streamWrite Blog

News, events and useful information

IVR Phone Payments in 2021

When it comes to making payments, calling into an IVR may not be the first thing that comes to mind.  Personally, online banking is how I like to take care of regular monthly bills - it's fast and convenient. 

However, for organizations across multiple industries, offering payment by IVR as an option is still an important channel, for a number of reasons:

1) Other payment methods, such as in-office payments, may have been affected by the pandemic.

2) Customers calling customer service to ask questions about the bill prior to paying want a convenient and secure way to pay by phone. Transferring the caller to the IVR for payment is simple, effective, and efficient, and addresses PCI compliance concerns.  

3) Despite the naysayers, offering IVR as a payment option increases revenues.  The percentage of overall revenues IVR can represent varies greatly, and can depend on many factors (ease of use, how it's promoted, etc.). For some customers, IVR can be very seasonal, where 90% of the use is just during a few days of the year, but is a must-have because IVR contributes significant revenues.  

4)  For healthcare customers that have added IVR payment as an option, it's not uncommon to see IVR payments represent 18%-20% of all monthly revenues received.

5) Offering an additional payment method to the customer, when properly implemented, leads to higher customer satisfaction. 

6) It is available 24/7.

Cloud-based IVR removes previous barriers of premises-based systems, often with a fast implementation and a low setup cost.  Contact us for consultation on how we can help make this happen for your organization. 

 

 

Facial Recognition AI ruled "illegal" by Privacy Authorities in Canada

In a ruling on Wednesday, Canada's privacy commissioners found that Clearview's Facial Recognition AI is mass surveillance and violates individual privacy rights.  Commissioners have ordered the company to delete images from its database. 

Clearview has been the subject of investigations for its practices, including the controversial scraping of images from social media profiles. Clearview argues that facial images on social media are publicly available information.  While the company has agreed to stop offering its services in Canada, it has not agreed to remove the faces. 

Companies like Clearview aim to profit by assisting law enforcement agencies in solving tough cases.  It saw a 26% spike on January 7th, the day after a mob of rioters raided the US Capitol, as law enforcement officials sought to track down the perpetrators. 

This is certainly a thought-provoking topic, and prompts questions about where to draw the line between protecting individual privacy rights vs public safety and bringing criminals to justice.  What do you think?  

https://www.theverge.com/2021/2/4/22266055/clearview-facial-recognition-illegal-mass-surveillance-canada-privacy

Why aren't NIST password guidelines being adopted?

I have for many years felt that complex password guidelines, combined with regular expiration dates, create a recipe for weakened rather than strengthened security. We've all had to deal with it: passwords must be 8 or more characters and contain at least one of each of the following: lower case letter, upper case letter, number, special character, something like this: Xtrain99#. In addition, you have to change this every sixty days and cannot reuse prior passwords.

Now multiply this by differing rules implemented by many of the different systems you use on a regular basis, and you end up recording all of these passwords somewhere, hopefully not on a sticky note attached to your computer.

Unfortunately, I felt like I was swimming upstream in a deluge of password complexity that would never let up.

VINDICATION:

Enter new guidelines from NIST, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, swapping out prior guidelines for new, simpler, more sensible ones, and I started to feel vindicated: 

  • Passwords should never expire
  • No complexity or variety rules
  • Minimum length of 8 characters
  • Maximum length of 64 characters

And some additional recommendations, such as NOT having any hints (questions like where did you go to high school and what was the name of your first parakeet), only enforcing a password change when the password is forgotten or a potential breach is discovered, and checking against lists of known bad passwords...
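The difference between the old composition rules and the guidelines listed above, as an added example (not code from this blog or from NIST). The function names, the messages and the small known-bad list are assumptions made for illustration; the length limits are the figures from the list.

```python
import re

# Length limits are the figures from the list above. KNOWN_BAD is a small
# constructed sample; a real deployment would load a breached-password corpus.
MIN_LEN, MAX_LEN = 8, 64
KNOWN_BAD = {"password", "password1!", "12345678", "qwerty123", "letmein1"}

# Old-style composition rules: one character from each class.
LEGACY_CLASSES = {
    "no lower-case letter": r"[a-z]",
    "no upper-case letter": r"[A-Z]",
    "no digit": r"[0-9]",
    "no special character": r"[^\w\s]",
}


def legacy_check(password):
    """Return the complexity rules a password breaks (empty list = accepted)."""
    problems = ["shorter than 8 characters"] if len(password) < MIN_LEN else []
    problems += [msg for msg, pattern in LEGACY_CLASSES.items()
                 if not re.search(pattern, password)]
    return problems


def nist_check(password, known_bad=KNOWN_BAD):
    """Length limits plus a known-bad lookup; no composition rules at all."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LEN:
        problems.append("longer than 64 characters")
    if password.casefold() in known_bad:
        problems.append("on known-bad list")
    return problems


def compare(passwords):
    """Map each password to (legacy verdict, new-guideline verdict)."""
    return {pw: (legacy_check(pw), nist_check(pw)) for pw in passwords}


if __name__ == "__main__":
    # "Password1!" is a constructed sample; the other two appear on this page.
    samples = ["Xtrain99#", "correct horse battery staple", "Password1!"]
    for pw, (old, new) in compare(samples).items():
        print(f"{pw!r}: legacy={old or 'accepted'} new={new or 'accepted'}")
```

The constructed sample "Password1!" satisfies every legacy complexity rule yet is rejected by the known-bad lookup, while the long lower-case passphrase fails the legacy rules and passes the newer ones.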

Yes, I started to feel like some sanity on passwords was coming to light. I did not expect these changes, officially adopted in 2017, to hit the mainstream immediately, but nor did I expect that three years on, there would be almost no sign of widespread adoption.

Bill Burr, the employee at NIST who initially wrote the complexity guidelines, came forward to say that they actually had no real experiences to draw from, and just did what they thought was right at the time. Ultimately he recanted the guidelines in favor of the newer policies (Wall Street Journal, "New Password Tip: N3v$r M1^d!").

Gizmodo sums it up nicely with this graphic from their article on the subject, "Inventor of Password Rules Regrets Wasting Your Time."

[Graphic: correct horse battery staple]

UNANSWERED QUESTIONS:

But none of this answers my original question. Why are we still being forced to use the outdated guidelines when they have been completely debunked and new, more realistic guidelines have been put forth?

I'll keep waiting and hoping for the day when I no longer have to maintain a password-protected list of over 400 credentials along with answers to random security questions about parakeets.

Spam Phone Calls -- When will it get better?

Apparently, America is number one in the world for number of robocalls received. Not a very satisfying statistic, I know. Last year, 48 billion of them arrived on our phones, and I think I received more than my fair share! Voice messages left on my phone in computerized voices threatened me with lawsuits and, very recently, that a warrant would be put out for my arrest if I don't call them back. Note, they never used my name or told me who they were. They just left threatening messages and a phone number which were promptly deleted.

[Image: Robocalls, FCC, Do Not Call List]

The FCC states that their number one customer complaint is unwanted calls. They also provide some good information about the problem and recommendations on how to handle unwanted calls and phone scams and on registering with the Do Not Call List.

Fortune.com predicts 60 billion robocalls to Americans for 2019 in an article on FCC plans to get aggressive. The FCC is pushing its plan to get telephone service providers to implement a new technology standard known as STIR/SHAKEN to combat the scourge.

Verizon is supposedly offering a free call filter to help block the incoming flow. I have yet to give this a try but it can't hurt. In its article announcing the call filter, USA Today also describes Verizon's call verification feature and T-Mobile's similar offering.

With these new standards being implemented and new features coming from providers, I am staying optimistic that an end to the problem, or at least a big reduction in it, is forthcoming.

Let us know your experiences and keep up the fight against these unwanted intrusions.

 

TLS 1.3 Approved for Use with Enhanced Security / Performance

Approved by the IETF

In March of 2018, the steering group of the IETF approved RFC 8446 defining version 1.3 of the Transport Layer Security Protocol.

TLS 1.0 and 1.1 continue to be susceptible to cyber attacks. These are considered obsolete and no longer safe when compared to the newer versions 1.2 and 1.3.

Hardened Security & Improved Performance

A main improvement of TLS 1.3 is hardened security. A number of features that were supported in previous versions were removed because of security weaknesses or vulnerabilities. In addition, several new features with no known vulnerabilities have been added to the protocol, such as the elliptic curves Curve25519, offering 128-bit security, and Curve448, offering 224-bit security.

In addition to the security improvements in TLS 1.3, performance has been augmented as well. The number of steps required in the handshake to set up a 1.3 connection is significantly reduced from TLS 1.2 (and prior), improving connection and page load times. 

Portals and Beyond

Recent changes were made to Portals to support updates to web services requiring the use of TLS 1.2. While these changes are effective in supporting 1.2, they also support the newest version, 1.3.  If you have an older version of Portals, an update may be required to access the newest release. When customers migrate to a new service requiring TLS 1.2 or 1.3, we update the Portals service, if necessary, to support the new protocol. 

Let us know if you have questions about TLS security in your Portals environment.