Speech Authentication Strategies, Risk Mitigation, and Business Metrics, Page 3
Test and Tune the Speech Application
Speech application tuners can conduct in-depth usability assessments and take advantage of the system's Listen & Learn feature, which can automatically tune the system based on the unique speech patterns of users interacting with the service. Standard and customizable reports deliver in-depth speech-recognition statistics, allowing the tuner to analyze, pinpoint, and tune trouble spots in the application to increase automated call completion rates and improve the customer experience.
Multiple Verification Strategies—Risk Mediation
RSA Adaptive Authentication for Phone is the industry's first risk-based, multi-factor authentication (MFA) solution designed to protect a financial institution's telephone banking customers. Utilizing several factors to authenticate telephone banking users, Adaptive Authentication for Phone helps financial institutions reduce fraud through increased security and audit trails, reduce costs through automation, and address regulators' recommendation for stronger authentication—all without burdening the end-user experience.
Although other solutions are designed to monitor only one or two risk parameters (such as a voiceprint match), Adaptive Authentication for Phone measures several phone-specific parameters—in addition to a voiceprint—to authenticate telephone banking callers and transactions. Supported by the Risk Engine, Adaptive Authentication for Phone considers factors such as Automatic Number Identification (ANI) matching and user behavior profiling ("Is this typical behavior for this user?") in assessing the risk associated with a transaction and generating a unique risk score for the financial institution to use.
The RSA eFraudNetwork is a cross-institution, cross-platform repository of known fraud data gleaned from RSA's extensive network of banks, credit unions, debit and credit card issuers, ISPs, and third-party contributors across the globe. When a suspicious or confirmed fraudulent phone number is identified, the information is entered into the shared centralized database. The information is then disseminated to eFraudNetwork members in real time to prevent future attacks, thus providing proactive protection to financial institutions and their customers.
Securing the online and telephone banking channels is only the first step in creating a comprehensive cross-channel strategy. If silos still exist and technologies are not engineered to work together, even the best security solutions will do little to protect against the threat of cross-channel fraud. The strength of cross-channel protection lies in tracking and identifying suspicious or confirmed fraudulent transactions across both channels. For instance, a fraudster might compromise an online banking account to reset the password and change the genuine customer's address. The fraudster might then use the same compromised credentials within the financial institution's telephone banking system to transfer a large sum of money. With cross-channel security measures in place, the financial institution in this example would immediately recognize the password and address change that occurred online the day before and deem the phone-based money transfer a high-risk transaction. In turn, the fraudster would be challenged with secondary authentication, such as a one-time password or an additional voiceprint sample, to complete the transaction.
In short, Adaptive Authentication for Phone:
- Performs a behind-the-scenes risk assessment for callers and applies additional security as needed to ensure the lowest impact on end users
- Constructs audit trails for compliance and tracking
- Considers a series of risk parameters including an optional biometric voiceprint (leveraging the Nuance Verifier technology) to ensure the highest levels of security and accuracy
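The cross-channel scenario above can be sketched as a small risk-scoring routine. This is an added illustration, not RSA's code or the Risk Engine's actual model; the weights, the step-up threshold, the 48-hour lookback, the 0.8 voiceprint cut-off, and all class and field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Weights, threshold and names are illustrative assumptions, not RSA's values.
WEIGHTS = {"ani_on_shared_fraud_list": 40, "ani_mismatch": 25,
           "atypical_behavior": 20, "weak_voiceprint": 20,
           "recent_online_profile_change": 35}
STEP_UP_THRESHOLD, LOOKBACK = 50, timedelta(hours=48)
SENSITIVE_ONLINE_EVENTS = {"password_reset", "address_change"}

@dataclass
class Customer:
    registered_anis: set
    typical_max_transfer: float
    online_events: list = field(default_factory=list)  # (timestamp, name)

@dataclass
class PhoneTransfer:
    ani: str
    amount: float
    when: datetime
    voiceprint_score: Optional[float] = None  # None: voiceprint not in use

def assess(customer, txn, shared_fraud_anis=frozenset()):
    """Return (score, decision, reasons); reasons feed the audit trail."""
    reasons = []
    if txn.ani in shared_fraud_anis:
        reasons.append("ani_on_shared_fraud_list")
    elif txn.ani not in customer.registered_anis:
        reasons.append("ani_mismatch")
    if txn.amount > customer.typical_max_transfer:
        reasons.append("atypical_behavior")
    if txn.voiceprint_score is not None and txn.voiceprint_score < 0.8:
        reasons.append("weak_voiceprint")
    # Cross-channel signal: sensitive online change shortly before the call.
    if any(name in SENSITIVE_ONLINE_EVENTS and timedelta(0) <= txn.when - ts <= LOOKBACK
           for ts, name in customer.online_events):
        reasons.append("recent_online_profile_change")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return score, decision, reasons

# Constructed sample data: online changes the day before a large phone transfer.
CALL = PhoneTransfer("+1-555-0100", 9000.0, datetime(2024, 5, 2, 10, 0))
ONLINE = [(datetime(2024, 5, 1, 9, 0), "password_reset"),
          (datetime(2024, 5, 1, 9, 5), "address_change")]
SILOED = Customer({"+1-555-0100"}, 2000.0)           # phone channel only
LINKED = Customer({"+1-555-0100"}, 2000.0, ONLINE)   # also sees online events
print(assess(SILOED, CALL), assess(LINKED, CALL))
```

With the phone channel evaluated in isolation the large transfer is allowed; once the online password reset and address change are visible to the same assessment, the identical call crosses the threshold and triggers secondary authentication.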
Security features do not imply security! Security is a process, not a product. Security results not from using a few security features in the design of a product, but from how that product is implemented, tested, maintained, and used. Reference 11 contains an in-depth discussion of this subject.
Appendix 1: Voice Browser
A voice browser is exactly analogous to an ordinary web browser, except that instead of a keyboard, mouse, and monitor you use a microphone, keypad, and speaker. Instead of the visually-oriented HTML, a voice browser processes pages of VoiceXML. Both kinds of browsers use the same Web infrastructure: HTTP, cookies, Web caches, URLs, secure HTTP, and so on. Because VoiceXML is a standard from the World Wide Web Consortium, just like HTML is, voice applications complying with the standard will run on any compliant VoiceXML voice browser, making your investments safe and future-proof. Voice applications are no longer locked into proprietary systems.
To talk with a voice browser, simply dial its phone number. You'll be connected to a voice server that runs scores, hundreds, or perhaps even thousands of voice browsers, one per caller. When your voice browser starts up, it fetches and evaluates an initial page of VoiceXML it obtains from an ordinary Web server. This page tells the voice browser what to say to you, and also what to expect you to say in return. As the conversation proceeds, the VoiceXML page will reach a stage where it needs to submit the information it has collected to the Web server. The Web server will process this information and generate the next VoiceXML page that you'll listen to. Finally, the conversation is over when you hang up, or when the last VoiceXML page directs the voice browser to disconnect the call.
Your voice browser has an audio playback system that plays pre-recorded audio to you. It has a text-to-speech system that renders ordinary textual information into audio for you as well. When you respond to audio prompts, the voice browser's speech recognition system extracts meaning from what you say.
To experience all of this first-hand, dial 1-800-555-TELL and talk away.
Appendix 2: Multi-Factor Authentication
Multi-factor authentication is becoming increasingly important as a defense against the growing threat of security attacks, especially attacks based on obtaining an individual's password via trickery.
The Federal Financial Institutions Examination Council (FFIEC), which provides guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) audit function, recommends that financial institutions employ two of the following three factors to maximize security:
|Factor|Examples|
|---|---|
|Something the user possesses|A token, ATM card, or USB device|
|Something the user knows|A shared secret, password, or account number|
|Something the user is|A fingerprint, iris scan, or voice print|
Appendix 3: SOA and Web Services
SOA and Web services are two different things, but Web services are the preferred standards-based way to realize SOA.
SOA is an architectural style for building software applications that use services available in a network such as the Web. It promotes loose coupling between software components so that they can be reused. Applications in SOA are built based on services. A service is an implementation of a well-defined business function, and such services can then be consumed by clients in different applications or business processes.
SOA allows for the reuse of existing assets where new services can be created from an existing IT infrastructure of systems. In other words, it enables businesses to leverage existing investments by allowing them to reuse existing applications, and promises interoperability between heterogeneous applications and technologies. SOA provides a level of flexibility that wasn't possible before in the sense that:
- Services are software components with well-defined interfaces that are implementation-independent. An important aspect of SOA is the separation of the service interface (the what) from its implementation (the how). Such services are consumed by clients that are not concerned with how these services will execute their requests.
- Services are self-contained (perform predetermined tasks) and loosely coupled (for independence).
- Services can be dynamically discovered.
- Composite services can be built from aggregates of other services.
See Reference 5 for further discussion of Business Process Management (BPM), Service Oriented Architecture (SOA), and Web services.
References
- Harvey, M. Essential Business Process Modeling, O'Reilly (2005)
- Dunn, M. Pro Microsoft Speech Server 2007: Developing Speech Enabled Applications with .NET, Apress (2007)
- Anderson, E. et al. Software Engineering for Internet Applications, MIT Press (2006)
- Kung, S. Y. et al. Biometric Authentication, Prentice Hall (2005)
- Carr, H., Snyder, C. Data Communication and Network Security, McGraw-Hill (2006)
- Peinado, A., Segura, J. Speech Recognition Over Digital Channels, Wiley (2006)
- Daswani, N. et al. Foundations of Security: What Every Programmer Needs to Know, Apress (2007)
About the Author
Marcia Gulesian is an IT strategist, hands-on practitioner, and advocate for business-driven architectures. Marcia has served as software developer, project manager, CTO, and CIO. She is the author of well more than 100 feature articles on IT, its economics, and its management.