Phone number spoofing is a well-known problem. It has been around for years and is addressable with solutions from companies such as Pindrop that estimate the probability that the caller’s number is legitimate. Using white and black lists of phone numbers, network delay measurements, and other audio heuristics, these solutions reach confidence rates in the high 90s. For instance, if a call comes in from a U.S. area code but the network delay is longer than 100 milliseconds, the odds are high that the caller is actually overseas.
This technology is beneficial in contact centers: enterprise call centers deploy it to reduce the number of security questions they must ask, which in turn reduces average call handle time and gives callers a better experience.
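To make the number-plausibility heuristics above concrete, here is an added example (not Pindrop’s code or anything from the original post) that combines allow/deny lists with the area-code-versus-network-delay check. The 100 ms rule of thumb comes from the text; the area-code table, the scoring weights and the 0.7 policy threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of NANP area codes mapped to a country.
NANP_AREA_CODES = {"212": "US", "415": "US", "617": "US", "416": "CA"}

# Rule of thumb from the article: a caller presenting a U.S. area code whose
# network delay exceeds 100 ms is probably not actually in the U.S.
DOMESTIC_DELAY_MS = 100.0


@dataclass
class CallerSignal:
    caller_id: str            # number as presented by the carrier, e.g. "+12125551234"
    network_delay_ms: float   # delay measured on the call path


def area_code(e164_number: str) -> Optional[str]:
    """Return the NANP area code for a +1 number, else None."""
    digits = e164_number.lstrip("+")
    if len(digits) == 11 and digits.startswith("1") and digits.isdigit():
        return digits[1:4]
    return None


def score_caller(sig: CallerSignal, allowlist: set, denylist: set):
    """Return (confidence that caller_id is genuine, list of reasons).

    List membership decides first; otherwise start from a neutral prior and
    adjust on the geography/delay heuristic. Weights are constructed.
    """
    reasons = []
    if sig.caller_id in denylist:
        return 0.0, ["number on denylist"]
    if sig.caller_id in allowlist:
        confidence, note = 0.9, "number on allowlist"
    else:
        confidence, note = 0.5, "number unknown"
    reasons.append(note)

    ac = area_code(sig.caller_id)
    country = NANP_AREA_CODES.get(ac) if ac else None
    if country == "US":
        if sig.network_delay_ms > DOMESTIC_DELAY_MS:
            confidence -= 0.4   # claimed U.S. origin contradicted by delay
            reasons.append(f"U.S. area code {ac} but delay {sig.network_delay_ms:.0f} ms")
        else:
            confidence += 0.05  # delay consistent with the claimed origin
            reasons.append(f"delay consistent with U.S. area code {ac}")
    else:
        reasons.append("no domestic geography to check")
    return max(0.0, min(1.0, confidence)), reasons


def needs_extra_verification(confidence: float, threshold: float = 0.7) -> bool:
    """Policy hook: low confidence means the agent asks more security questions."""
    return confidence < threshold
```

In a contact center this score would gate how many knowledge questions the agent asks, which is the handle-time benefit the article describes.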
A newer problem, thanks to artificial intelligence (AI) in the speech world, is voice spoofing.
Voice verification technology has been around for at least 20 years, in use at many banks and stock trading companies as part of the multifactor authentication strategies they put in place to protect funds transfers. Voice verification systems require large baseline sample sizes for optimal performance, so they work best when used regularly. Given that voice spoofing capabilities are becoming more mainstream, enterprises that use voice verification technology should look at additional security controls for validating callers.
Bad actors can easily use a site like spoofvoice.com to change their voices and phone numbers to remain anonymous. A more sophisticated bad actor can grab audio clips from YouTube and mimic someone else’s voice. So, what’s an enterprise to do?
Multifactor authentication (MFA) is in vogue, as enterprises have come to understand that just a username and password aren’t good enough for secure transactions and interactions. The problem is that most enterprises assume two-factor authentication is good enough. They underestimate the growing sophistication of bad actors and their ability to spoof or steal information, including one-time passwords. For instance, bad actors might use malware that incorporates a keystroke logger to capture and use a one-time password in near real time.
The National Institute of Standards and Technology (NIST) recommends a three-factor MFA strategy for highly secure transactions and interactions, as shown above. I’ve added a fourth. The four factors should be based on:
- Something you know -- password, mother’s middle name
- Something you have -- smartphone, token, certificate on device
- Something you are -- fingerprint, voice print
- Something you’ve done -- previous transaction, discussion topic, context
With each of these factors, you’ll need additional verification. For example, just last week Google announced it’s advancing research on fake audio detection.
Personally, when my stockbroker calls with the latest stock tip and buy recommendation, these days I do more upfront vetting, so to speak -- spending more time than previously in the introduction and catching up on our personal lives before giving out any financial information. Besides registering my stockbroker’s phone number and voice, I validate that he is who he says he is by discussing things that only he knows about me and my previous transactions.
To learn more about UC security best practices, tune into the No Jitter On Air podcast below and join me at Enterprise Connect 2019 on Monday, March 18, for my 9:00 a.m. to 9:45 a.m. session on new challenges and solutions for securing video, team chat, and other emerging risk areas.
Register for Enterprise Connect today using the code NJPOSTS to save $200 off our current rate!