Risk
7/15/2013
06:00 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Report: Phone Fraud Plagues Call Centers At Financial Institutions

Social engineers increasingly tap unsuspecting customer service reps for information, Aite Group says

A caller phones the customer service center at a regional bank and gives just enough information to authenticate himself as a customer. Then he starts asking the service representative for information he has "forgotten" -- and he keeps dialing the call center until he has enough information to open a new account somewhere else.

This form of telephone-based social engineering -- an emerging type of phone fraud -- is becoming a popular method for attackers to collect the information they need to steal identities and commit new account fraud, according to a report by the Aite Group, a research firm that focuses on the financial services industry.

According to "Look Who's Talking: Financial Institutions' Contact Centers Under Attack," 74 percent of financial institutions believe that organized attacks by criminal rings are responsible for the majority of this contact center fraud, often with account takeover as their goal.

"When I let the [financial] industry know I was working on this report, I actually had banks call me directly to tell me about their experiences," says Shirley Inscoe, a researcher at the Aite Group and author of the report. "So many financial institutions are dealing with this type of fraud, they really wanted to get the word out."

The prevalence of this type of social engineering on call centers has gone overlooked in the financial industry because many banks only count it as "fraud" when a call center representative violates policy, Inscoe says.

"But in many cases, these call center reps are just doing their jobs and no policies are broken," she says. "These attacks are so sophisticated that the caller often has just enough information to make the rep believe he is an actual customer. At that point, the rep has really no choice but to try help him."

"Until recently, the only way to fight this type of phone fraud was to ask the 'customer' a series of questions and authenticate him by his answers," notes Matt Anthony, vice president of marketing at Pindrop Security, which specializes in fighting this type of call center fraud. "If the caller has enough data, or even just asks the right questions, they can get a lot more information from the call center, even if they have to call several times."

Information gathering is a key part of almost any type of sophisticated attack, both in financial fraud and in breaching online systems, the report states. A person who has all of a victim's data -- including name, address, Social Security number, and the answers to security questions -- can open new accounts or commit other criminal acts in the victim's name.

"But in many cases, the financial institution doesn't have much visibility into the phone fraud that's occurring," Inscoe observes. "There's no easy way to spot it before it's too late."

Sophisticated attackers often spoof the North American Number Identification (NANI) system in order to mask their phone numbers or prevent the victim institution from seeing that they have called multiple times, Inscoe says. As a result, simple fraud detection systems that block known malicious caller IDs may not prevent more sophisticated scams.

"A lot of banks now are looking more at behavioral analytics tools that analyze caller behavior and flag the institution when a call looks to be an anomaly," she notes.

Pindrop, an emerging company that received new funding earlier this year, is attacking the problem with a new tool that analyzes each incoming call with a variety of filters, including location, caller ID, and even background noise.

"This type of social engineering isn't going away," Anthony says. "In the end, it isn't a choice between anti-fraud tools and authentication. These institutions are going to need both."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
7/17/2013 | 2:45:07 PM
re: Report: Phone Fraud Plagues Call Centers At Financial Institutions
Did anyone else see Identity Theft? Obtaining personal information is just too easy. I just hope that in an effort to better screen their callers they don't increase the wait time to speak to a representative.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.