Vulnerabilities / Threats
5/12/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Call Centers In The Bullseye

Cheap set-ups, economic recession, and the US rollout of chip-and-PIN technology, all contribute to dramatic increase in call center fraud.

A new report out this week says fraudulent call center calls rose 45% between 2013 and 2015.

During that same period, losses from fraudulent call center transactions rose 14%, according to the data from call-center fraud detection technology company Pindrop.

The findings don’t come as a surprise to Chris Hadnagy, CEO of Social-Engineer LLC, a consulting and training company that specializes in social engineering. Voice phishing (vishing) is going to be the next biggest attack vector because of how easily accessible and affordable voice over Internet protocol (VoIP) lines and session initiation protocol (SIP) trunking are, Hadnagy says.

Call center fraud is particularly troublesome in countries experiencing economic strife, he says, and these fraudsters don't fear getting caught as much as other cyberattackers. It’s also no longer just a few groups that are committing call center fraud, he warns. The crime is being committed by nation-states, organized hacker groups, hacktivists, and your everyday, average crooks and thieves.

Organizations should expect to see an increase in call center fraud and multi-vectored attacks -- vishing in conjunction with phishing, Hadnagy says.  

Domestic fraud calls (calls that originate within the country targeted in an attack) have also increased from 36% to 51% of all fraud call traffic, according to Pindrop's report.

Dr. David Dewey, director of research for Pindrop Labs, says that a likely reason for the spike in US call center fraud is the rollout of Europay, MasterCard, and Visa (EMV) chip-and-PIN technology in the financial industry. EMV takes a bite out of "card-present" crimes, which are committed in-person using counterfeit cards. Dewey says EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks.

As a forecast of what's to come, Dewey says look to the United Kingdom. The UK rolled out chip-and-PIN over a decade ago, and its domestic fraud call traffic rate has since reached 72%.

The report also shows that the average loss per fraudulent call has gone up to 65 cents per call.

“[Fraudsters] are becoming much, much more skilled at what they do. [They’re] getting good at refining the data and targeting high-value accounts,” Dewey says. He tells a story of a call center criminal who would only target large accounts: “He’s never once gone after an account that is less than a million dollars. He already knows the values of the account before he’s making the call,” says Dewey. This fraudster employs a level of reconnaissance and refinines its practices to achieve higher fraud exposure rates, he explains.

“It’s very, very common when we go talk to managers of call centers that the idea of fraud happening in their environment is something that they know about but is not their primary concern. Their number one priority is to give a delightful experience at the lowest cost possible,” says Dewey.

Social-Engineers' Hadnagy reiterates that the nature of call centers -- a place that employs individuals based on their ability to provide a premium customer experience in a short span of time -- is part of the reason they’re a prime target of fraudulent calls. “That very nature creates the vulnerability for the company. The attackers are utilizing it to get the information,” he says.

While vendors such as Pindrop offer call center fraud-protection technology, Hadnagy says education is the real solution here. “I would love businesses to know that there is no 100% technological fix for this. There’s no solution that automatically catches malicious content and then stops the call. Education is the only fix and consistent education about what vishing is.”

 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2016 | 8:37:51 AM
EMV
"EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks."

...or exploit the MitM vulnerabilities particular to EMV (something EMV proponents like to conveniently forget to mention...but that's not any of my business).
margaretmbrooks
50%
50%
margaretmbrooks,
User Rank: Apprentice
5/13/2016 | 2:04:41 AM
Pen is a good Knife
Emily Jhonson did an open call or an open write towards the fraud work at call centers. I read in somewhere "Pen is the right Knife". A good write up can be seen here. This is not only in US is is everywhere in the world. I hope you will keep this knife with you in future also.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Post a Comment
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.