Voiceprints rolled out to fight vishing
"What's your mother's maiden name?"
Most people who've phoned the call centre of their bank, insurance company, medical aid or cellphone service provider will be familiar with that type of personal question, but as identity verification goes, it's a very outdated method.
With voice biometrics, it's your voice - as unique as your fingerprint - that confirms to the company that you are indeed who you say you are, not what you say.
One of the problems with "knowledge-based authentication" - asking callers a set of personal questions - is that it has a success rate of only about 65%, according to Paul Hutton, the CEO of leading voice biometric authentication company OneVault.
"Clients are asked personal questions which they should know, but often they don't answer correctly," Hutton says. "Many don't know the limit on their credit cards, for example."
But with voice authentication, the success rate is 95%, which is why leading financial services companies in the US and UK have adopted it.
And now the technology is to be used by the nonprofit South African Fraud Prevention Service in the form of an impostor voice bank, in partnership with OneVault.
The fraud prevention service combats fraud across the financial services industry by listing the details of consumers who have been the victim of impersonation and identity theft on a database that is then shared with member companies.
So when a fraudster attempts to open a clothing account or apply for a cellphone contract in person with a stolen ID doctored to feature their photograph, they are "red-flagged" and thwarted.
Adding a bank of voice recordings of known impostors - submitted by companies that later discovered that the callers committed fraud by passing themselves off as a client - to the service will enhance the industry's ability to combat fraud committed over the phone, known as vishing.
Imposter voices will...trigger alerts, real timePaul Hutton, CEO of OneVault
Vishing takes several forms, Hutton says, the most common being a fraudster calling a bank's call centre to add their bank details as beneficiaries on the internet banking profile of the client they are impersonating, and doing a SIM swap on their victim's cellphone.
Three banks, which Hutton declines to name, are submitting to OneVault recordings of all their fraudster calls in the past year, as part of the pilot project.
"All members [of ... the fraud prevention service] are encouraged to participate in order to gain access to the recordings of known impostor calls," Hutton says.
"Impostor voices will be loaded onto this single shared database, which will then be distributed or used to trigger alerts, real time.
"We will run a pilot for six months to enable us to comply with South African regulations."
Voice biometrics is similar to fingerprinting in that it makes use of an individual's biology and is therefore very difficult to emulate, Hutton says.
"The explosion of online and digital transactions has increased the demand for remote security and, more specifically, remote authentication."
The system automatically cross-references the caller's voice against a database of known impostor's voices as well as their own "voiceprint".
"It 'listens' in the background, and after a while the agent will be told via a message on their screen either 'Voice Verified' or 'Impostor Detected'," Hutton says.
In the case of the "Press 1 for card balance" type of self-service calls, the authentication is what's termed "active" - the customer is made to repeat a sentence, such as "My voice is my password", which is then matched against their pre-recorded "voiceprint". And the system is wise to fraudster's tricks, being able to detect artificial voice production - a recording of someone's voice - or voice manipulation.
But could a twin pass themselves off as their identical sibling?
This was put to the test, Hutton says, and on his seventh attempt during the course of an hour, one managed to pass himself off as his twin.
But in reality, that many calls would be a red flag in itself, he says.
"No system will ever be totally foolproof. If someone has really bad flu, which distorts their voice, or there's a lot of background noise, or the call drops, authentication can't happen."
Discovery Health introduced voice authentication in 2015 as an option for its members.
"It's entirely voluntary," says chief digital officer Anton Fatti. "Members enrol in the programme either on the call, or our website.
"The main driver is convenience. Members are verified in the interactive voice response before being transferred to a consultant, so there's no need to answer verification questions."
But the system can help prevent a person posing as a client to get confidential information or change their bank account details to commit fraud, he says.
"We want to see competitors taking hands in fighting fraud," says South African Fraud Prevention Service executive director Manie van Schalkwyk.
"Together we can eradicate fraud in South Africa."
• Report suspected ID fraud to the South African Fraud Prevention Service helpline on 086-0101- 248