Vulnerabilities / Threats

5/12/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Call Centers In The Bullseye

Cheap set-ups, economic recession, and the US rollout of chip-and-PIN technology, all contribute to dramatic increase in call center fraud.

A new report out this week says fraudulent call center calls rose 45% between 2013 and 2015.

During that same period, losses from fraudulent call center transactions rose 14%, according to the data from call-center fraud detection technology company Pindrop.

The findings don’t come as a surprise to Chris Hadnagy, CEO of Social-Engineer LLC, a consulting and training company that specializes in social engineering. Voice phishing (vishing) is going to be the next biggest attack vector because of how easily accessible and affordable voice over Internet protocol (VoIP) lines and session initiation protocol (SIP) trunking are, Hadnagy says.

Call center fraud is particularly troublesome in countries experiencing economic strife, he says, and these fraudsters don't fear getting caught as much as other cyberattackers. It’s also no longer just a few groups that are committing call center fraud, he warns. The crime is being committed by nation-states, organized hacker groups, hacktivists, and your everyday, average crooks and thieves.

Organizations should expect to see an increase in call center fraud and multi-vectored attacks -- vishing in conjunction with phishing, Hadnagy says.  

Domestic fraud calls (calls that originate within the country targeted in an attack) have also increased from 36% to 51% of all fraud call traffic, according to Pindrop's report.

Dr. David Dewey, director of research for Pindrop Labs, says that a likely reason for the spike in US call center fraud is the rollout of Europay, MasterCard, and Visa (EMV) chip-and-PIN technology in the financial industry. EMV takes a bite out of "card-present" crimes, which are committed in-person using counterfeit cards. Dewey says EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks.

As a forecast of what's to come, Dewey says look to the United Kingdom. The UK rolled out chip-and-PIN over a decade ago, and its domestic fraud call traffic rate has since reached 72%.

The report also shows that the average loss per fraudulent call has gone up to 65 cents per call.

“[Fraudsters] are becoming much, much more skilled at what they do. [They’re] getting good at refining the data and targeting high-value accounts,” Dewey says. He tells a story of a call center criminal who would only target large accounts: “He’s never once gone after an account that is less than a million dollars. He already knows the values of the account before he’s making the call,” says Dewey. This fraudster employs a level of reconnaissance and refinines its practices to achieve higher fraud exposure rates, he explains.

“It’s very, very common when we go talk to managers of call centers that the idea of fraud happening in their environment is something that they know about but is not their primary concern. Their number one priority is to give a delightful experience at the lowest cost possible,” says Dewey.

Social-Engineers' Hadnagy reiterates that the nature of call centers -- a place that employs individuals based on their ability to provide a premium customer experience in a short span of time -- is part of the reason they’re a prime target of fraudulent calls. “That very nature creates the vulnerability for the company. The attackers are utilizing it to get the information,” he says.

While vendors such as Pindrop offer call center fraud-protection technology, Hadnagy says education is the real solution here. “I would love businesses to know that there is no 100% technological fix for this. There’s no solution that automatically catches malicious content and then stops the call. Education is the only fix and consistent education about what vishing is.”

 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/31/2017 | 3:48:53 PM
Re: EMV
Agreed.  Black Hat has been good on this topic (as has DR in writing about it).  Rapid7 exploits have opened more eyes on these vulnerabilities.  Numerous papers are written on EMV weaknesses and yet...
williamibarra
50%
50%
williamibarra,
User Rank: Apprentice
7/13/2017 | 10:11:05 AM
Re: Pen is a good Knife
nice article
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2016 | 8:37:51 AM
EMV
"EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks."

...or exploit the MitM vulnerabilities particular to EMV (something EMV proponents like to conveniently forget to mention...but that's not any of my business).
margaretmbrooks
50%
50%
margaretmbrooks,
User Rank: Apprentice
5/13/2016 | 2:04:41 AM
Pen is a good Knife
Emily Jhonson did an open call or an open write towards the fraud work at call centers. I read in somewhere "Pen is the right Knife". A good write up can be seen here. This is not only in US is is everywhere in the world. I hope you will keep this knife with you in future also.
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...