Faced with more stringent authentication procedures for online financial transactions, criminals are turning to call centers to commit fraud via the phone channel, according to RSA, the Security Division of EMC. Although call-center fraud is still a small percentage of total Internet fraud, it is “definitely growing,” says Joram Borenstein, senior manager of product marketing. It is most prevalent in financial-institution call centers, but is also cropping up in retailing and in some government and health-care-related organizations.

There are two main models for committing call-center fraud, Borenstein says. In the first, the criminal obtains enough consumer data through phishing attacks or other fraudulent means to log on to a consumer's online bank account. The fraudster then uses that information to get past whatever manual authentication the call center performs, takes over the account and steals money. “What they're essentially doing at the end of the day is using credentials they've collected in some other manner and using that data” to impersonate the legitimate customer on the phone, he says.

In some cases, a criminal using information obtained through phishing will log on to the consumer's online bank account but will be unable to get around the security procedures in place to prevent fraud. The criminal then phones the call center and uses details gathered from the online account, such as transaction history, to convince the agent that he is the legitimate customer, Borenstein says. “It's very convincing from a call-center agent's perspective,” he says.

In the second model, the criminals convince the consumer to call a fake call center, using an e-mail or text message that contains a false phone number.
“The most prevalent way we're seeing is vishing, or voice phishing, where people send out typical phishing attacks but instead of having the URL for the consumer to click on, they insert a fake phone number,” he says. “They claim to be a bank, they claim there's a problem on your account, and they convince the consumer to pick up a phone and call this phone number.” The criminals then persuade the customer to reveal confidential information, such as mother's maiden name or Social Security number, which can be used to take over the consumer's bank account through a call to the genuine call center.

Fraudsters seeking to complete financial transactions over the phone (for example, confirming transactions processed through a money-transfer service) are also posting messages online to seek out so-called confirmer services. These are offered by criminals who speak the language of the legitimate sender of the money. The confirmer service gives the fraudster the details needed to complete the transaction on the phone, RSA says in the July issue of the RSA Online Fraud Report.

While financial organizations have implemented security measures to thwart phone fraud, including identifying the caller through Caller ID, criminals are using publicly available Internet services that “spoof” the Caller ID on outgoing calls. In addition, some fraudsters are using a Private Branch Exchange (PBX) to create a fake caller ID, according to the report. A PBX system can carry Voice over IP using many protocols and can interoperate with most standards-based telephony equipment using relatively inexpensive hardware.

A chat room featuring fraudster call-center services was recently discovered by RSA Fraud Center analysts. This professional criminal call service can spoof any number in the U.S. It lets phone numbers be customized to the state where the account holder lives and lets fraudsters accept incoming calls while posing as the legitimate account holder.
The service costs $12.

Financial organizations face several obstacles in attempting to secure the phone channel, RSA says. Because the online and phone channels are often separate operational units within an institution, it is difficult to identify fraud attempts that span channels. For example, a criminal who fails to cash out a bank account through the online channel may turn to the phone channel, but the call-center representative may have no knowledge of the earlier failed attempts. Outsourcing call centers to countries outside the U.S. also makes the phone channel more vulnerable to fraud because of cultural and language barriers, according to the report. For example, foreign representatives may not be trained to distinguish between male and female names, making it easier for fraudsters to use the phone channel to cash out accounts.

To secure the phone channel, RSA suggests that financial organizations add security measures beyond simply using phone numbers as identifiers, particularly for activities such as activating a debit card or conducting high-value transactions. One strategy is knowledge-based authentication, which asks questions unique to each individual. In knowledge-based authentication, the financial institution draws on information from public records (previous real-estate transactions, utility bills, license plates of cars the consumer formerly owned) to confirm the caller's identity.

RSA also reported that more than 13,000 phishing attacks occurred in June, a 10% increase from the previous month and an 11-month peak. Phishing attacks against regional banks increased more than 60%, while attacks against national banks dropped more than 50%.
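As an added illustration (not RSA's code or anything from the report), the following Python sketch shows one way to close the cross-channel gap described above: blocked online cash-out attempts are indexed per account, and a later call-center request for a high-risk action on the same account is routed to step-up authentication instead of being handled on a phone number alone. The account ids, timestamps, action names and the 48-hour look-back window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Phone requests the report says need more than a phone number as identity proof.
HIGH_RISK_PHONE_ACTIONS = {"activate_debit_card", "wire_transfer"}
CORRELATION_WINDOW = timedelta(hours=48)  # assumed look-back period


def index_online_failures(online_events):
    """Map account -> sorted timestamps of blocked online cash-out attempts."""
    failures = defaultdict(list)
    for ev in online_events:
        if ev["channel"] == "online" and ev["outcome"] == "blocked":
            failures[ev["account"]].append(datetime.fromisoformat(ev["ts"]))
    for stamps in failures.values():
        stamps.sort()
    return failures


def score_call(call, failures):
    """Return (needs_step_up, reason) for one call-center request."""
    if call["action"] not in HIGH_RISK_PHONE_ACTIONS:
        return False, "low-risk request"
    now = datetime.fromisoformat(call["ts"])
    recent = [f for f in failures.get(call["account"], [])
              if now - CORRELATION_WINDOW <= f <= now]
    if recent:
        return True, (f"{len(recent)} blocked online cash-out attempt(s) in the "
                      f"prior 48h; route to step-up authentication")
    return False, "no recent blocked online activity"


def review_calls(online_events, phone_events):
    """Score every phone request against the online channel's history."""
    failures = index_online_failures(online_events)
    return {c["call_id"]: score_call(c, failures) for c in phone_events}


# Constructed sample events (hypothetical account ids and timestamps).
ONLINE_EVENTS = [
    {"channel": "online", "account": "A-1001", "ts": "2009-07-01T09:12:00", "outcome": "blocked"},
    {"channel": "online", "account": "A-1001", "ts": "2009-07-01T09:20:00", "outcome": "blocked"},
    {"channel": "online", "account": "A-2002", "ts": "2009-06-20T14:00:00", "outcome": "blocked"},
]
PHONE_EVENTS = [
    {"call_id": "C-1", "account": "A-1001", "ts": "2009-07-02T10:05:00", "action": "wire_transfer"},
    {"call_id": "C-2", "account": "A-2002", "ts": "2009-07-02T10:30:00", "action": "wire_transfer"},
    {"call_id": "C-3", "account": "A-1001", "ts": "2009-07-02T10:40:00", "action": "balance_inquiry"},
]

if __name__ == "__main__":
    for call_id, (flag, reason) in review_calls(ONLINE_EVENTS, PHONE_EVENTS).items():
        print(call_id, "STEP-UP" if flag else "ok", "-", reason)
```

Only C-1 is routed to step-up: C-2's blocked online attempt is outside the window, and C-3 is a low-risk request.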