Vulnerabilities / Threats

5/12/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Call Centers In The Bullseye

Cheap set-ups, economic recession, and the US rollout of chip-and-PIN technology, all contribute to dramatic increase in call center fraud.

A new report out this week says fraudulent call center calls rose 45% between 2013 and 2015.

During that same period, losses from fraudulent call center transactions rose 14%, according to the data from call-center fraud detection technology company Pindrop.

The findings don’t come as a surprise to Chris Hadnagy, CEO of Social-Engineer LLC, a consulting and training company that specializes in social engineering. Voice phishing (vishing) is going to be the next biggest attack vector because of how easily accessible and affordable voice over Internet protocol (VoIP) lines and session initiation protocol (SIP) trunking are, Hadnagy says.

Call center fraud is particularly troublesome in countries experiencing economic strife, he says, and these fraudsters don't fear getting caught as much as other cyberattackers. It’s also no longer just a few groups that are committing call center fraud, he warns. The crime is being committed by nation-states, organized hacker groups, hacktivists, and your everyday, average crooks and thieves.

Organizations should expect to see an increase in call center fraud and multi-vectored attacks -- vishing in conjunction with phishing, Hadnagy says.  

Domestic fraud calls (calls that originate within the country targeted in an attack) have also increased from 36% to 51% of all fraud call traffic, according to Pindrop's report.

Dr. David Dewey, director of research for Pindrop Labs, says that a likely reason for the spike in US call center fraud is the rollout of Europay, MasterCard, and Visa (EMV) chip-and-PIN technology in the financial industry. EMV takes a bite out of "card-present" crimes, which are committed in-person using counterfeit cards. Dewey says EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks.

As a forecast of what's to come, Dewey says look to the United Kingdom. The UK rolled out chip-and-PIN over a decade ago, and its domestic fraud call traffic rate has since reached 72%.

The report also shows that the average loss per fraudulent call has gone up to 65 cents per call.

“[Fraudsters] are becoming much, much more skilled at what they do. [They’re] getting good at refining the data and targeting high-value accounts,” Dewey says. He tells a story of a call center criminal who would only target large accounts: “He’s never once gone after an account that is less than a million dollars. He already knows the values of the account before he’s making the call,” says Dewey. This fraudster employs a level of reconnaissance and refinines its practices to achieve higher fraud exposure rates, he explains.

“It’s very, very common when we go talk to managers of call centers that the idea of fraud happening in their environment is something that they know about but is not their primary concern. Their number one priority is to give a delightful experience at the lowest cost possible,” says Dewey.

Social-Engineers' Hadnagy reiterates that the nature of call centers -- a place that employs individuals based on their ability to provide a premium customer experience in a short span of time -- is part of the reason they’re a prime target of fraudulent calls. “That very nature creates the vulnerability for the company. The attackers are utilizing it to get the information,” he says.

While vendors such as Pindrop offer call center fraud-protection technology, Hadnagy says education is the real solution here. “I would love businesses to know that there is no 100% technological fix for this. There’s no solution that automatically catches malicious content and then stops the call. Education is the only fix and consistent education about what vishing is.”

 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/31/2017 | 3:48:53 PM
Re: EMV
Agreed.  Black Hat has been good on this topic (as has DR in writing about it).  Rapid7 exploits have opened more eyes on these vulnerabilities.  Numerous papers are written on EMV weaknesses and yet...
williamibarra
50%
50%
williamibarra,
User Rank: Apprentice
7/13/2017 | 10:11:05 AM
Re: Pen is a good Knife
nice article
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2016 | 8:37:51 AM
EMV
"EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks."

...or exploit the MitM vulnerabilities particular to EMV (something EMV proponents like to conveniently forget to mention...but that's not any of my business).
margaretmbrooks
50%
50%
margaretmbrooks,
User Rank: Apprentice
5/13/2016 | 2:04:41 AM
Pen is a good Knife
Emily Jhonson did an open call or an open write towards the fraud work at call centers. I read in somewhere "Pen is the right Knife". A good write up can be seen here. This is not only in US is is everywhere in the world. I hope you will keep this knife with you in future also.
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6970
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
CVE-2018-14781
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
CVE-2018-15123
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
CVE-2018-15124
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.
CVE-2018-15125
PUBLISHED: 2018-08-13
Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface.