Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


10:30 AM
Patrick Cox
Patrick Cox
Connect Directly
E-Mail vvv

How to Hang Up on Fraud

Three reasons why the phone channel is uniquely vulnerable to spoofing and what call centers are doing about it.

With cybercrime skyrocketing over the past two decades, companies that do business online — whether retailers, banks, or insurance companies — have devoted increasing resources to improving security and combatting Internet fraud. But sophisticated fraudsters do not limit themselves to the online channel, and many organizations have been slow to adopt effective measures to mitigate the risk of fraud carried out through other channels, such as customer contact centers. In many ways, the phone channel has become the weak link.

Most contact centers have continued to rely heavily on knowledge-based authentication to grant callers access to their accounts. However, the ready availability of personal information, either stolen in data breaches or gleaned from social media, makes it increasingly easy for criminals to impersonate customers. Add in some Caller ID or automatic number identification (ANI) spoofing, and fraudsters are well on their way to deceiving call center staff and taking over customer accounts.

The phone channel is uniquely vulnerable to spoofing for a number of reasons:

1. Easy creation and manipulation of call signaling data. An incoming phone call contains signaling data with billing and routing information. However, it is simple for a hacker to alter legitimate call signal data, which is why spoofing has become an epidemic. Spoofing is simply changing or falsifying call-signaling data. It's easy to do using any of dozens of software tools such as FreeSWITCH or Asterisk. When a criminal originates a call, he or she can create all the signaling data needed to mimic a legitimate calling number.

2. Lack of encryption. Most websites today can encrypt a communication system end-to-end, from the browser to the web server. In contrast, very few telephone calls are encrypted end-to-end. This is because the security infrastructure that is mature in web communications is still in its infancy within the telephone network. Getting encryption in place is a slow process because it requires compatible and reliable networking capabilities for telephone communications among all the carriers in the world. That is a long process. In the meantime, this means that the vast majority of telephone calls and their call signaling data are sent in plain text and can be manipulated.

3. Many opportunities to launch attacks. There are thousands of telephone carriers in North America alone, and tens of thousands of global partners that offer access to place calls. Fraudsters exploit carriers and partners with lax security practices or no enrollment requirements. This enables criminals to remain anonymous and leaves them free to launch attacks without any repercussions.

By iterating attacks with multiple signatures on different access points, criminals will find a combination that can perfectly mimic calls from major carriers. Once successful, they can mimic calls from all the customers of that carrier.

Knowledge-based authentication, or KBA, is just as vulnerable because of fraudsters' relatively easy access to the personal information needed to correctly respond to call center agents' identity interrogation. This information can be purchased on the Dark Web or unearthed by simply scouring the social media sites of an account takeover target.  

So, how do we forge a more secure path forward? The basic answer, no matter the particular security solutions involved, is multifactor authentication. Multifactor authentication is a strategy in which inherence and/or ownership factors (that is, something known by a person and/or something in their physical possession) are used to verify a caller's identity, thus reducing or eliminating reliance on KBA and spoof detection. A bank would never allow ATM use without knowledge of a PIN and ownership of a physical debit card, and it's time for companies to adopt this same approach to secure their phone channels.

Multifactor authentication has long been recognized as more secure, and the available tools are becoming increasingly sophisticated. For example, to incorporate an inherence factor, which uses a physical attribute of a caller, contact centers can deploy voice recognition systems. These systems obtain a voice print from a caller and compare it to a reference voice print to make an authentication determination. (Note: TRUSTID offers pre-answer caller authentication as an alternative to KBA and as part of a multifactor authentication solution. Many companies in the industry provide additional caller authentication solutions for multifactor authentication.)  

A complementary technology uses a caller's phone as an ownership-based authentication token. This approach audits all phone calls, devices, and line types from within the global telephone network to ensure that the phone call and device are real and unique and can thus provide a deterministic authentication outcome in the form of an ownership authentication token.

In transitioning to an optimally secure authentication solution, voice biometrics or phone ownership authentication can be paired with KBA to create a quick-fix two-factor authentication approach. Our recent survey of contact center professionals showed that the majority of organizations planning to move to multifactor authentication expect to do so by adding a new factor to their existing KBA process.

Companies that want to gain their customers' trust must show that they take information security seriously. This means not only employing robust measures to prevent data breaches but also implementing multifactor authentication systems to ensure that personally identifying information stolen from other companies or gleaned from social media profiles will no longer empower fraudsters to access customer accounts.

Related Content:

Patrick Cox is chairman and CEO of TRUSTID, which enables companies to increase the efficiency of their fraud-fighting efforts through pre-answer caller authentication and the creation of trusted caller flows that avoid identity interrogation, allowing resources to be focused ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, le...
PUBLISHED: 2020-04-09
KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc__tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to...
PUBLISHED: 2020-04-09
In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.
PUBLISHED: 2020-04-09
An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific loc...
PUBLISHED: 2020-04-09
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are u...