Risk
7/15/2013
06:00 AM
Tim Wilson
Tim Wilson
Quick Hits
50%
50%

Report: Phone Fraud Plagues Call Centers At Financial Institutions

Social engineers increasingly tap unsuspecting customer service reps for information, Aite Group says

A caller phones the customer service center at a regional bank and gives just enough information to authenticate himself as a customer. Then he starts asking the service representative for information he has "forgotten" -- and he keeps dialing the call center until he has enough information to open a new account somewhere else.

This form of telephone-based social engineering -- an emerging type of phone fraud -- is becoming a popular method for attackers to collect the information they need to steal identities and commit new account fraud, according to a report by the Aite Group, a research firm that focuses on the financial services industry.

According to "Look Who's Talking: Financial Institutions' Contact Centers Under Attack," 74 percent of financial institutions believe that organized attacks by criminal rings are responsible for the majority of this contact center fraud, often with account takeover as their goal.

"When I let the [financial] industry know I was working on this report, I actually had banks call me directly to tell me about their experiences," says Shirley Inscoe, a researcher at the Aite Group and author of the report. "So many financial institutions are dealing with this type of fraud, they really wanted to get the word out."

The prevalence of this type of social engineering on call centers has gone overlooked in the financial industry because many banks only count it as "fraud" when a call center representative violates policy, Inscoe says.

"But in many cases, these call center reps are just doing their jobs and no policies are broken," she says. "These attacks are so sophisticated that the caller often has just enough information to make the rep believe he is an actual customer. At that point, the rep has really no choice but to try help him."

"Until recently, the only way to fight this type of phone fraud was to ask the 'customer' a series of questions and authenticate him by his answers," notes Matt Anthony, vice president of marketing at Pindrop Security, which specializes in fighting this type of call center fraud. "If the caller has enough data, or even just asks the right questions, they can get a lot more information from the call center, even if they have to call several times."

Information gathering is a key part of almost any type of sophisticated attack, both in financial fraud and in breaching online systems, the report states. A person who has all of a victim's data -- including name, address, Social Security number, and the answers to security questions -- can open new accounts or commit other criminal acts in the victim's name.

"But in many cases, the financial institution doesn't have much visibility into the phone fraud that's occurring," Inscoe observes. "There's no easy way to spot it before it's too late."

Sophisticated attackers often spoof the North American Number Identification (NANI) system in order to mask their phone numbers or prevent the victim institution from seeing that they have called multiple times, Inscoe says. As a result, simple fraud detection systems that block known malicious caller IDs may not prevent more sophisticated scams.

"A lot of banks now are looking more at behavioral analytics tools that analyze caller behavior and flag the institution when a call looks to be an anomaly," she notes.

Pindrop, an emerging company that received new funding earlier this year, is attacking the problem with a new tool that analyzes each incoming call with a variety of filters, including location, caller ID, and even background noise.

"This type of social engineering isn't going away," Anthony says. "In the end, it isn't a choice between anti-fraud tools and authentication. These institutions are going to need both."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
7/17/2013 | 2:45:07 PM
re: Report: Phone Fraud Plagues Call Centers At Financial Institutions
Did anyone else see Identity Theft? Obtaining personal information is just too easy. I just hope that in an effort to better screen their callers they don't increase the wait time to speak to a representative.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.