Call centres and outbound verification

I’m sure we’ve all experienced authenticating ourselves when calling a company. You have a (hopefully) trusted contact number, you dial in, answer some information and the call handler can access your account.

But what about the other way round? You’re called out of the blue by a company and they start demanding information from you citing “data protection” before they’ll go any further. How do you know who they are?

I’ve experienced this exact situation recently from the financial and healthcare sectors, on many occasions the caller ID (which can be spoofed, more on that later) is withheld. A typical interaction with me might go:

Them: “Hello, I’m calling from your delivery company to arrange a date, can I take your date of birth please?”

Me: “Nope”

It’s understandable, especially in the case of a health-related delivery company, that they might not want to identify themselves or what they’re delivering in case they have the wrong number or someone other than the patient has picked up the phone. But it’s equally not ok to be coaching people into just handing out their personal information like this unprompted.

An obvious thing to do in such a situation is to simply call the company back on a validated number (not one provided by the would-be caller) but often it’s difficult to get back to the original person or that the queues are long so it is very tempting to just play along.

Technology and automation go a long way of course; sending an email or text notification with a validatable website link allows people to arrange their own deliveries or send a secure message back but not everyone will want or be able to do this.

So how to mutually authenticate on a phone call that originates from a company you already have a relationship with? A codeword can be useful, for example:

“Hello, I’m calling from your delivery company to arrange a date. I’ll need to verify your identity in a moment, but to show you I’m calling from the company the code word you’re expecting is banana.”

An argument against this is that the calling company doesn’t know who’s picked up, it could be a bad actor. Armed with that code word the bad actor can now spoof the company’s phone number, call the real person, give the correct code word, and proceed to interact as if they were the real company. A bit of a convoluted way round but still a small risk.

An alternate would be to pick from multiple options, for example:

“Hello, I’m calling from your delivery company to arrange a date. I’ll need to verify your identity in a moment, but to show you I’m calling from the company please can you confirm which code word you’re expecting from the following: apple, banana, peach.”

This shows the customer the caller has some knowledge, and vice-versa, and if the wrong person is called then it cannot be replayed.

Overall though this is not a particularly great situation as it needs the codeword to be setup first, and for it to be recalled at the next interaction which could be years in the future.

Some thoughts then on how to approach company-initiated customer contact:

1. Avoid voice if possible. Use text, email, or app messaging with a verifiable link or security-conscious wording such as “call us on the number printed on the back of your credit card”.
2. In a voice call step-up authentication as needed. If it is a purely informational call with no personal details divulged, then there is no need to ask for personal information up front.
3. Pre-agree codewords on account creation especially in the financial and healthcare sectors, and make them accessible via website or app.
4. Have a mechanism where a customer can easily get back in touch with the company by calling into a trusted number (found on a website for example) and giving a specific extension to bypass the first line call centre.
5. Avoid normalising requesting personal information from unsolicited callers.

Of course, when a customer calls in to a contact centre then assuming they have used a known-good number (direct from a website for example) then hopefully they are already confident about who they are speaking to. Some banks have now started to use the biometric capabilities of phone apps to authenticate their customers during phone calls which is a useful extra step too.

Technologies such as U2F (FIDO) solve many problems with mutual authentication but are sadly still not readily available to use.