Semafone has Three Little Words for customers – and no, they aren’t “I love you,” although the company certainly hopes they’ll inspire that feeling.
For the 2018 PYMNTS.com Voice Challenge with Amazon Alexa, Semafone developed an Alexa skill called Phone Concierge that fulfills two key security functions during potentially sensitive phone conversations: first, identification and verification, and second, secure voice payments.
Semafone’s head of global solutions, Ben Rafferty, and senior software developer James Kirrage said they were inspired to create this skill in response to the problems that banks and billers face when doing outbound calling to customers. Customers don’t always answer, and when they do, they aren’t always sure that it is the real biller or a scammer up to no good.
In both use cases, users can ask Alexa to authenticate the interaction and she will generate a random one-time, three-word security key, which the user shares back with the company representative on the line to prove he’s truly with the company he claims to be.
In a recent interview with Karen Webster, Rafferty and Kirrage enacted two scenarios to show how the skill works and explained why it’s more secure than knowledge-based authentication.
Use Case One: Identity Verification
Kirrage, representing Innovation Electric, calls Rafferty with a question about his account. Before discussing this sensitive information, Rafferty says he wants to authenticate the session. He asks Alexa to check with Phone Concierge to see who’s calling. Alexa says it’s an unauthenticated call from Innovation Electric and asks if he would like to authenticate it.
Alexa gives him the three little words: “pension, pin, current.”
Rafferty recites these words back to Kirrage, who types them into the Innovation Electric system. Now when Rafferty asks Alexa who’s calling, Phone Concierge can verify that Kirrage is really a representative of Innovation Electric – and also that Rafferty is truly the customer Kirrage believes he called.
The one-time password is generated based on the merchant ID, explained Kirrage, and is time-based, so even if someone overheard the key, it couldn’t be reused.
Use Case Two: Voice Payments
Innovation Electric makes another call to Rafferty, this time to let him know that he has an outstanding balance on his account. Rafferty says he would like to pay using Alexa. Kirrage sends through the request for payment.
When Rafferty tells Alexa to ask Phone Concierge to check his payment requests, she verifies the amount and gives him another three-word key. Rafferty relays the code, Kirrage enters it on the company’s end and the payment is completed. Rafferty can then have Alexa check his last payment on Phone Concierge if he wishes to confirm that it went through.
Kirrage said this function has applications in retail, too. Merchants have varying degrees of security, so this can give customers peace of mind that their information is safe – indeed, their credit card numbers are never released to the merchant. Instead, the payment is tied to the merchant ID, customer ID, payment service provider and card on file.
The benefits aren’t only on the consumer side, Kirrage said. Merchants pay a premium to accept card-not-present transactions; authenticating via phone can lower their risk as well as reduce costs for PCI compliance, because the ecosystem is now smaller.
Again, Kirrage noted, the security token expires and can’t be reused.
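The article describes the three-word key as a time-based one-time password tied to the merchant ID that cannot be replayed once used. The following is an added illustration of one way such a scheme could be built, not Semafone's own implementation; it assumes an HMAC-SHA256 derivation keyed by a shared secret, a 60-second step, a constructed word list, and a customer ID alongside the merchant ID, none of which the article specifies.

```python
import hashlib
import hmac
import struct

# Constructed word list for illustration (includes the article's three example
# words); a production list would be far larger, since three picks from N words
# give only N**3 possible keys.
WORDS = [
    "pension", "pin", "current", "anchor", "beacon", "cedar", "delta", "ember",
    "falcon", "garnet", "harbor", "iris", "jasper", "kettle", "lantern", "meadow",
    "nectar", "orbit", "pebble", "quartz", "raven", "saddle", "tulip", "umbra",
    "velvet", "walnut", "xenon", "yarrow", "zephyr", "cobalt", "dune", "fable",
]
STEP_SECONDS = 60  # assumed validity step of one key; the article gives no figure


def words_for_counter(secret: bytes, merchant_id: str, customer_id: str, counter: int) -> str:
    """Derive three words from an HMAC over merchant, customer and time step."""
    msg = f"{merchant_id}|{customer_id}|".encode() + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Each word index comes from two digest bytes reduced modulo the list size.
    picks = [int.from_bytes(digest[2 * i:2 * i + 2], "big") % len(WORDS) for i in range(3)]
    return " ".join(WORDS[p] for p in picks)


def three_words(secret: bytes, merchant_id: str, customer_id: str, now: int) -> str:
    """What the assistant would read out to the customer at Unix time `now`."""
    return words_for_counter(secret, merchant_id, customer_id, now // STEP_SECONDS)


class Verifier:
    """Biller-side check: right words, current step, never accepted before."""
    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # steps of clock skew tolerated on either side
        self.used: set = set()        # (merchant, customer, counter) already redeemed

    def verify(self, merchant_id: str, customer_id: str, spoken: str, now: int) -> bool:
        normalized = " ".join(spoken.lower().split())
        base = now // STEP_SECONDS
        for counter in range(base - self.window, base + self.window + 1):
            expected = words_for_counter(self.secret, merchant_id, customer_id, counter)
            if hmac.compare_digest(expected.encode(), normalized.encode()):
                key = (merchant_id, customer_id, counter)
                if key in self.used:
                    return False      # replay of an overheard key
                self.used.add(key)
                return True
        return False                  # wrong words or outside the time window
```

Because the derivation includes the merchant ID, a key issued for one biller does not verify for another, and the redeemed-set is what enforces the one-time property the article attributes to the scheme.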
Traditional Security Insecurities
Rafferty said authentication can be “a real bugbear” for the industry for a few reasons.
First, it has a high time cost. Knowledge-based authentication relies on the customer answering three questions – and those questions have inherent problems of their own, Rafferty added.
Someone’s previous name, address, or mother’s maiden name are matters of public record and could be accessed by malicious actors. More subjective questions, like “What was your first pet’s name?” or “What is your favorite color?” have the advantage of not appearing in the public domain, Rafferty said, but the customer could forget that pet’s name or change his favorite color, thus becoming unable to prove his own identity.
Rafferty noted that the skill Semafone developed for the Alexa Voice Challenge answers this by asking only one question with a one-time answer that is handed directly (and securely) to the user.
The second problem with knowledge-based authentication is that it’s a one-way street. The customer authenticates himself to the caller, but gets nothing in return; he can’t validate that the call is really coming from the bank.
Rafferty said Three Little Words creates a reciprocal scenario by adding reverse authentication to the mix. That way, both parties can be confident they’re talking to the correct person.
Playing Nice With PSD2
New European regulations under the second Payment Services Directive (PSD2) require secrecy of channels and data tokens, something that Rafferty and Kirrage said Semafone was very deliberate about including in its Voice Challenge submission.
Kirrage explained that the customer gets his Three Little Words from Alexa, not from the agent, and receives them on a separate channel from the data channel, creating secrecy of tokens from initiation through authentication.
Indeed, added Kirrage, Phone Concierge utilizes a multi-factor voice token, thus delivering more than the consent token required by PSD2 regulations.