
How can I authenticate a customer calling over the phone?

I work at an international bank and would like to authenticate users requesting wire transfers over the phone....

Is there any new technology requiring the use of a token or smart card that can give me reasonable assurance I am talking to the person he/she claims to be?

The most exciting possible solution for you that I have found comes from a company called Beepcard. They have a smart card that can fit into a credit card and have already gotten certification from Visa and MasterCard, too, as I am told. Unlike other smart cards, this one is audio. You press a button on the card, and it sends out a one-time digital authentication token as a series of beeps. You can simply hold it up to a phone, or use it with a PC that has a microphone. There is a version that is a simple broadcaster, and one that also has voice authentication in it. Depending on some of the other security parameters of your system, this could very well be exactly what you want.

VASCO are another manufacturer of tokens. They did much of the pioneering work on them and are extensively used by European banks. I would talk to them, too, because they have a history of securing financial transfers.

Swivel Technologies also have an authentication system that could work for you. Theirs is based upon sending the user a random string that they modify with a PIN. It can run on a computer, PDA, or smartphone, or even be done by hand. It's clever.

Authentify is different, and perhaps not applicable, but I like this system, which can work either as a service or an appliance. The way that it works is by callback. For example, let's suppose I call you to make a wire transfer. I give you a number to call me back on, and then their system calls my number. They ask me to say the number they call me at, and their computer verifies it with voice recognition and records it. If there is fraud, you have the number that was used to commit the fraud and a recording of the fraudster's voice. It may not be what you want, but it's innovative. I like it, myself.

Is this solution for regular customers who make lots of wire transfers or for occasional customers? For example, I rarely make wire transfers, and if I banked with you, then it wouldn't be worth it to have a physical token. The cost (almost any cost) would be too high, and I'll probably throw the thing into a drawer where it will never be seen again. In this case, a software-only system would be best.

Do you want to give your users a token? Do you want it to be usable with no other equipment? If both of those are so, then the RSA or VASCO tokens work with nothing else. If you want to require a computer, then there are a lot of USB tokens or smart cards that I haven't mentioned at all, which could be applicable.

Do you want the phone to be part of the authentication? In these days of ubiquitous cell phones, the phone itself can be part of the authentication or lower the threshold. For example, when I get an updated credit card, if I call from my registered number, then they don't require the same level of authentication. You could have a service where someone who made a wire transfer had to use a specified number.

All of these factors will affect your solution. Remember, security is a balance of cost versus security, as well as reliability. Insurance could be a viable solution as well, assuming the fraud rate is low enough. It might be cheaper to insure than to buy tokens.

This was last published in March 2004
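
The "random string modified with a PIN" idea from the answer above, sketched as an added example (not code from the original answer or from Swivel). The answer does not say how the PIN modifies the string; this sketch assumes each PIN digit selects a position in a 10-digit challenge, and the names `PhoneAuthenticator`, `new_challenge` and `derive_code` are hypothetical.

```python
import hmac
import secrets

STRING_LEN = 10  # assumed challenge length: positions 1..9, then 0 for the 10th


def new_challenge():
    """Random digit string read out (or sent) to the caller for one attempt."""
    return "".join(secrets.choice("0123456789") for _ in range(STRING_LEN))


def derive_code(challenge, pin):
    """What the caller does by hand: PIN digit d picks the d-th character
    of the challenge (digit 0 picks the 10th). The PIN itself is never spoken."""
    return "".join(challenge[(int(d) - 1) % STRING_LEN] for d in pin)


class PhoneAuthenticator:
    def __init__(self, pins):
        self._pins = dict(pins)  # customer id -> enrolled PIN (constructed data)
        self._pending = {}       # customer id -> outstanding challenge

    def start(self, customer):
        """Issue a fresh challenge, replacing any earlier unanswered one."""
        challenge = new_challenge()
        self._pending[customer] = challenge
        return challenge

    def verify(self, customer, spoken_code):
        # pop() makes every challenge single-use, so a code overheard on
        # one call cannot be replayed on the same or a later call.
        challenge = self._pending.pop(customer, None)
        pin = self._pins.get(customer)
        if challenge is None or pin is None:
            return False
        expected = derive_code(challenge, pin)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected.encode(), spoken_code.encode())


if __name__ == "__main__":
    bank = PhoneAuthenticator({"alice": "2468"})  # constructed sample customer
    challenge = bank.start("alice")
    code = derive_code(challenge, "2468")
    print(challenge, "->", code, bank.verify("alice", code))
```

An eavesdropper who hears both the challenge and the code learns which positions each PIN digit could be, so repeated observation narrows the PIN; the scheme limits exposure on a monitored line but does not remove it.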
