TL;DR: Call centers remain a prime account takeover target because social engineering exploits human trust faster than technical controls can respond, and TransUnion says more than half of ATO attempts now start there. Knowledge-based authentication no longer provides reliable assurance for sensitive recovery flows, and identity binding with biometrics and mobile verification changes the control model.
NHIMG editorial — based on content published by 1Kosmos: why call centers are prime targets for social engineering and account takeover
By the numbers:
- Traditional authentication adds 30 to 60 seconds to every call, often more when customers struggle to answer.
Questions worth separating out
Q: What breaks when call center verification relies on knowledge-based authentication?
A: KBA breaks because attackers can buy, guess, or socially engineer the answers, while legitimate users often forget them.
Q: Why do call centers remain a common account takeover path even when MFA is in place?
A: MFA on digital channels does not protect a support agent who can override recovery steps after a successful pretext.
Q: How do organisations know whether caller verification is actually working?
A: Look for reduced reliance on agent judgment, fewer failed recoveries from legitimate customers, lower override rates, and complete logs of identity proofing outcomes.
Practitioner guidance
- Remove KBA from sensitive recovery flows Eliminate security questions from password reset, account recovery, and high-risk servicing paths where fraud or takeover would be material.
- Insert automated identity proofing before agent action Require device-linked verification, document validation, or biometric proof before an agent can change credentials or disclose protected account data.
- Log and review support-channel verification decisions Capture who initiated the verification, which checks passed, which exceptions were used, and whether the outcome was overridden for audit and fraud review.
What's in the full article
1Kosmos's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step caller verification workflows that replace KBA in live support environments
- Specific deployment patterns for biometric, mobile identity, and document verification in contact centers
- Standards and compliance detail tied to NIST 800-63-3 and FFIEC expectations
- Operational examples of how identity binding reduces repeat authentication risk
👉 Read 1Kosmos's analysis of why call center verification needs a new identity model →
Call center verification: are KBA-based controls still defensible?
Explore further
KBA failed because it was designed for a world where personal data stayed private. That assumption no longer holds, and contact centers are still operating as if it does. When identity proof depends on static questions, attackers only need breached data and a calm voice to pass as a legitimate customer. The implication is that support-channel assurance has to be rebuilt around live identity evidence, not memory tests.
A few things that frame the scale:
- More than half of account takeover attempts now originate through call centers rather than online channels, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when a call center allows an impostor to reset access?
A: Accountability sits with the organisation that designed the recovery control and the operating team that allowed manual exceptions to bypass assurance. Regulators and auditors will look at whether the workflow used appropriate multi-factor evidence, logged decisions, and limited agent exposure to sensitive data.
👉 Read our full editorial: Call center identity verification is moving past knowledge-based auth