Armor vox call-centers-and-pencil-and-pen-attacks



The problem of identity theft in call centers is not new or restricted to the USA. The problem here is that offshore operators are no more dishonest than on-shore operators; it is a matter of whose law applies when a data breach occurs. The US has mandatory reporting of data breaches. But if identity theft occurs in an off-shore call center, then whose law applies?

Published in: Technology, Business

  1. TECHNOLOGY WHITEPAPER

     ArmorVox - Solving Call Center Identity Theft

     How to use Voice Identification to Protect Global Call Centers Against Even “Paper and Pencil” Attacks

     AURAYA SYSTEMS
     One Tara Boulevard | Nashua, New Hampshire 03062 | +1 603 123 7654 | linkedin/in/armorvox
  2. Solving the Call Center Identity Theft Problem

     In August 2010, SC Magazine ran a series of articles on security perspectives in call centers. In those articles, cybercrime investigator Charles Jeter focused on the “Hagen Case”, where an enterprising Bank of America employee, using old-fashioned “paper and pencil”, simply wrote down account holders' names, birth dates, addresses and account histories with the intent of on-selling this information to criminal groups who would later use it to break into Bank of America customer accounts.

     Whilst most security solutions focus on the threat from outsiders, the truth of the matter is that bank employees and contractors pose just as big a threat as those outside the organization. Statistics quoted in the SC Magazine article for identity theft in America suggest:

     “Overall, 48% of all breaches in 2009 were attributed to users who abused their rights to access corporate information for malicious purposes. In addition, 90% of insider threat cases resulted from deliberate malicious activity, while just 6% each were caused by unintentional activity or inappropriate conduct. 51% of insider threat cases involved regular employees or end-users, while 12% involved both accounting staff and system administrators. Upper management caused 7% of insider incidents.”

     The problem of identity theft in call centers is not new or restricted to the USA.

     Perhaps the biggest known case of identity theft dates back to 1999/2000, when credit card company help desk employee Philip Cummings used his password to simply help himself to thousands of credit reports, which he then passed on to other criminal groups. In all, around $100 million was stolen from around 30,000 victims.

     In April 2005, twelve former employees of an Indian call center were arrested on suspicion of identity related fraud. It is alleged that the former employees had used Citibank callers’ personal credit card information to purchase various goods and services for their own personal gain and use. The alleged fraud took place whilst they were employees of the call center, working as call center agents.

     Whilst losses associated with this incident are relatively low ($350,000), it does highlight the fact that the problem is a global one. Globalization of the call center market has also meant globalization of ID theft.

     ARMORVOX – ImpostorMaps™ © 2012 Auraya Systems
  3. The problem here is that offshore operators are no more dishonest than on-shore operators; it is a matter of whose law applies when a data breach occurs. The US has mandatory reporting of data breaches. But if identity theft occurs in an off-shore call center, then whose law applies?

     So how can organizations protect themselves from the old-fashioned call center “Paper and Pencil” attack? And how can they do this and still benefit from the low costs offered by off-shore contact centers?

     The Solution

     The key to protecting customers’ personal information and preventing identity theft is to prevent call center agents from accessing customers’ personal identity information in the first place. But how do you authenticate callers without access to their personal information?

     The solution is ArmorVox, a voice biometrics system able to accurately authenticate the identity of a caller’s voice characteristics.

     Voice biometrics is a two stage process. The first stage requires that a caller register their voiceprint. This involves repeating a few words, for example their name and counting numbers. Subsequently, once enrolled, a caller can confirm their identity by simply responding to a few voice prompts. In effect, by using their voice they can confirm they are who they say they are, but without having to divulge their sensitive personal information to the call center agent.

     The capacity to limit call center agent access to the caller’s personal information is one of the major benefits of ArmorVox. Once authenticated through ArmorVox there is no need for the caller to disclose personal information to the call center agent and there is no need for the call center agent to even see the caller’s sensitive identity information. All the call center agent needs to know is that this caller’s voice matches the voiceprint associated with this financial record.

     Voice authentication, therefore, not only delivers a measure of call center efficiency by automating the upfront authentication process, but more importantly for the off-shore call center operators, it provides a level of security and privacy that prevents agents from stealing or misusing callers’ personal information.
  4. In addition, ArmorVox can also resolve the ambiguity over protection afforded by a particular country’s privacy legislation. Figure 1 shows the solution. By locating ArmorVox in-country, personal information stored and processed by ArmorVox is subject to local privacy laws. Once authenticated, the caller can be handed off to an off-shore call center anonymously without any personal identity information attached. Any privacy breach is then subject to the local privacy laws, i.e. the caller’s local jurisdiction.

     This not only solves the legal ambiguity problem, but more importantly provides an increased level of confidence to off-shore operators that breaches can be dealt with in the local jurisdiction, and that the international flow of personal information to off-shore call center is limited.

     [Figure 1: Privacy Enhanced Call Center. Diagram labels: Authentication Gateway; In Country Telephone Network; International Telephone Network; Authentication server; Authentication database; Customer database; Off-shore call centre. Annotations: “Client/citizen personal information authenticated and stored in country and subject to in country privacy provisions”; “Client/citizen handed to off shore call centre with personal information omitted”; “Caller referred to through an alias”.]
  5. Conclusion

     Banks spend millions (if not billions) on encryption, firewalls and other security measures to protect their customers’ sensitive personal information, only to have their employees and outsourcers use good-old paper and pencil to steal this information. Identity theft costs banks millions each year and the problem is only getting worse. And it’s not just the economic cost. It is also the loss of trust and the impact on brand that comes with insider identity theft.

     ArmorVox not only offers banks and financial services a way of reducing customers services, but more importantly provides an extremely cost effective solution to protecting customers’ personal information and protecting the bank from the insidious insider identity thief.

     Next Steps

     ArmorVox offers a Quick Start program for banks and financial services institutions. Working with our industry-trusted Authorized Partners, ArmorVox offers a quick start program for your voice authentication pilot project or in-depth analysis. Our partners will discuss your authentication needs and work with your IT team to implement an ArmorVox Speaker Identity System pilot program with your applications for:

       • Internal User – PIN and Password Reset
       • Consumer Identity Authentication

     To get started, please visit:
  6. About the Author

     Dr. Clive Summerfield is Auraya Systems’ Founder and Chief Executive Officer. Clive is an internationally recognized authority on voice technology and holds numerous patents in Australia, USA and UK in radar processing, speech chip design and speech recognition and voice biometrics.

     As a former Founder Deputy Director of the National Center for Biometric Studies (NCBS) at University of Canberra, in 2005 Clive undertook at the time the world’s largest scientific analysis of the voice biometric systems leading to the adoption of voice biometrics by for secure services. That experience led Clive in 2006 to found Auraya, a business exclusively focused on advanced voice biometric technologies for enterprise and cloud based services. Visit for Clive Summerfield’s full bio.

     About Auraya Systems

     Founded in 2006, Auraya Systems, the creators of ArmorVox™ Speaker Identity System, is a global leader in the delivery of advanced voice biometric technologies for security and identity management applications in a wide range of markets including banks, government, and health services. Offices are located near Boston USA, Canberra and Sydney Australia. For more information, please visit
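
The handoff described with Figure 1 (authenticate in country, then pass the caller to the off-shore call center under an alias with personal information omitted) can be sketched as follows. This is an added example, not ArmorVox code: the function names, field names, keys and the HMAC-signed token format are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys for this example only.
ALIAS_KEY = b"example-alias-key"      # stays inside the in-country gateway
HANDOFF_KEY = b"example-handoff-key"  # shared with the off-shore verifier
# HMAC keeps the example in the standard library; with an asymmetric signature
# the off-shore side could verify handoffs without being able to mint them.

ALLOWED_FIELDS = {"alias", "verified", "issued_at", "nonce"}  # all that leaves the country


def make_alias(customer_id: str, call_id: str) -> str:
    """Per-call alias: not linkable across calls or to the customer without ALIAS_KEY."""
    msg = f"{customer_id}|{call_id}".encode()
    return "caller-" + hmac.new(ALIAS_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_handoff(record: dict, call_id: str, verified: bool, now: float) -> str:
    """Gateway side: sign a handoff that carries the alias and result, never the record."""
    payload = {
        "alias": make_alias(record["customer_id"], call_id),
        "verified": bool(verified),
        "issued_at": int(now),
        "nonce": secrets.token_hex(8),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(HANDOFF_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def accept_handoff(token: str, now: float, seen: set, max_age: int = 60):
    """Off-shore side: return the payload only if authentic, minimal, fresh and unused."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(HANDOFF_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                      # forged or altered in transit
    payload = json.loads(body)
    if set(payload) != ALLOWED_FIELDS or payload["verified"] is not True:
        return None                      # extra fields (possible PII) or failed voice check
    if not 0 <= now - payload["issued_at"] <= max_age or payload["nonce"] in seen:
        return None                      # stale or replayed handoff
    seen.add(payload["nonce"])
    return payload
```

The off-shore agent's tooling only ever sees the alias; mapping it back to the financial record requires `ALIAS_KEY` and the customer database, both of which remain in country.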