By Dr. Clive Summerfield
In January this year, Philip Cummings, was jailed for 14 year for stealing identities. He used his job as a computer helpdesk employee to steal personal information from more than 30,000 unwitting customers. He passed credit card and other stolen details on to other criminals. It is reported that the fraud is believed to have taken place from early 2000 to October 2002 and pleaded guilty in September 2004.
Judge George B Daniels said the case ¡°emphasised how easy it is to wreak havoc on people¡¯s financial and personal lives¡± and added that consequences for individual victims were ¡°almost unimaginable¡±. Losses have been estimated to be between US$50m (¡Ì38m) and US$100m (¡Ì76m) making it one of the largest single incidents of its kind yet in the U.S.
Meanwhile, in Pune, India, police arrested 16 people in an investigation into the fraudulent transfer of more than US$400,000 from Citibank customer accounts in the United States to bogus accounts in India. Investigators said employees of a Business Process Outsourcing company (BPO) used Citibank customers PIN¡¯s to access accounts.
Whilst in this case the amount stolen were not large, it caused a significant issue regarding the credibility and trustworthiness of off-shore call centres, with some commentators suggesting that the incident could trigger as much as a 30% down turn in India¡¯s off-shore call centre industry.
Identity-related fraud is now one of the fastest growing crimes in the world. Biometric technologies, including iris scanning, fingerprints and face recognition have long been touted as a solution to fraud. However, whilst these technologies have their place, only speaker verification, or voiceprint technology, is poised to be the application that brings biometrics into widespread corporate use.
IDENTITY FRAUD, A US$2 TRILLION PROBLEM
Law enforcement agencies in the U.S. estimate that identity related crime is now a US$2 trillion problem and doubling every 12 months. The Australian Institute of Criminology (AIC) estimates that in Australia identity fraud costs the community between US$2 and US$6 billion a year. In dollar terms AIC estimate business looses more to fraud than to employee theft, burglary, armed robbery and vandalism, combined. Over one third of all serious crimes involve ID fraud. And this can not only be a problem for law enforcement and national security, but as the U.S. and Indian cases make apparent, a real problem for victims of ID fraud, both businesses and individuals.
With the trend towards providing services through call centres and the Internet, the opportunity for identity fraud has exploded. Over half of all identity fraud complaints are Internet related.
In the physical world, establishing identity relies on documents, such as driving licences, passports and certificates. With the advent of cheap, high quality copying equipment, relying on documents is increasingly an issue. Establishing identity in the virtual world is even more problematic. Individuals must remember and keep secure passwords and PINs, and these are notoriously weak forms of security. When they are lost or forgotten, customers must re-establish their identity -- most often by calling a call centre and answering a sequence of personal questions. Costly and time consuming, this process does not necessarily establish that the caller is ¡°who they say they are¡±. Furthermore, the call centre agent is also privy to their identity information, and as we have seen in the U.S. and India, consequences can be catastrophic.
COMBATING FRAUD WITH BIOMETRICS
Biometrics is a range of technologies that use specific physical and/or behavioural characteristics unique to each individual to either establish or confirm identity. The advantage in using biometrics is that identity can be established from a characteristic unique to the individual. In theory, even if one¡¯s personal information were stolen, a biometric technology would prevent the information being used in a fraudulent manner, as the identity of the individual attempting to use the information will not match the biometric on file.
The most common biometrics are the iris scan, fingerprint, face recognition and voice. (Less common biometrics including gait, odour and DNA.) Iris scanning, which is widely acknowledged as the most accurate, uses the patterns of the iris to uniquely determine identity. The most established biometric technology, the fingerprint, has been used in police work for over 100 years. Face recognition, which is the least accurate technology, uses face characteristics to recognise individuals.
However, the biometric with the greatest potential for widespread use is speaker verification. Speaker Verification can authenticate a person¡¯s identity from their unique voice characteristics. In a nutshell, a person records a spoken password (such as their name). This is analysed to extract the unique voice characteristics, which are then compiled into a ¡®voiceprint¡¯ which is stored in a database.
During a transaction, to confirm their identity, the person simply says their name. The corresponding ¡®voiceprint¡¯ is downloaded from the database and the characteristics of each are compared. If they match, identity is confirmed and the transaction can proceed. Because Speaker Verification relies on the voiceprint (and not a particular password or phrase) an imposter attempting to gain access to an account will be rejected by the system.
