By Roy Urrico
Nearly 25% of respondents in a 2020 Experian survey reported being a victim of identity fraud during the holidays as hackers take advantage of the shopping frenzy and additional volume of personally identifiable information (PII) exchanged online. Nuance Communications claims its Gatekeeper solution can help credit unions protect members from account takeover (ATO) attacks and other ID cybercrimes.
It is not enough to ask members for extra diligence this time of year, points out Brett Beranek, vice-president and general manager of security and biometrics at the Burlington, Mass.-based Nuance, a tech pioneer in conversational artificial intelligence. Credit unions must also protect member data from bad actors who may already have collected enough exposed personal information to gain entry into financial accounts.
Nuance Gatekeeper is a cloud‑native biometric security solution that authenticates legitimate persons and detects fraudsters wherever and however they engage. “Nuance is very well-known for speech technology but we actually have been in the security space for quite a bit of time,” Beranek explained. He detailed how in 2001, Nuance’s relatively new voice biometrics process helped a small community bank take down a group calling every single day to perpetrate fraud. “We applied our algorithm. It was a very MacGyver-ish type of approach. We were able to generate an alert each time one of those fraudsters called in. From there we determined this is something we need to invest in and productize.”
Account Takeover: An Unwanted Holiday Surprise
“A lot of credit unions and smaller financial institutions have been lucky in the past because a lot of the bad guys were attacking the larger players. And then when the Equifax breach hit, all of a sudden it was a free for all,” Beranek suggested. The 2017 Equifax breach exposed Social Security numbers, birth dates and home addresses, and other sensitive information, of an estimated 145 to 148 million Americans.
Fraudsters exploit data harvested from data breaches and other sources including social media posts, and reconnaissance interactive voice response drives (where hackers deploy autodialing techniques) to impersonate accountholders. As more breaches occur, enough information about individuals accumulates on the dark web to put together full packages of individuals’ identifying information for hackers and data resellers. Cybercriminals can then extract funds and alter account details such as security questions, passwords, encryption settings, and usernames.
ATO is a type of identity theft, which rose from 16,128 to 43,330 from 2018 to 2020 with accompanying losses growing from $100.4 million to $219.5 million, according to the FBI Internet Crime Complaint Center.
While ATOs can take place at any time, credit union contact centers are particularly vulnerable during the challenging holiday season, suggested Beranek, because there is typically an uptick in volume and frauds. “We see this time and time again, during the holiday season, a lot more calls into the contact center and fraudsters are taking advantage of a lot of stress and a lot of volume going through the credit union.”
Defending the Gate
Since criminals seek the weakest link in a financial institution to exploit, unprotected contact centers are more likely fraud targets.
“Credit unions need to look out for the contact center team, which tends to be overlooked from a security perspective,” Beranek said. One reason for the oversight is many credit unions still use security questions. “What if a fraudster just goes on the dark web? Besides the Equifax breach, there's other data sets available that can help cybercrooks answer all those security questions. They (then) basically have the keys to the kingdom.”
Beranek explained cybercriminals do not actually perpetrate fraud in the contact center; what they will do is take over an account by requesting the contact center allow an address or password change, or setup a new payment channel. “There isn't a financial transaction taking place, it's the setup to take over the account.” Once the deception succeeds through the contact center, a cybercriminal effectively takes over that member’s account, and can start performing transactions. “It often takes several days before the member notices this is taking place.” During holiday season it could be even longer.
The pandemic allowed ID fraudsters to operate undetected for some time, since remotely dispersed contact center staff cannot as readily exchange notes on suspicious callers. “We've seen cases where it can take 30, 60, 90 days before that fraudster is detected using the manual process,” Beranek said. “And during that time, they can take over a lot of accounts.”
How Gatekeeper Works
Beranek pointed out account takeovers could damage the trust members have with a credit union. “I've seen credit unions do just some fantastic work on the damage control side of things,” Beranek said. “But instead of focusing on damage control, there's an easy solution to prevent this from happening in the first place,” which is to identify when the “wrong” person is on the call and stop that call immediately. “Don’t let the fraudster take over those accounts.”
Gatekeeper, which Nuance offers as an on-premise solution or as software as a service (SaaS), layers numerous biometric and non‑biometric factors into a central AI risk engine to deliver what Nuance describes as “more successful authentications and higher fraud detection rates through a unified solution.”
Gatekeeper took Nuance’s foundational voice technology and put it on steroids by adding additional technologies such as conversational biometrics, which also analyzes the language used, inflections, vocabulary, grammar, and structure. “We can very effectively detect the good guys from the bad guys at the human level,” said Beranek.
Beranek noted sometimes agents become inundated with calls and dread having to ask frustrated callers to identify themselves though security questions. “I understand the power of the technology at preventing fraud. I realize how it could be impactful, on the human side as well, just making life easier for both members and for the agents.”
The Gatekeeper service monitors all the calls coming through; constantly analyzing the voices. A legitimate caller triggers a green light on the agent's screen. If a potential fraudster calls, Gatekeeper either shows one of two screens: a red screen for an unknown first-time caller; and a purple screen for a known fraudster. Said Beranek, “So, a member does not need to answer any security questions. For the agent, they do not need to play cop anymore. They do not need to ask security questions. They just, say ‘how can I help you?’ It's a lot better for the agents and a better experience for the customers.”
Following the Equifax breach Nuance started seeing smaller organizations, including many credit unions, reach out for help to identify fraudsters. Nuance is now seeing three to four credit unions onboarding with Gatekeeper every quarter. Two recent additions are the $7.5 billion Apple Valley, Minn.-based Wings Financial Credit Union; and the $4.9 billion North Chesterfield, Va.-based Virginia Credit Union.