I could really do with some help please. How can I encourage customers to go through security with my outbound teams when customers are becoming increasingly conscious of the security of their personal information. So many customers refuse to answer our standard security questions (full name, DOB, postal code, etc.) for fear that we are not who we say we are. The call unfortunately ends there.

Any suggestions?

That is a very very tough scenario you have there. The best my team of outbound people used to be able to do was provide them a number to call back right away and test.

Though we didn't have this issue too much as we were always calling about a specific recent order.

Emma,

I would not believe anyone who called me and tried to authenticate me. I would expect them to authenticate themselves if they had called. Justin's suggestion of having the customer call back can work. But is there anyway your agents could volunteer information about the account to prove who they are?

Rob

Outbound calling is always tricky when it comes to security. You need that 3rd point of reference that allows an agent to express to a customer that " I the agent know who you are"?. This is often done via pin codes,physical or email address verifications etc.Your calling scenerio dictates how far you can go when requesting personal data from a customer.If you are "cold calling" you can request little of a customer with out involving web sites ,email,mailers etc. were by a customer has a method of research into "who you are".

I know this will not help you, Emma, but I wanted to share that this problem is certainly not unique. Even the very largest organisations are struggling with how to overcome it.

There are certainly technical solutions, which typically involve giving all your customers a 'dongle'. The dongle generates a unique time-based code when you press a button - you may have one already to log in to a bank account, or similar. They can work the same way for identification too. Visa is trialling a system for this, embedded into their credit cards: click here

Of particular interest to your case is the second video linked from that site: click here for that

Looks expensive, right? And apparently can only be used by people with Australian accents :-)

CR.

Emma, I think this is a major and growing issue, and one that all organisations will have to address: as customers get more and more wary of orgs and outbound calling (and general org-consumer trust is at a pretty low level) then it is going to be a major issue for outbound as part of a customer contact mix. As Cam Ross has suggested, there are technology solutions, but I think current approaches are of limited use: partly lack of user friendliness (eg Nat West's solution), partly inconvenience (where is that dongle? I'm in the kitchen, the dongle is in another room, somewhere in a desk drawer, along with the five other dongles that other orgs I do business with have given me..oh, and the battery is flat...) However, I think there is a simple procedural solution which is bi-lateral security procedures. That is, when you ask the customer to set up their passwords and security questions, they also agree with you a parallel set of security questions they can use to identify you, and the fact that you properly have access to their accounts/data. Orgs who do this will have an advantage in terms of being seen to be concerned about customer security concerns. It also gives them a "lock in" advantage relative to orgs who haven't done this. Guy Fielding (horizon2)

Note to self: before hitting the "add reply" button, make sure the post says what you want it to say!

Folks: In my previous post what I meant to say about bi-lateral security procedures was:

...when you ask the customer to set up their passwords and security questions, in addition to the usual passwords and security questions which allow you to validate their identity and authority to access their accounts, they also agree with you a parallel set of password and security questions that they can use to identify you, and use to assure themselves that you properly have access to their accounts/data.

Not only is this simpler than technology solutions, and consistent with other current security procedures, but it has the big benefit that is also clearly an arrangement between equals, rather than the one-sided procedures currently used, which implicitly put the customer in the position of supplicant with respect to a rather arrogant organisation

Guy

This indeed, is a major challenge for many. I'd suggest even more difficult for financial organisations that actually ARE calling from the Fraud department!

Have any other users tried to use Guy's suggested approach? Was there any reluctance to implement from Legal / Compliance areas?
This is an idea that I've thought about before, but I see this as potentially a vicious circle: We can't give the customer any information before we know they are the customer, and they won't give us information until we confirm we're the customer's company. Would giving away things like password prompts be viewed as a breach of data protection in any of your organisations?

Gareth: I don't know of anybody who has good outbound security procedures, but like you would love to hear from/know about anybody who does. And I don't know of anybody currently using my "bi-lateral security" idea. Makes me think there's a useful piece of research to be done (sponsored by CCA? CCF?) looking at what procedures organisations are using, what customers think of them, what the practicalities are, what the compliance/regulatory/legal issues are, etc. And clearly variation in the issues/practices across different sectors/functions (eg fraud) would be really intersting. And the other way to go would be to find an organisation willing to be the first mover and pilot it.... Guy

Hi Emma

Did you get very far with your research?

Voice Biometrics could work using the following process. Agent calls the customer and rather than the customer providing the agent with ID tokens the call is transferred to the voice biometric engine and the customer is asked to speak. The biometric engine verifies the caller and the call is passed back to the agent.

Its technologically complex and requires the implementation of voice biometrics but its an option for the future maybe.

Let me know if you need any more information darren.mills@icr3s.co.uk

Darren

Darren: Intersting idea. My worry is that anything that is at the caller's end of the conversation is suspect...if I am a scammer, then I wouldn't be too phased by having to set up something that sounds like a Voice Biometrics engine. The same problem applies, I think, to anything where you depend on the customer calling back...if you've given them the number, extension, name, that you then suggest they call, how do they know it is genuine rather than just an accomplice/extension of the scammers? The authentication process has to be something that the customer has control of and that they operate. I think the only other route to go with this is a "public verification process", whereby, for instance, the voice biometrics engine was controlled by a public body equivalent to, say, a real-time Criminal Records Bureau. Organisatioins would register their agents, their voice prints and their contact details with the "Public Verification Authority", and customers would then route their callbacks through the PVA... But this seems like a massive sledgehammer to crack a relatively small nut; and it also introduces a two-step process, which is likely to add expense and significant drop out during the callback process. I think we need to explore simpler, non-technological options first...but I'm still trying to find somebody who has done anything systematic about this problem, and what their experience has been.
Guy Fielding
all contact details: www.horizon2.tel