IVR banking is very common. If you’ve ever dialed your bank to check an account balance or pay a bill, you’ve probably used it. In addition to these basic self-service tasks, customers can use bank IVRs to report fraud, update personal information, check their transaction history, or even change their PIN without having to wait for an agent.
Having access to a variety of options such as these makes using IVR a convenient alternative to visiting a physical branch or waiting through long caller hold times.
Customers aren’t the only ones who benefit from these systems — banks can enjoy the perks of reducing the number of routine customer service enquiries and finding new ways to serve customers outside of regular business hours.
Many of today’s top VoIP phone services already include IVR in their packages, which means banks that use these services likely already have access to tools and integrations for data collection, analytics, and advanced security features such as voice recognition.
All of these benefits of IVR do come with some risk of additional vulnerabilities that need to be considered and addressed before implementation. Without the right safeguards in place, IVR technology has the potential to be used for identity fraud, phishing attacks, and data breaches.
How do hackers target IVR banking services?
While busy customers and companies love a good IVR system, hackers love a bad one. IVR hacking entails targeting certain weaknesses to gain unauthorized access to the system.
They’ll go after credit card data, try to take control of customer accounts, and even exploit the personal information attached to financial history.
Some of the most common methods include tricking the IVR into thinking the hacker is a legitimate customer, launching phishing attacks with automated phone calls or social engineering tactics, using voice biometrics spoofing, and finding vulnerabilities in IVR software to break into the system.
Secure authentication methods for IVR banking
If a system is properly secured, whenever a customer calls a banking IVR, they’re required to verify their identity with at least one authentication method before they’re able to access any account services.
The key here is making sure that the IVR is both compliant and secure enough to keep hackers out but isn’t so complex as to frustrate legitimate customers to the point that it impacts their ability to access their own banking information.
For added protection, banks typically require multiple layers of authentication that are designed to foil different types of attacks.
6 authentication methods for IVR banking
Knowledge-based authentication
Knowledge-based authentication is a way of verifying the identity of a person by asking about things that only they would know about. For instance, if a person called into a bank using KBA, they might be asked by the bank to provide one of their previous addresses or the city in which they first met their spouse.
For KBA to work well, banks need to make sure they’re using data that can’t easily be found or deduced through social engineering, and they also need to make the questions distinct enough so that customers will actually remember their responses.
Providing only hyper-specific questions can be a recipe for frustration, so it’s important to keep the questions broad enough to be easily usable while still being specific enough to be secure. Some systems even allow the end user to set their own questions and responses.
PIN-based authentication
PIN-based authentication is a very common way for customers to gain access to their accounts by entering 4-6 digit codes that only they know.
When used with a banking IVR, the system automatically compares the PIN code entered by a customer with the one that’s associated with their account. If the two numbers match, the rest of the IVR is unlocked, and the customer can use the services.
While PIN-based authentication can be a strong method for data protection, it’s often fallible because of customers who set common or easy-to-guess PINs. This includes when customers use the same four numbers in a row or default combinations like 1234.
If you use PIN-based authentication, it’s important to remind your customers to avoid using numbers that are associated with other important data—such as the last four digits of their phone number or social security number—since this increases the chance of hackers being able to get into their account if the IVR is breached.
It’s also important to include elements in the IVR that automatically lock the account after a certain number of failed tries. This will help prevent brute-force attacks, where hackers use software programs that automatically attempt to log in with thousands of guesses.
Voice biometrics
Voice biometric authentication is a relatively new technology that works when a customer speaks a certain passphrase or a predefined series of words into the phone. The IVR captures the recording and compares it to a previous recording set up by the caller. If the passphrase and voice patterns match, the customer can proceed.
Voice biometrics is great when it works, but issues with low-quality voice capture and bad analysis can sometimes lead to false negatives and false positives. The first is very annoying for customers, while the second is a huge risk for the bank.
If your bank opts to enable voice biometrics, it’s important to partner with a high-quality system that has excellent pattern recognition. It’s also a good idea to educate your customers about the importance of providing clear voiceprints when they’re setting up their passphrases.
One-time passcodes
One-time passcodes are temporary codes sent to customers via SMS, email, or a phone call to verify their identity. When a customer calls in, the IVR will send a code via their preferred, registered method. If the customer enters the right code within the allotted time, they can proceed to the next stage of service.
Although this type of security check is usually found at the beginning of the IVR process, it can also be used again later on as extra security when dealing with something of higher risk, such as sending a large sum of money to someone else.
The best one-time passcodes are time-sensitive, meaning that they’ll only work for a few minutes or an hour, which lessens the chance that someone with bad intentions could get ahold of them. If you implement one-time passcodes at your business, be sure to remind your customers to keep their data up-to-date so the IVR sends the code to the right phone number or email address.
Caller ID verification
One of the automated ways of authenticating callers is to match their caller ID information with the phone number associated with their bank account. If the information matches, then the customer can proceed past this step without having to actively do anything.
While caller ID verification can be great for customers who only ever call in from the phone number that’s registered with the bank, it doesn’t really work for customers who have to call in from unregistered numbers like work numbers or their friend’s phone. As a result, most systems that use this authentication method have to provide other options as well.
Caller ID data can also be spoofed, so banks should consider implementing additional security measures alongside caller ID verification to make sure that it’s actually the customer getting through.