Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/12/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Call Centers In The Bullseye

Cheap set-ups, economic recession, and the US rollout of chip-and-PIN technology, all contribute to dramatic increase in call center fraud.

A new report out this week says fraudulent call center calls rose 45% between 2013 and 2015.

During that same period, losses from fraudulent call center transactions rose 14%, according to the data from call-center fraud detection technology company Pindrop.

The findings don’t come as a surprise to Chris Hadnagy, CEO of Social-Engineer LLC, a consulting and training company that specializes in social engineering. Voice phishing (vishing) is going to be the next biggest attack vector because of how easily accessible and affordable voice over Internet protocol (VoIP) lines and session initiation protocol (SIP) trunking are, Hadnagy says.

Call center fraud is particularly troublesome in countries experiencing economic strife, he says, and these fraudsters don't fear getting caught as much as other cyberattackers. It’s also no longer just a few groups that are committing call center fraud, he warns. The crime is being committed by nation-states, organized hacker groups, hacktivists, and your everyday, average crooks and thieves.

Organizations should expect to see an increase in call center fraud and multi-vectored attacks -- vishing in conjunction with phishing, Hadnagy says.  

Domestic fraud calls (calls that originate within the country targeted in an attack) have also increased from 36% to 51% of all fraud call traffic, according to Pindrop's report.

Dr. David Dewey, director of research for Pindrop Labs, says that a likely reason for the spike in US call center fraud is the rollout of Europay, MasterCard, and Visa (EMV) chip-and-PIN technology in the financial industry. EMV takes a bite out of "card-present" crimes, which are committed in-person using counterfeit cards. Dewey says EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks.

As a forecast of what's to come, Dewey says look to the United Kingdom. The UK rolled out chip-and-PIN over a decade ago, and its domestic fraud call traffic rate has since reached 72%.

The report also shows that the average loss per fraudulent call has gone up to 65 cents per call.

“[Fraudsters] are becoming much, much more skilled at what they do. [They’re] getting good at refining the data and targeting high-value accounts,” Dewey says. He tells a story of a call center criminal who would only target large accounts: “He’s never once gone after an account that is less than a million dollars. He already knows the values of the account before he’s making the call,” says Dewey. This fraudster employs a level of reconnaissance and refinines its practices to achieve higher fraud exposure rates, he explains.

“It’s very, very common when we go talk to managers of call centers that the idea of fraud happening in their environment is something that they know about but is not their primary concern. Their number one priority is to give a delightful experience at the lowest cost possible,” says Dewey.

Social-Engineers' Hadnagy reiterates that the nature of call centers -- a place that employs individuals based on their ability to provide a premium customer experience in a short span of time -- is part of the reason they’re a prime target of fraudulent calls. “That very nature creates the vulnerability for the company. The attackers are utilizing it to get the information,” he says.

While vendors such as Pindrop offer call center fraud-protection technology, Hadnagy says education is the real solution here. “I would love businesses to know that there is no 100% technological fix for this. There’s no solution that automatically catches malicious content and then stops the call. Education is the only fix and consistent education about what vishing is.”

 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
margaretmbrooks
50%
50%
margaretmbrooks,
User Rank: Apprentice
5/13/2016 | 2:04:41 AM
Pen is a good Knife
Emily Jhonson did an open call or an open write towards the fraud work at call centers. I read in somewhere "Pen is the right Knife". A good write up can be seen here. This is not only in US is is everywhere in the world. I hope you will keep this knife with you in future also.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2016 | 8:37:51 AM
EMV
"EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks."

...or exploit the MitM vulnerabilities particular to EMV (something EMV proponents like to conveniently forget to mention...but that's not any of my business).
williamibarra
50%
50%
williamibarra,
User Rank: Apprentice
7/13/2017 | 10:11:05 AM
Re: Pen is a good Knife
nice article
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 3:48:53 PM
Re: EMV
Agreed.  Black Hat has been good on this topic (as has DR in writing about it).  Rapid7 exploits have opened more eyes on these vulnerabilities.  Numerous papers are written on EMV weaknesses and yet...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...