Telephone banking is still popular in the US, with over 52 million Americans actively using the services, but many banks are failing to implement strong authentication methods for the channel and are leaving customers vulnerable to fraudsters, according to the latest study from Javelin Strategy & Research.
Despite predictions that the Internet would phase out the channel, the Javelin research, which is based on a survey of 3215 respondents, found that many customers – including those who use online banking services – still use the telephone to conduct some transactions.
The study found that 35% of online consumers had used their bank's automated telephone system within the last month to perform banking functions such as checking account balances or paying bills.
But despite the ongoing popularity of the services, the study found that weak authentication measures continue to be utilised for phone banking.
Says Javelin founder and president, James Van Dyke: "Javelin data shows that a majority of top 23 US financial institutions need to strengthen authentication methods for the phone, with over one in four still asking for a full social security number, and only eight per cent requiring a password or answer to challenge questions."
This lack of effective and strong authentication for phone banking will lead to fraudsters increasingly targeting the services, warns Javelin. Now that banks have helped increase awareness of phishing, new fraud variations such as 'pretexting' and 'vishing' have emerged.
Pretexting involves fraudsters calling customers and conning them into disclosing personal data over the phone. This data is then used to access accounts via telephone banking services.
Vishing involves fraudsters using voice over Internet Protocol (VoIP) technology to con customers into disclosing personal data. In one version of the scam, customers receive an e-mail telling them to call a bogus "customer service" number. Those who call are led through a series of voice-prompted menus that ask for personal data. In another version, customers are contacted via VoIP instead of by e-mail. The call, which could be either a real person or a recorded message, tells customers action is needed to protect their account. They are then asked to disclose account numbers and passwords.