Identity Thieves Dialing In To Call Centers To Finish The Job


Organized crime rings increasingly are targeting the call centers of financial institutions, which already are reeling from constant denial-of-service attacks, according to a new report.

Phishing and other common attacks conducted by organized cybercriminals sometimes yield enough information about an individual to trick call center operators into giving attackers complete control over a victim's account, said Shirley Inscoe, a fraud expert and senior analyst at Aite Group. Inscoe interviewed executives at 19 of the top 40 U.S. financial institutions. The executives identified a disconnect between IT security teams that deal with cybercriminal activity and the actual fraud happening over the phone.

"If the fraudster gets one additional piece of data about that customer, they are happy and they can do this repetitively and get all the information they need to ask for a password to reset or set up online banking for first time," Inscoe told CRN. "The service representative's focus is not on antifraud measures, it's on taking care of the customer's needs and handling the call as quickly and efficiently as they can."

 

[Related: Top 10 Password Data Breaches Evoke Urgency For Stronger Credentials]

The results of Inscoe's study mean there is more opportunity for service providers and resellers to sell additional antifraud measures into contact centers. Voice biometrics, in particular, may be ready for broader adoption, according to Inscoe. Fraudsters are taking notice of the increased volume at call centers due to ongoing denial-of-service attacks, Inscoe said, adding that when contact center operators are inundated with calls, they take shortcuts and make errors they might not typically make.

Standard high-volume contact centers have been using knowledge-based authentication, typically challenge and response questions based on information gleaned from a variety of publicly available databases and credit reports, but its effectiveness has eroded. The verification questions are being defeated because attackers are gaining access to those databases, fraudulently retrieving a person's credit report and other details through social networks and blog posts.

"Sometimes the bad guys know the answers to the [knowledge-based authentication] questions better than the real customers do, and oftentimes the customer gets irritated when they don't know the answer to a challenge question," Inscoe said.

In March, Equifax and other credit bureaus publicly acknowledged data breaches that exposed credit files. Often, attackers are defeating authentication measures designed to protect third-party access to victims' credit reports to gain access to the sensitive information. The problem also was highlighted when a Wired reporter had his identity stolen last year. Tech support at Amazon gave a key piece of information over the phone that enabled Apple to release information, giving the attacker control of the reporter's iCloud account and other services.

Solution providers told CRN that systems such as voice biometrics, which mitigate call center fraud, are a niche market. Smaller firms are not interested in additional features and technology, but larger firms with high call volumes are likely candidates, said Kevin Smith, a consultant and technician at eSmith IT, a Huntersville, N.C.-based partner of Fonality, a maker of PBX systems based on the open-source Asterisk project. Asterisk makes it relatively easy to add features and capabilities when a client needs them, Smith said.

"Even though a lot of clients have the ability to record and review inbound calls, we see that feature rarely being utilized," Smith said. "Antifraud measures are something larger call centers might employ."

NEXT: Call Center Fraud Handled By Established Vendors