Interactive voice response (IVR) banking is very common. If you've ever called your bank to check an account balance or pay a bill, you've probably used it. In addition to these basic self-service tasks, customers can use banking IVRs to report fraud, update personal information, check their transaction history, or even change their PIN without having to wait for an agent.
Having access to a variety of options like these makes using IVR a convenient alternative to visiting a physical branch or waiting through long hold times.
Customers are not the only ones who benefit from these systems: banks can enjoy the advantages of reducing the number of routine customer service queries and finding new ways to serve customers outside of regular business hours.
Many of today’s leading VoIP phone services already include IVR in their packages, meaning banks using these services likely already have access to tools and integrations for data collection, analytics, and advanced security features like voice recognition.
All of these benefits of IVR come with the risk of additional vulnerabilities that must be considered and addressed before deployment. Without proper security measures, IVR technology has the potential to be used for identity fraud, phishing attacks, and data breaches.
How do hackers attack IVR banking services?
While customers and businesses love good interactive voice response (IVR) systems, hackers love bad ones. IVR hacking involves attacking certain weaknesses to gain unauthorized access to the system.
They will seek credit card data, attempt to take control of customer accounts, and even exploit personal information associated with financial history.
Some of the most common methods include tricking the IVR into thinking the hacker is a legitimate customer, launching phishing attacks with automated phone calls or social engineering tactics, using voice biometric spoofing, and finding vulnerabilities in the IVR software to gain entry into the system.
Secure authentication methods for IVR banking
If a system is properly secured, every time a customer calls a banking IVR, they are asked to verify their identity with at least one authentication method before being able to access any account services.
The key here is to make sure the IVR is compliant and secure enough to keep hackers out, but not so complex that it frustrates legitimate customers to the point of affecting their ability to access their own banking information.
For added protection, banks typically require multiple layers of authentication that are designed to thwart different types of attacks.
6 Authentication Methods for IVR Banking
Knowledge-based authentication
Knowledge-based authentication is a way to verify a person's identity by asking them questions that only they know. For example, if a person calls a bank using knowledge-based authentication, the bank might ask them to provide one of their previous addresses or the city where they met their spouse.
For KBA to work well, banks need to make sure they are using data that cannot be easily found or deduced through social engineering, and they also need to make the questions clear enough that customers will actually remember their answers.
Offering only very specific questions can be a recipe for frustration, so it's important that questions are broad enough to be easily used, while also specific enough to be secure. Some systems even allow the end user to set their own questions and answers.
PIN-based authentication
PIN-based authentication is a very common way for customers to gain access to their accounts by entering 4- to 6-digit codes that only they know.
When a banking IVR uses PINs, the system compares the PIN entered by the customer with the one stored for their account. If the two match, the rest of the IVR is unlocked and the customer can use its services.
While PIN-based authentication can be an effective method for data protection, it is often undermined by customers choosing common or easy-to-guess PINs, such as a single repeated digit (1111) or default combinations like 1234.
If you use PIN-based authentication, it's important to remind your customers to avoid using numbers that are associated with other sensitive data, such as the last four digits of their phone number or Social Security number, as this increases the chance that hackers can gain access to their account if the IVR is breached.
It's also important to include elements in your IVR system that automatically lock the account after a certain number of failed attempts. This helps prevent brute-force attacks, in which automated software cycles through thousands of PIN guesses.
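The PIN controls described above (rejecting repeated digits, runs, defaults and the last digits of the phone number on file, hashing the stored PIN, and locking after repeated failures) as an added example in Python; this is illustrative code, not the IVR vendor's, and the three-attempt lockout and PBKDF2 work factor are assumed policy values:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3   # assumed lockout policy: three wrong PINs lock the account

def is_weak_pin(pin: str, phone_on_file: str = "") -> bool:
    """Reject repeated digits, runs, default codes and the phone number's last digits."""
    if not pin.isdigit() or not 4 <= len(pin) <= 6:
        return True
    if len(set(pin)) == 1:                       # 1111, 0000
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                     # 1234, 4321
        return True
    if pin in {"1234", "0000", "123456"}:        # constructed sample of default codes
        return True
    if phone_on_file:
        digits = "".join(ch for ch in phone_on_file if ch.isdigit())
        if pin == digits[-len(pin):]:            # last four of the registered number
            return True
    return False

def hash_pin(pin: str, salt: bytes = b""):
    """Salted PBKDF2 (assumed 100k rounds) so a leaked IVR database does not expose raw PINs."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

def verify_pin(account: Account, entered: str) -> str:
    """Returns 'ok', 'retry' or 'locked'; a locked account never checks the PIN."""
    if account.locked:
        return "locked"
    _, digest = hash_pin(entered, account.salt)
    if hmac.compare_digest(digest, account.pin_hash):
        account.failed_attempts = 0               # successful call resets the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True                     # hand off to a manual unlock path
        return "locked"
    return "retry"
```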
Voice biometrics
Voice biometric authentication is a relatively new technology that works by a customer saying a certain passphrase or a predefined series of words into the phone. The interactive voice response system captures the recording and compares it to a previous recording set up by the caller. If the passphrase and voice patterns match, the customer can proceed.
Voice biometrics are great when they work, but issues with low-quality voice capture and poor analysis can sometimes lead to false negatives and false positives. The former is very annoying for customers, while the latter is a huge risk for the bank.
If your bank chooses to enable voice biometrics, it's important to partner with a high-quality system that has excellent pattern recognition. It's also a good idea to educate your customers about the importance of providing clear voiceprints when they set up their passphrases.
One-time access codes
One-time passcodes are temporary codes sent to customers via SMS, email, or phone call to verify their identity. When a customer calls, the interactive voice response (IVR) system sends them a code via the registered method of their choice. If the customer enters the correct code within the allotted time, they can proceed to the next stage of service.
While this type of security check is typically found at the beginning of the IVR process, it can also be used again later as additional security when dealing with something higher risk, such as sending a large sum of money to another person.
The best one-time passcodes are time-sensitive, meaning they will only work for a few minutes or an hour, reducing the chance that someone with bad intentions can get their hands on them. If you implement one-time passcodes at your business, be sure to remind your customers to keep their details up to date so that the IVR system sends the code to the correct phone number or email address.
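The time-sensitive, single-use one-time passcode flow described in this section (and its reuse as a step-up check for higher-risk actions) as an added example in Python; this is illustrative code, not the IVR product's own, and the five-minute validity window and three-guess limit are assumed policy values. Delivery over SMS, email or voice call is outside the example; the code is only ever sent to the contact method on file.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300    # assumed policy: a code is valid for five minutes
OTP_MAX_ATTEMPTS = 3     # assumed policy: three wrong guesses invalidate the code

@dataclass
class PendingOtp:
    code: str
    destination: str     # phone number or email on file, never taken from the caller
    issued_at: float
    attempts: int = 0
    used: bool = False

def issue_otp(destination: str, now=None, digits: int = 6) -> PendingOtp:
    """Create a random numeric code bound to the registered contact method."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    return PendingOtp(code, destination, now)

def verify_otp(pending: PendingOtp, entered: str, now=None) -> str:
    """Returns 'ok', 'retry', 'expired', 'used' or 'too_many_attempts'."""
    now = time.time() if now is None else now
    if pending.used:
        return "used"                              # single use: a replayed code is rejected
    if now - pending.issued_at > OTP_TTL_SECONDS:
        return "expired"                           # time-sensitive, as recommended above
    if pending.attempts >= OTP_MAX_ATTEMPTS:
        return "too_many_attempts"                 # stops guessing the six digits
    pending.attempts += 1
    if hmac.compare_digest(pending.code.encode(), entered.encode()):
        pending.used = True                        # constant-time compare, then burn the code
        return "ok"
    return "retry"
```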
Caller ID Verification
One of the automated ways to authenticate callers is to match caller ID information with the phone number associated with their bank account. If the information matches, the customer can proceed with this step without having to actively do anything.
While caller ID verification can be great for customers who only call from the phone number on file with the bank, it doesn't really work for customers who must call from unregistered numbers, such as work numbers or a friend's phone. As a result, most systems that use this authentication method must also provide other options.
Caller ID data can also be spoofed, so banks should consider implementing additional security measures along with caller ID verification to ensure that it is really the customer calling.