Here is the excerpt from the follow-up document on the webinar I co-presented with Jeff Patterson on MFA.
Question 8. I wanted to know what's going on with IVRs. The FAQ was the first time to mention it and you did today, but I don't see anything in here discussing it!!
Answer: The concepts of additional security requirements, including multi-factor authentication, being implemented to mitigate the risks associated with access to confidential customer information and funds transfer capabilities do apply to IVRs, VRUs, and telephone banking. Each of these types of services should be included in the risk assessment, and where the risk associated with access to confidential information or capabilities to transfer funds warrants additional security, then multi-factor authentication should be employed.
Look at the same types of factors you would look at for online banking: Can a caller gain access to sensitive customer information by posing as your customer and bypassing authentication safeguards? Can a caller engage in high-risk transactions if they successfully impersonate your customer?
Possible additional authentication options include phone number verification (caller ID), call back verification, and possible voice prints. The initial set-up for a customer to use IVR should be reviewed to determine if it is robust enough. The more information that can be accessed through the system, and the greater the transactional capability it has, the greater the need to guard against unauthorized use.