Protecting Compromised Victims After a Data Breach
Australian telco Optus released a statement on September 22, 2022, regarding a cyberattack that resulted in a major data breach affecting its customers. Optus believes that the cyberattack involved unauthorized access to current and former customer information. The breach has become a politically charged event, with Home Affairs minister Clare O’Neil informing the Australian parliament that it involved nearly 10 million people and that 2.8 million have lost “significant amounts of data”. Compromised customer information included names, dates of birth, addresses, phone numbers, passport details, driver’s license numbers, and Medicare numbers. To make matters worse, the hacker has recently released 10,000 alleged customer records as part of their ransom demand.
An important topic for discussion after a cyberattack is ensuring the protection of the victims of the attack. Hackers can purchase stolen information on the dark web and impersonate the victims to attack existing accounts or create new accounts using the stolen information. Compromised driver’s licenses, passport numbers, and Medicare numbers mean that hackers have a higher chance of succeeding, especially since these numbers rarely change. Traditional verification methods, such as answering security questions about date of birth and address or presenting government documents such as driver’s licenses and Medicare cards, are now less secure. Organizations must integrate alternative methods so that victims can continue to verify their identity and securely authorize access to services and transactions.
Protecting Compromised Victims
Organizations can use identity verification processes that eliminate the need for them to retain personal information, such as name, address, and driver's license details. Combining device-based information, like access to your mobile device, with biometric verification, such as Auraya’s EVA Voice Biometrics technology, helps reduce the risks of identity theft to both organizations and their customers. The use of voice biometrics provides a unique capability for a person to say a one-time passcode which is only valid for the specific transaction or access request. The person can provide the correct code, using a voiceprint to prove it is the authorized person, while on the trusted device. This multifactor authentication process provides increased security and a frictionless, convenient user experience. EVA Voice Biometrics enables organizations to verify a legitimate customer identity. Voice biometrics can also be used by organizations to spot known fraudsters by matching the spoken request against a list of fraudster voiceprints, further improving the security of their customers’ accounts.
Voice biometrics is a better solution than relying on the face recognition or fingerprint system that is stored on a device. Physical or virtual control of the smartphone allows a bad actor to add their own fingerprint or face to the device in a simple process, thwarting this identity verification process. Organizations that use voice to verify a customer’s identity can check that the access request has three distinct security factors, or keys: (1) the trusted device, (2) a separate check that the person matches the stored voiceprint, and (3) the person is saying the correct one-time passcode.
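The three-factor check described above, as an added example that is not Auraya's code or API: a verifier accepts a request only when the device is the enrolled one, the spoken digits match a one-time passcode bound to that single transaction, and the voiceprint match score clears a threshold. The HMAC derivation, the 0.80 threshold, and all names are assumptions; voice_score and spoken_digits stand for the outputs of a voiceprint engine and a speech recognizer.

```python
import hashlib
import hmac
import secrets
import time

VOICE_THRESHOLD = 0.80  # assumed accept threshold for the engine's match score


def derive_passcode(device_key: bytes, txn_id: str, nonce: bytes) -> str:
    """Six-digit code bound to one transaction and one device key."""
    mac = hmac.new(device_key, nonce + txn_id.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Verifier:
    def __init__(self):
        self.device_keys = {}  # device_id -> secret provisioned at enrollment
        self.pending = {}      # txn_id -> (device_id, nonce, expires_at)

    def enroll_device(self, device_id: str) -> bytes:
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def challenge(self, device_id: str, txn_id: str, ttl=60, now=None) -> bytes:
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[txn_id] = (device_id, nonce, now + ttl)
        return nonce  # sent to the device, which derives and displays the code

    def verify(self, device_id, txn_id, spoken_digits, voice_score, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(txn_id, None)  # single use, even on failure
        if entry is None:
            return False, "no pending challenge"
        bound_device, nonce, expires_at = entry
        if now > expires_at:
            return False, "expired"
        if device_id != bound_device or device_id not in self.device_keys:
            return False, "untrusted device"
        expected = derive_passcode(self.device_keys[device_id], txn_id, nonce)
        if not hmac.compare_digest(expected, spoken_digits):
            return False, "wrong passcode"
        if voice_score < VOICE_THRESHOLD:
            return False, "voice mismatch"
        return True, "ok"
```

Because the challenge is consumed on the first attempt, a recorded passcode cannot be replayed against the same transaction, and a code issued for one transaction is useless for another.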
EVA Voice Biometrics includes fraud attack protection which detects and flags synthetically generated, recorded playback, or mimicked voices. What this means for organizations and their data breach victims is that any fraudsters attempting to impersonate their victims will face additional security roadblocks via voice biometrics. While they may have possession of customer information, fraudsters will still fail identity verification processes if they cannot pass the voice biometric check.
Moving away from knowledge-based security questions to biometric verification can help mitigate the risks of future cyberattacks such as data breaches, account takeovers, and identity theft. It would no longer be necessary for organizations to request and store general personal information for identity verification, as a simple account or mobile number and customer voiceprint would be sufficient. This also helps reduce the risk of internal cyberattacks where current and former employees with malicious intent may have access to customer information. Customers would likely feel more secure and comfortable knowing that they are not required to provide personal information to strangers every time they interact with an organization.
On top of better and more convenient security, Auraya’s voice biometrics technology is language agnostic and can be integrated into many channel platforms such as contact centers, mobile applications, web browsers, or chatbots. This allows for seamless and frictionless voice biometric identity enrollments and verification across numerous touchpoints.