
Criminals Still Turning to the Telephone to Perpetrate Bank Fraud

Posted on: May 15th, 2012 by art

When it comes to bank fraud, criminals may be leveraging technology to outsmart the latest online security tools, but they haven’t forgotten about the telephone. In fact, some studies suggest that crooks are finding more ways to use the phone to commit bank fraud.

In the UK Cards Association report, the payment card information resource found that telephone banking fraud losses increased 32% in 2011, from £12.7 million in 2010 to £16.7 million last year. In my experience, these numbers are particularly relevant because the UK fraud experience is similar to that in the US, outside of counterfeit fraud, where the UK has chip and PIN built into the cards.

To defraud financial institutions and banking customers, criminals need to collect personal security details. This data is seen by thieves as the keys to the vault, and they will do anything they can to get their hands on the information they need to access bank accounts.

Aside from mining social media websites like Facebook to gather data and build personal profiles on unsuspecting victims, criminals are turning to the telephone to dupe customers into divulging their personal information. Spoofing their Caller ID, crooks socially engineer customers by pretending to be bank representatives asking them to provide their account details such as passwords. This is the identity theft portion of the crime. Once they’ve collected enough details on a person, the next step is identity fraud.

There are many ways criminals can perpetrate identity fraud, both online and over the telephone channel. With banks offering more ways than ever for customers to bank online, in recent years financial institutions have invested heavily in security tools to protect online channels. While this has helped reduce online banking fraud losses (which fell 24% in the UK from 2010 to 2011), banking institutions need to consider solutions that help banks identify and stop fraud over low-tech channels, as well.

The TrustID® network-based Physical Caller Authentication is one solution that stops criminals that are spoofing their Caller ID from social engineering call center agents. By automatically validating the physical location of the incoming call before the phone is answered, TrustID instantly lets bank representatives know when the Caller ID or ANI is spoofed. This level of real-time telephone forensics allows financial institutions to determine whether the call is from a legitimate customer or a criminal who has manipulated their Caller ID to commit fraud. Doing so helps banks on several levels — from reducing telephone fraud losses and call center operating costs by eliminating the time to handle bad calls to achieving regulatory compliance through multi-factor authentication required by the new FFIEC Authentication Guidance.


Can banks be found negligent for not meeting FFIEC guidelines?

Posted on: May 8th, 2012 by art

Over the past year, a lot of attention has been placed on the FFIEC Authentication Guidance, and the recommendations for safeguarding confidential company and customer information.

In many ways, security guidelines tend to supersede actual legislation because they provide specific direction on what steps financial institutions need to take to protect their critical assets from fraud. But now there’s new cause for concern if banks don’t adhere to the FFIEC guidance: class action lawsuits.

In the BankInfoSecurity article, “FFIEC: Impact on Consumer Accounts,” Joseph Burton, information security legal expert with Duane Morris LLP, warns that if banks and credit unions don’t expand their security beyond commercial accounts to also include retail accounts, they could expose themselves to legal woes by consumers whose online accounts are breached or hijacked by phishing or other social engineering techniques.

Burton said many banks typically don’t worry about reasonable security and negligence on the retail side because the Electronic Funds Transfer Act (Regulation E) protects consumers against paying for unauthorized transactions. But while Regulation E doesn’t address a bank’s liability on consumer accounts, the FFIEC’s Authentication Guidance does.

“The FFIEC was a godsend to plaintiffs in that regard — a guidance, a near-regulation — that if you have banks not following it, you’ve got the perfect storm to declare them negligent… You’re dead today if you don’t take the FFIEC guidance on both levels.”

According to Burton, the FFIEC makes no distinction between education for commercial versus retail accounts. This would mean that banks focusing only on enhancing authentication techniques to protect customers and members hit by corporate account takeovers can potentially be found negligent if they ignore security for consumer or retail accounts.

In 2009, the case Shames-Yeakel vs. Citizens Financial Bank found the bank liable under a theory of negligence because it was responsible for protecting the account, as well as the account holder, from identity fraud. Because the compromised account was a commercial account being used for personal payments, the court did not consider Regulation E.

With the line between commercial-use and consumer-use becoming more and more blurred, Burton added that financial institutions that lack layers of security and multifactor authentication on both the commercial and retail side could potentially be found negligent if they are hit with a lawsuit.

“Shames-Yeakel is a case very similar to one that consumer accounts would be involved in. I see potential liability, based on negligence, and the bank’s failure in that case to follow the FFIEC guidelines. That, to me, is evidence of negligence.”

Following the guidance to the letter for both commercial and retail accounts is the best way for banks to meet the FFIEC’s multifactor authentication best practices for identifying customers and to protect themselves from the legal woes, including class action suits, that can stem from breached retail accounts.

