Bank and financial institution call centers are on the frontline in technology’s latest battle over identity fraud. Decentralized identity provides a low-cost, low-friction, high-benefit solution.
By Trevor Butterworth
Biometrics — using facial, voice, and other physiological characteristics to authenticate a person — was supposed to save customers from the risk of their passwords being stolen. Our biometric characteristics provide a much tougher security profile to crack and can be used to manage mobile and online banking services, payments, ATMs, KYC and AML requirements, and even to remotely onboard customers.
Now, the promise of seamless and secure authentication has been hit by a shapeshifting wrecking ball: deepfake phishing.
In January 2024, an employee of a multinational company, Arup, was duped into sending $25 million to fraudsters after she participated in a video conference call with what she thought was a real, senior executive. The executive who told her to make the payment turned out to be an AI-generated “deepfake.”
Deloitte’s Center for Financial Services estimates that AI-driven fraud could cost the United States alone between $20 billion and $40 billion by 2027.
While Arup grabbed global headlines with the scale of the loss, the reality is that attacks using AI are more often focused on defrauding customers, with bank and financial call centers on the frontline.
Using AI to mimic the voice of a person, a hacker can generate hundreds of robo calls to different bank call centers, each attempting to reset the passwords of different accounts so as to gain access.
The burden on call center staff and interactive voice response (IVR) authentication systems to distinguish a virtual fake from a real customer is enormous. But customers are also at risk of being phished by a deepfake of their financial institution’s IVR system.
Proposed solutions such as abandoning voice recognition or using more sophisticated AI to detect deepfakes are either extreme or likely to trigger an endless AI arms race.
Decentralized identity offers a much simpler approach to mitigating the problem. We have already shown how a verifiable account credential radically simplifies authenticating a customer (and a customer authenticating their bank) before access is given. And it provides passwordless login to deter regular phishing.
But a bank can also use the communication features of a verifiable credential to rapidly double check identity. This is because a communication channel with the customer can be created during credential issuance.
This trusted channel can’t be accessed by another party or faked. And it allows the bank call center to automatically verify a caller by sending a message over the channel asking the customer to “please confirm we are on a call right now.”
The advantage over multifactor authentication is that using a verifiable credential is faster, more secure, and works in both directions. It’s not just a simple way for banks to authenticate customers; it’s a simple way for customers to authenticate their banks.
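The confirmation step described above, as an added example (not code from the original article or from any product it describes). It assumes the channel created at issuance can be modelled by a per-customer shared key, with HMAC standing in for the channel's authentication; `CallCenter`, `wallet_reply` and the 60-second window are hypothetical names and values.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 60  # assumed validity window for a confirmation request


def issue_channel_key() -> bytes:
    """Stand-in for the channel set up at credential issuance (assumption:
    a shared secret; deployed systems would use pairwise public keys)."""
    return secrets.token_bytes(32)


def _mac(key: bytes, call_id: str, nonce: str, answer: str) -> str:
    # Bind the answer to this specific call and this specific request.
    msg = "\x1f".join((call_id, nonce, answer)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CallCenter:
    def __init__(self, channel_keys: dict[str, bytes]):
        self.channel_keys = channel_keys  # customer_id -> channel key
        self.pending = {}  # nonce -> (customer_id, call_id, expires_at)

    def challenge(self, customer_id: str, call_id: str, now=None) -> dict:
        """Request pushed to the wallet: 'please confirm we are on a call right now'."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (customer_id, call_id, now + TTL_SECONDS)
        return {"call_id": call_id, "nonce": nonce}

    def verify(self, reply: dict, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.pop(reply.get("nonce"), None)  # single use: blocks replay
        if entry is None:
            return False
        customer_id, call_id, expires_at = entry
        if now > expires_at or reply.get("answer") != "yes":
            return False
        expected = _mac(self.channel_keys[customer_id], call_id, reply["nonce"], "yes")
        return hmac.compare_digest(expected, reply.get("mac", ""))


def wallet_reply(key: bytes, challenge: dict, on_call: bool) -> dict:
    """Customer's wallet answers over the channel; only the key holder can produce the MAC."""
    answer = "yes" if on_call else "no"
    mac = _mac(key, challenge["call_id"], challenge["nonce"], answer)
    return {"nonce": challenge["nonce"], "answer": answer, "mac": mac}
```

A cloned voice on the phone line does not help a caller here, because the confirmation travels over the separate channel and is tied to one call and one request.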
Curious as to how you could protect your call center with verifiable credentials?
We provide a free, no-obligation workshop where we evaluate your use case in light of this powerful, emerging technology. Contact us now!