Contact centers are increasingly under the threat of cyber attacks. According to a 2023 survey, 90% of respondents reported increasing cyber threats in contact centers. Instead of trying to attack individual accounts, bad actors target contact centers that store and process payment information and other personally identifiable information of a large number of people.
According to the report, most attackers use phone number spoofing and social engineering tactics like phishing to take over accounts. While extensive training can help reduce its prevalence, contact centers need robust security solutions that can keep customer data safe even if passwords are compromised.
For this, contact centers need Behavioral MFA.
What is Behavioral MFA and How Does It Work?
Behavioral authentication is a multi-factor authentication (MFA) factor that verifies a user's identity based on unique aspects of their behavior, like how they type or move their mouse. It analyzes a user's natural patterns of interaction to build a profile that can recognize deviations created by unauthorized use. This means that multifactor checks are being performed consistently throughout the day instead of waiting for the user to authenticate to an application.
Users are assigned a trust score based on their behaviors. If the trust score is high enough, the user will not be inconvenienced by a manual MFA challenge when accessing an application. Some organizations will even use high trust scores in passwordless policies and let the user bypass password requirements entirely.
If the trust score is low, indicating that the wrong user is behind the keyboard, multiple options are available depending on the BPO's preferences and policies.
Unlike conventional MFA, which is currently used mainly in contact centers and relies on external factors like tokens, behavioral authentication leverages a user's inherent "fingerprint" to confirm their identity. It provides continuous, persistent authentication by constantly monitoring how someone interacts with their device. Even if credentials are compromised, a threat actor won't be able to mimic a user's distinct behavior.
One of the main advantages is that behavioral MFA requires little effort from the user. They don’t have to type in their passwords or press their fingerprints. The system also continuously authenticates the users, so the bad actors don’t have a chance to get inside between verifications. Since the system relies on multiple factors, it is impossible for a bad actor to fake these unique behaviors.
The Rise of Phishing Attacks in Contact Centers
Contact centers are highly prone to phishing attacks. They employ hundreds of employees who regularly have access to customers' personally identifiable information, making them a lucrative target for hackers. All they have to do is get into any one of these employee accounts, and they can access customer information—including payment data—for thousands of people.
Bad actors try different tactics for phishing. While it was largely limited to emails pretending to be someone—maybe tech support or a bank representative—these days hackers go so far as to call contact center employees using voice-changing and phone-spoofing technology.
Contact center employees may receive calls asking about routine cybersecurity checkups or claiming that a virus has infected their systems. These data breaches can be costly to the company and its clients. In a recent ransomware attack on a call center in Australia, attackers released over 60 gigabytes of customer data online.
While extensive training can mitigate these risks to an extent, there is still a chance that one among the hundreds of employees may fall victim to phishing–humans are imperfect, and mistakes happen. Traditional MFA systems are not robust enough to overcome modern social engineering attacks or human error.
Why Traditional MFA Methods Are Vulnerable to Phishing
Traditional multi-factor authentication has many weaknesses. They are difficult to manage and it takes effort and skill from individual users to maintain the security of the systems. More than anything, they have no defenses against social engineering attacks.
In phishing, attackers pretend to be someone a contact center employee knows and essentially force them to hand over their credentials or access to their systems. They may call contact centers pretending to be technicians, bank employees, or a government official and gain access just by asking them for passwords or 2FA codes.
If attackers are able to convince contact center employees to hand over access, it doesn’t matter if you’ve implemented rotating passwords, 2FA applications, or even physical hard tokens. Once attackers have gained employees’ trust or convinced them that they’re from a government agency or another trusted entity, the employees will simply hand over access.
Traditional systems are also not designed to detect unauthorized activity once bad actors gain access. Once authenticated, the attackers get free reign throughout the systems.
These solutions are also vulnerable to MFA fatigue, which occurs when attackers send repeated MFA requests. Users may initially reject the sign-in attempts, but after a while, they may just hit “accept sign in,” maybe out of habit or thinking there is a bug in the system.
Behavioral MFA: The Superior Phishing-Resistant Solution
Behavioral MFA uses behavioral patterns to authenticate legitimate users and detect unauthorized users. Everyone has a unique way of interacting with computer systems, be it the speed at which they type, the errors they make, or how they perform certain actions. Some users may use a specific keyboard shortcut a lot, while others may use the mouse for the same action.
Behavioral MFA analyzes these patterns and detects behavioral mismatches in the system. It is phishing-resistant for many reasons. The first is that behavioral MFA does not require passwords or tokens. An attacker cannot trick users into entering their passwords or 2FA codes.
Another reason is that even if an attacker enters the system through a hack, behavioral MFA doesn’t let them carry out any operations. Behavioral MFA is continuous and will monitor any action on the system for behavioral mismatches. If it detects an unauthorized user, it will end the session and notify the security team.
Behavioral characteristics also can’t be stolen or replicated. With physical hard tokens, there is a risk of replay attacks, and attackers may replicate credentials using fingerprint or facial recognition systems. However, behavioral authentication checks many factors, all innate to the user, and cannot be replicated easily.
Step Up Your Contact Center Security With Behavioral MFA
Behavioral MFA is inherently phishing-resistant. With no passwords or “keys” to hand over in the event of a phishing attack, there is no risk of attackers tricking the users. It’s continuous, seamlessly integrates with existing systems, and requires no effort from the users, reducing MFA fatigue and security friction. Due to the inherent complexity of behaviors over passwords, it's difficult for an attacker to replicate them and virtually impossible for them to do a replay attack.