With today’s innovative criminals perpetrating ACH fraud against commercial and consumer accounts across all banking channels, financial institutions need to deploy authentication solutions that enable them to proactively identify criminal activity on all fronts, including the telephone channel. The TrustID® network-based Physical Caller Authentication tool is a front-line defense that identifies and stops criminals before they cross enemy lines.

By automatically validating the Caller ID and ANI before the incoming call is answered by a bank’s contact center agent, TrustID allows financial institutions to stop criminals before they can attempt to socially engineer bank representatives over the phone. Combined with other traditional methods of authentication to identify customers, TrustID provides banks and businesses with an extra layer of defense to protect banking accounts and meet the FFIEC’s guidelines for true multifactor authentication.


Consumers: How to avoid dangerous and costly telephone scams

Posted on: May 1st, 2012 by art

Criminals are after your personal information and money, and the telephone is one of the most popular ways to do it.

Merriam-Webster first added the new slang word “phish” to its dictionary in 2005. Phish (verb): to send an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

Well, now there is an even newer word for the fast-growing risk. Vishing, or “voice phishing,” is a type of scam that criminals use over the telephone to obtain consumers’ personal information and money. The way it works is a fraudster calls someone on the phone, but makes the call appear to be coming from someone else by “spoofing” or altering the Caller ID that the consumer sees on the display.

This scam has gotten so common that if your caller ID display indicates the call is coming from your bank, there is a reasonable chance that it is not.

In this type of Vishing attack, you will receive a call to your home or wireless phone from a “live” person or recorded message that appears to be coming from a known reputable institution. The caller will ask for money or your personal information.

Fraudsters are also luring victims to seemingly credible toll-free phone numbers where an automated recording asks for account information. Those who call the fake customer service number are greeted with a pirated recording of an automated voice system, ostensibly for the reputable institution, and are requested to enter their card number to authenticate themselves. They are then led through a series of voice-prompted menus that ask for their PIN code, card expiration date, date of birth, and other critical pieces of information. Once the victim enters these details, the scammer has enough information to commit identity fraud.

What do Vishing scams look like?

  • Typically, an incoming recorded telephone message using a spoofed Caller ID that matches the identity of a misrepresented organization.
  • An urgent email or text message from a known institution that directs you to a bogus toll-free number.
  • An invitation to punch your personal information on your telephone keypad. From there, criminals capture the key tones and convert them back to a numerical format.

Characteristics of Vishing:

The content of the incoming message generally is not personalized, and is designed to trigger an impulsive reaction such as:

  • Upsetting or exciting information
  • Demanding an urgent response
  • Using a false pretense

What data is at risk?

Any numerical personal information, including:

  • Payment card information (numbers, expiration dates, and the last three digits printed on the signature panel)
  • Personal identification number (PIN)
  • Social security number
  • Date of birth
  • Bank account numbers
  • Passport number
  • Driver’s license number

How do crooks use your information?

Once your personal details have been stolen, fraudsters can use them to perform any number of identity crimes, including:

  • Take control of your financial accounts
  • Open new bank accounts
  • Transfer bank balances
  • Apply for loans
  • Obtain credit cards and other goods/services
  • Make luxury purchases
  • Hide criminal activities
  • Receive government benefits, or
  • Obtain a passport

What can you do to reduce your risk?

  • As a general rule, be suspicious when receiving any unsolicited incoming texts or telephone communications.
  • If an email or caller does not use your full name, it may be suspicious.
  • DO NOT use the number provided to call back.
  • If you are asked for sensitive information, hang up.
  • Never provide personal information in these circumstances.
  • Never rely solely on your telephone Caller ID function.

What to do if you suspect fraud:

  • Consumers have a role to play in stopping Vishing scams. You are encouraged to recognize, report and stop it.
  • Do not react immediately without thinking.
  • If this concerns you, investigate by using telephone numbers known to be valid. In the case of credit cards, for example, use the telephone number printed on the back of the card.
  • Never provide personal or financial information to non-validated sources.

Vishing scams target all types of individuals. It doesn’t matter if you are an employee, consumer or student. Continuing to educate yourself about the latest fraud tactics that criminals use to steal personal or financial information can play a critical role in protecting your identity, money and confidential information from getting into the wrong hands.


How effective are challenge questions in identifying banking customers?

Posted on: April 25th, 2012 by art

Over the past year, I’ve written extensively on the issues with using simple challenge questions or more elaborate “out of wallet” or knowledge-based authentication (KBA) questions to identify banking customers.

