Risk
7/15/2013
06:00 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Report: Phone Fraud Plagues Call Centers At Financial Institutions

Social engineers increasingly tap unsuspecting customer service reps for information, Aite Group says

A caller phones the customer service center at a regional bank and gives just enough information to authenticate himself as a customer. Then he starts asking the service representative for information he has "forgotten" -- and he keeps dialing the call center until he has enough information to open a new account somewhere else.

This form of telephone-based social engineering -- an emerging type of phone fraud -- is becoming a popular method for attackers to collect the information they need to steal identities and commit new account fraud, according to a report by the Aite Group, a research firm that focuses on the financial services industry.

According to "Look Who's Talking: Financial Institutions' Contact Centers Under Attack," 74 percent of financial institutions believe that organized attacks by criminal rings are responsible for the majority of this contact center fraud, often with account takeover as their goal.

"When I let the [financial] industry know I was working on this report, I actually had banks call me directly to tell me about their experiences," says Shirley Inscoe, a researcher at the Aite Group and author of the report. "So many financial institutions are dealing with this type of fraud, they really wanted to get the word out."

The prevalence of this type of social engineering on call centers has gone overlooked in the financial industry because many banks only count it as "fraud" when a call center representative violates policy, Inscoe says.

"But in many cases, these call center reps are just doing their jobs and no policies are broken," she says. "These attacks are so sophisticated that the caller often has just enough information to make the rep believe he is an actual customer. At that point, the rep has really no choice but to try help him."

"Until recently, the only way to fight this type of phone fraud was to ask the 'customer' a series of questions and authenticate him by his answers," notes Matt Anthony, vice president of marketing at Pindrop Security, which specializes in fighting this type of call center fraud. "If the caller has enough data, or even just asks the right questions, they can get a lot more information from the call center, even if they have to call several times."

Information gathering is a key part of almost any type of sophisticated attack, both in financial fraud and in breaching online systems, the report states. A person who has all of a victim's data -- including name, address, Social Security number, and the answers to security questions -- can open new accounts or commit other criminal acts in the victim's name.

"But in many cases, the financial institution doesn't have much visibility into the phone fraud that's occurring," Inscoe observes. "There's no easy way to spot it before it's too late."

Sophisticated attackers often spoof the North American Number Identification (NANI) system in order to mask their phone numbers or prevent the victim institution from seeing that they have called multiple times, Inscoe says. As a result, simple fraud detection systems that block known malicious caller IDs may not prevent more sophisticated scams.

"A lot of banks now are looking more at behavioral analytics tools that analyze caller behavior and flag the institution when a call looks to be an anomaly," she notes.

Pindrop, an emerging company that received new funding earlier this year, is attacking the problem with a new tool that analyzes each incoming call with a variety of filters, including location, caller ID, and even background noise.

"This type of social engineering isn't going away," Anthony says. "In the end, it isn't a choice between anti-fraud tools and authentication. These institutions are going to need both."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
7/17/2013 | 2:45:07 PM
re: Report: Phone Fraud Plagues Call Centers At Financial Institutions
Did anyone else see Identity Theft? Obtaining personal information is just too easy. I just hope that in an effort to better screen their callers they don't increase the wait time to speak to a representative.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.