SPEAKER VERIFICATION: UBIQUITOUS AND SECURE
A key benefit of Speaker Verification is that it works over the telephone. The world¡¯s most ubiquitous communications device, the telephone is found in almost every household and business worldwide. This means one¡¯s identity can be authenticated from anywhere in the world simply by dialling a telephone number.
In other words, the infrastructure for the widespread rollout of Speaker Verification is already in place. There is no need to invest in special sensors or scanners. Nor is their any need to invest in special authentication software or data communications technology and customers do not have to learn to operate any new equipment or systems . They simply use the telephone. These factors all add up to an authentication solution that is more cost effective, easier to implement and faster to deploy than any other technology.
Speaker Verification also offers enhanced security when compared to other authentication technologies. As the technology is accessed by telephone, the authentication solution can be centrally located in highly secure facilities with no connection to unsecured desktops, laptops and networks. Hence, there is no opportunity for ¡®hackers¡¯ to break into the system, providing an extremely secure solution for identity management and authentication.
Not only is Speaker Verification by far the most cost effective to deploy, it is also the most effective and convenient for people to use. Passwords and PIN¡¯s are unnecessary making call centre agent intervention obsolete. This has the additional benefit of closing off another avenue for identity theft to occur, removing call centre agents from the identity verification process and cutting call centre operation costs. The following table compares the benefits of Speaker Verification with other biometrics.
In the past, there have been numerous questions regarding the performance of Speaker Verification. What happens if I have a cold? Can mimics break into my account? What happens if somebody records my voice? Can my password be decoded from the voiceprint? Recent advances in Speaker Verification technology have addressed all of these questions.
Studies commissioned by the Communications Electronic Security Group (the Information Security division of the British Government Communications Headquarters) demonstrated that Speaker Verification outperforms all fingerprint, hand print and face recognition systems tested. Testing by Edinburgh University¡¯s Centre of Communications Interface Research showed Speaker Verification technology gave 99.9% security that is 100 times better security than PINs and passwords, with 97% of callers successfully completing transactions without assistance. More recently International Biometrics Group in New York and University of Canberra¡¯s (UC) National Centre for Biometric Studies have confirmed the highly competitive performance of Speaker Verification technologies for use in on-line financial services and Government call centres. In the case of the UC, their studies confirming commercial robustness of speaker verification in mobile telephone networks and in high noise conditions often found in real-life production deployments.
Extensive testing has also shown that mimics are unable to fool the technology, and it has been configured to remain relatively insensitive to colds and flu. Unless highly sophisticated equipment is used, recordings also cannot fool the system. However, to further strengthen security aspects, Speaker Verification systems are usually set-up to ask questions in a random sequence, thus making each session different and preventing a previously recorded voice from being used. In fact speaker verification is now at the point where it is being deployed into highly secure Government services and there are atleast two vendors certifying their technology for defence applications.
SECURING THE CALL CENTER
The Australian Government¡¯s Office of Strategic Crime Assessment has stated that critical to the functioning of the economy is the requirement that stronger systems of proof of identity are developed. Of all the authentication technologies available, Speaker Verification offers the most attractive solution. Speaker Verification is not only more convenient than PIN¡¯s and passwords, is also more secure and cost-effective than other biometrics. But probably more importantly is its ability to secure the call centre and on-line services; business¡¯s and Governments¡¯s security ¡®weak link¡¯. By using speaker verification to front-end call centres and on-line service then there is no need for call centre agents to see clients¡¯ personal informaiton, PIN¡¯s or passwords. There is no need for caller to disclose this information to call centre agents. Callers simply authenticate using voice automatically, and once authenticated can be passed to the agent anonymously; where the call centre agent can be certain that the call is who they say they are but need not know any personal information. If only the helpdesk in the U.S. and the off-shore call centre in India had used speaker verification -- then they may not be facing potential losses of tens of millions to fraud and lost business.
Dr. Clive Summerfield is Director of National Centre for Biometric Studies, University of Canberra, and CEO of 3SH Consulting (www.3sh.net).
For more information, please send your e-mails to firstname.lastname@example.org.
¨Ï2007 www.SecurityWorldMag.com. All rights reserved.