Risk
7/15/2013
06:00 AM
Tim Wilson
Tim Wilson
Quick Hits
50%
50%

Report: Phone Fraud Plagues Call Centers At Financial Institutions

Social engineers increasingly tap unsuspecting customer service reps for information, Aite Group says

A caller phones the customer service center at a regional bank and gives just enough information to authenticate himself as a customer. Then he starts asking the service representative for information he has "forgotten" -- and he keeps dialing the call center until he has enough information to open a new account somewhere else.

This form of telephone-based social engineering -- an emerging type of phone fraud -- is becoming a popular method for attackers to collect the information they need to steal identities and commit new account fraud, according to a report by the Aite Group, a research firm that focuses on the financial services industry.

According to "Look Who's Talking: Financial Institutions' Contact Centers Under Attack," 74 percent of financial institutions believe that organized attacks by criminal rings are responsible for the majority of this contact center fraud, often with account takeover as their goal.

"When I let the [financial] industry know I was working on this report, I actually had banks call me directly to tell me about their experiences," says Shirley Inscoe, a researcher at the Aite Group and author of the report. "So many financial institutions are dealing with this type of fraud, they really wanted to get the word out."

The prevalence of this type of social engineering on call centers has gone overlooked in the financial industry because many banks only count it as "fraud" when a call center representative violates policy, Inscoe says.

"But in many cases, these call center reps are just doing their jobs and no policies are broken," she says. "These attacks are so sophisticated that the caller often has just enough information to make the rep believe he is an actual customer. At that point, the rep has really no choice but to try help him."

"Until recently, the only way to fight this type of phone fraud was to ask the 'customer' a series of questions and authenticate him by his answers," notes Matt Anthony, vice president of marketing at Pindrop Security, which specializes in fighting this type of call center fraud. "If the caller has enough data, or even just asks the right questions, they can get a lot more information from the call center, even if they have to call several times."

Information gathering is a key part of almost any type of sophisticated attack, both in financial fraud and in breaching online systems, the report states. A person who has all of a victim's data -- including name, address, Social Security number, and the answers to security questions -- can open new accounts or commit other criminal acts in the victim's name.

"But in many cases, the financial institution doesn't have much visibility into the phone fraud that's occurring," Inscoe observes. "There's no easy way to spot it before it's too late."

Sophisticated attackers often spoof the North American Number Identification (NANI) system in order to mask their phone numbers or prevent the victim institution from seeing that they have called multiple times, Inscoe says. As a result, simple fraud detection systems that block known malicious caller IDs may not prevent more sophisticated scams.

"A lot of banks now are looking more at behavioral analytics tools that analyze caller behavior and flag the institution when a call looks to be an anomaly," she notes.

Pindrop, an emerging company that received new funding earlier this year, is attacking the problem with a new tool that analyzes each incoming call with a variety of filters, including location, caller ID, and even background noise.

"This type of social engineering isn't going away," Anthony says. "In the end, it isn't a choice between anti-fraud tools and authentication. These institutions are going to need both."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
7/17/2013 | 2:45:07 PM
re: Report: Phone Fraud Plagues Call Centers At Financial Institutions
Did anyone else see Identity Theft? Obtaining personal information is just too easy. I just hope that in an effort to better screen their callers they don't increase the wait time to speak to a representative.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0750
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.