In the recent interview with Tracey Kitten of BankInfoSecurity, “FFIEC: How Well Do Banks Conform?” Gartner analyst and fraud expert, Avivah Litan, expounds on some of these same industry challenges as they relate to the new FFIEC Guidance. She mentions that many banks are:

“Moving from simple challenge questions to follow the explicit guidance in the FFIEC update about using the more elaborate KBA or out of wallet type questions provided from public data aggregators.” 

Avivah added that out of wallet questions can be expensive, and that it “remains to be seen how effective they work.”

Having had oversight of such processes during my career, I truly can appreciate the dilemma that banks and other institutions face. They are under extreme regulatory pressure to ensure they are adequately protecting their customers from identity theft, and as a result, they are authenticating every customer they interact with. But there needs to be a balance between managing fraud exposure, negative customer experience, and operational costs.

As I talk to many senior fraud and operations executives, the real struggle is not just what type of authentication products to utilize, it’s knowing when to deploy them and which customers to use them against. Every call that comes into banks today is not a credentialed call. They cannot be trusted, period. As such, the challenge is answering these critical questions:

  • Which calls should be trusted?
  • Which calls should require challenge questions?
  • At what stage of the interaction should authentication tools be used?
  • What are the costs and customer impact to using these tools?

Answering these important questions of what tool to use, and when to use it, is critical to a bank’s overall operation. It’s what will determine the operational costs, customer experience and fraud protection. Deploying technology without fully understanding the impact and effectiveness of new tools has driven up customer dissatisfaction and is, in part, what has driven the FFIEC Guidance specifically related to Authentication.

While there is certainly a place for KBA and voice biometrics, this is where the TrustID® network-based Physical Caller Authentication tool takes a unique approach to authenticating customers dialing into a bank’s call center. Rather than base the level of customer authentication on what the caller is requesting, such as adding an authorized user, TrustID allows banks to route the incoming call based on the authenticity of the actual call. By making the Caller ID and ANI a trusted resource for identifying customers over the telephone, TrustID provides a strong certainty that the incoming call is truly the customer. Doing so also eliminates the conversation criminals rely on to socially engineer bank representatives.

By automatically validating the physical location of the caller before the phone is answered, financial institutions can proactively identify fraudulent calls and address good customer inquiries faster, all without putting them through burdensome and costly telephone interrogations that are required by KBA solutions. In turn, if the TrustID solution deems the incoming call spoofed or altered, or determines that the source of the call is not trustworthy, then regardless of the customer request the bank may want to route the call to a representative for a second level of questioning.

Now that the bank has a much smaller population of customers they need to deploy expensive KBA towards, they can reduce costs, dramatically improve the customer experience through reduced interrogation for the majority of good customers, and fulfill the FFIEC’s multi-factor authentication best practices for identifying customers.

Today it is paramount for banks to develop a mutual ongoing trust with their customers. By allowing financial institutions to invisibly identify and stop telephone fraud before it happens, TrustID improves the level of customer service that’s critical to protecting customers, reducing fraud rates, and maintaining the sacred trust between banks and their valued customers.


Fraud survey shows banks concerned about FFIEC compliance, best security investments

Posted on: April 17th, 2012 by art

The new FFIEC security guidelines may be raising fraud awareness and motivating banks to invest in anti-fraud technologies, but results from the 2012 Faces of Fraud survey highlight ongoing confusion around compliance and concerns around the right investments and resources to reduce fraud risks.

In the article, “Fraud Survey: Banks Get Bigger Budgets,” 58% of the banks and credit unions surveyed said they will see increased investments in fraud resources of 10-20% in 2012. However, only 11% said they have conformed to the updated guidance, with half saying they don’t conform now and 29% unsure of their current state of conformance with the FFIEC recommendations.

Other key survey findings included:

  • 61% of respondents plan to enhance fraud detection and monitoring systems within the next 12 months. Improving staff training (49%) and enhancing customer and member education efforts (43%) rounded out the top three planned investments.
  • 84% of financial institutions said credit and debit fraud was their top threat, with only 41% saying their organization was not prepared to prevent and detect fraud.
  • Half of the respondents ranked Phishing and Vishing (Socially Engineered Schemes) as the third highest threat, with only 28% believing they could detect and prevent such attacks.

While the updated FFIEC guidance has played a central role in driving financial institutions to consider security investments, Gartner analyst, Avivah Litan, said the survey results tell just how much banks are struggling to figure out the best investments and security technologies that will allow them to comply with authentication guidelines and enhance their ability to detect cross-channel fraud.

“The survey results reflect the confusion among most banks as to what’s expected of them when it comes to practical technical solutions. Many banks are wondering if they need to switch their modus operandi for challenge questions, to follow the explicit guidance in the FFIEC update about using the more elaborate and expensive challenge questions from public data aggregators.”

