behavior.
[00:41:17] Matt: Yeah, I think that that’s, that’s certainly the kind behavioral analytics bucket we have in, in modern security is I think you’ve got like a, you’ve got like an in session behavior like, and that, that’s a lot of what network authentication’s about, is about like what they’re doing right now in this session.
[00:41:31] But then when you bring that out and look across all of their sessions and all of the interactions that our customer has and how, and the degree of variation those are from the mean or from expected patterns, I do think that’s where the, the, the big opportunities for certainly fraud prevention are. I, I do worry about whether, uh, at some point the kind of behind the cur like.
[00:41:49] Like Authentication becomes too kind of behind the curtain and cryptic for customers and users to feel that they’re actually secure in their interaction. Like if we do too much of this stuff magically for them, um, how, how secure do they really feel in that interaction? But I, I think that’s probably a, a, a topic for, for another day.