Hi,
IVR gave folks a way of interacting with "systems" without dealing with people (of course, that's what the folks peddling this stuff to The Public wanted us to think was a BENEFIT!).
For the most part (neglecting the spooks), this is a reasonably secure communication. When you place a call, there's little fear of MiM attacks, replay attacks, etc. So, authentication mechanisms can be trivial -- shared secret often suffices. Some agencies will go so far as "verifying" the phone number from which you are calling (e.g., credit card activations). Not sure how reliable that is likely to be given CID spoofing.
[It also means you *can't* use the service from another phone line! No big deal for one-time events like a credit card activation. But, if it was something you did weekly or even monthly, you might find this restrictive]
Of course, WWW access is the big thing, nowadays. While HTTPS and other encrypted tunnels help protect against wiretap "in transit", there's still the very real possibility of keystroke loggers et ilk *before* the encryption is applied. And, the phone analogy of verifying your IP really doesn't make sense -- the beauty of the WWW interface is that you can access it from *anywhere*!
Before WWW, some services were accessible via email and automated "attendants". E.g., mailing list subscriptions, FTP by email, etc. In these cases, shared secrets and "registered" email addresses gave the "security". A request had to originate from a valid email address (which could always be spoofed) and a verification email could be auto-sent to that registered address for confirmation before the request was acknowledged and satisfied.
[Now, I step off the curb into traffic as I don't use a cell phone and can only *guess* at the following...]
Presumably, the email analogy can be extended to "texting" as well? I.e., send a text in a particular format to a particular "number" to make a similar "request". I.e., instead of dealing with a variety of voice prompts in an IVR system, you could send a text to "yourbank": XFER $123.45 FROM SAVINGS TO CHECKING and the receiving system would know that "savings" was "17734500" and "checking" was "7787583900". Assuming your savings balance was sufficient, a confirmation could be texted (?) back to you.
[I.e., you see how all these technologies can be applied to do the same thing?]
Given that you want security, how is the latter accomplished? Security here means preventing others from impersonating you and "illegally" making these transactions -- as well as the privacy issues of not letting information leak.
Given the preponderance of cell phones vs. land lines (which have known, fixed locations -- i.e., if you validate your credit card from a land line, the agency knows you are *in* that residence at the time! Ignoring special cases...) how would this sort of thing be accomplished?
I.e., does the email model still make the most sense from a practical viewpoint? I.e., ---> request (do this) confirmation (yes, I did) ). So, any information provided by spoken word is easily noted by an eavesdropper! (account number, mother's maiden name, favorite pet, etc.)
Where is IVR headed in light of all these communication mechanisms?
Thx,
--don
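
Added example (not part of the original post): a sketch of the email-style request/confirm model applied to the texted XFER command described above, where a spoofed sender can submit a request but never sees the code needed to release it. The sender number, the TTL, the retry limit and the Gateway class are assumptions made for illustration; the value returned by request() stands in for the confirmation message delivered to the registered address.

```python
import hmac
import re
import secrets

# Constructed data: the sender number is made up; the alias mapping is the post's.
REGISTERED = {"+15550100": {"SAVINGS": "17734500", "CHECKING": "7787583900"}}
COMMAND = re.compile(r"XFER \$(\d+\.\d{2}) FROM (\w+) TO (\w+)")
TTL_SECONDS = 300   # assumed lifetime of an unconfirmed request
MAX_TRIES = 3       # assumed limit on wrong codes before the request is dropped


class Gateway:
    def __init__(self):
        self.pending = {}    # sender -> [transfer, code, expiry, tries_left]
        self.executed = []   # transfers actually carried out

    def request(self, sender, text, now):
        """Park a request; return the code to deliver to the *registered* address."""
        accounts = REGISTERED.get(sender)
        match = COMMAND.fullmatch(text.strip())
        if accounts is None or match is None:
            return None
        amount, src, dst = match.groups()
        if src not in accounts or dst not in accounts or src == dst:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        transfer = (accounts[src], accounts[dst], amount)
        self.pending[sender] = [transfer, code, now + TTL_SECONDS, MAX_TRIES]
        return code

    def confirm(self, sender, code, now):
        """Execute the parked request only on a fresh, matching, unused code."""
        entry = self.pending.get(sender)
        if entry is None:
            return False
        transfer, expected, expiry, tries = entry
        if now > expiry:
            del self.pending[sender]
            return False
        if not hmac.compare_digest(code.encode(), expected.encode()):
            entry[3] = tries - 1
            if entry[3] == 0:
                del self.pending[sender]
            return False
        del self.pending[sender]          # single use: a replayed code finds nothing
        self.executed.append(transfer)
        return True
```

Nothing is moved at request time; the transfer is recorded only after the code comes back within the time limit, and a repeated confirmation is rejected.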