The problem with challenge questions used in more traditional knowledge-based authentication (KBA) solutions is that today’s more tech-savvy criminals, prepared with the right personally identifiable information (PII), can defeat such methods. This is why the FFIEC’s updated recommendations include a multi-factor authentication strategy for detecting fraud threats over all banking channels, including the telephone channel.

Despite many banks using both passwords and KBA techniques to identify customers, these two methods only satisfy one authentication criterion (“Something you know” [e.g., password, PIN number, PII]), as defined by the new FFIEC authentication guidelines. A security solution such as the TrustID® network-based Physical Caller Authentication tool, which doesn’t rely on non-predictive PII to identify banking customers over the telephone, fulfills a separate authentication criterion (“Something you have” [e.g., ID or ATM card, security token, telephone]).

Using both methods to identify customers helps financial institutions conform to updated authentication recommendations and provides a necessary multi-layered defense against more dangerous forms of fraud that many fraud experts recommend for protecting all banking channels.


A single layer of authentication is an “open door” for bank fraud

Posted on: April 10th, 2012 by art

In today’s fraud landscape, a single layer of authentication can be an open door invitation to fraud. These may sound like harsh words, but the fact of the matter is, they’re true. Any financial institution that relies on one security technology is going to run into trouble. If not today, then some time down the road. It’s really just a matter of time.

The recent Investors.com article, “Zappos Breach Shows Hacker Hits Just Keep Coming,” hits the nail on the head in regard to layered security. Despite technology improvements, even the most secured companies with layered security can be penetrated to a certain degree, said Amir Orad, CEO of the financial services security firm, Nice Actimize.

“It shows the value of layered security. One has to assume that some of the layers will be breached — if not today, then tomorrow.”

Having a multi-layered defense that includes two-factor identification technology can make a big difference in how far a perpetrator gets and how much confidential customer or company data they get away with. This is why the new Federal Financial Institutions Examination Council (FFIEC) security guidelines call for banks to use layered authentication to minimize the risk of fraud. More specifically, having at least two of the following three categories is essential to meeting these authentication criteria:

     1. “Something you know” (e.g., password, PIN number, personally identifiable information [PII])

     2. “Something you are” (e.g., fingerprint, retinal pattern, DNA)

     3. “Something you have” (e.g., ID or ATM card, security token, telephone)

Most banks use both passwords and knowledge-based authentication (KBA) techniques (security questions) to identify customers. The problem is both of these methods fall within the same (“Something you know”) category. This not only leaves financial institutions susceptible to criminals who know all the information, it also means they are not in compliance with the FFIEC’s new multi-factor authentication recommendations.

When it comes to one of the most widely used banking channels today — the telephone — the TrustID® network-based Physical Caller Authentication tool takes a unique approach to authenticating customers dialing into a bank’s call center. Instead of relying on what the caller knows, TrustID makes the telephone number a valid “Something you have” credential by automatically validating the claim of Caller ID and ANI before the call is answered. This, combined with authentication methods that use KBA, PII or PIN numbers to identify customers, gives banks a critical layer of defense needed for protecting customer and company data, and at the same time, helps them meet the FFIEC’s guidelines for true multi-factor authentication.

 


Financial fraud experts recommending a layered security approach

Posted on: April 3rd, 2012 by art

Ever since criminals discovered how to use stolen personal information to apply for credit or socially engineer their way into another person’s bank account, security experts have warned against relying on knowledge-based authentication (KBA) to identify customers.

In the blog, “New credit card data breach revealed,” Gartner fraud analyst, Avivah Litan, said in light of the recently disclosed VISA and MasterCard data breach, businesses need to expand their security defenses beyond traditional KBA methods that are constantly being bypassed by determined crooks.

“A layered approach is always best, since you have to assume the bad guys will get through one or two or even three layers.”

Litan recommends against using knowledge-based authentication and other types of personally identifiable information (PII) methods on administrative accounts, and I couldn’t agree more.

Taking a layered approach to prevent fraud is essential to fighting today’s savvy criminals, who actually take advantage of the reliance and trust that companies put into KBA and PII solutions to defend their customers’ data and confidential company information. The problem is, once a thief has successfully beaten KBA, they’re in without further questions. This is why a multi-layered security defense is so important.

It’s cases like the VISA and MasterCard data breach and the Paul Allen debit card breach, where the Microsoft founder’s bank account details were stolen via a call center dupe, that have security experts like Litan pushing for a layered security approach that spans across all customer channels.

An authentication solution that doesn’t rely on the customer’s personal information can be a valuable tool for identifying customers over the telephone channel. With the TrustID® network-based Physical Caller Authentication solution, financial institutions can automatically validate customers calling into their contact center before the phone is answered. By re-establishing the Caller ID and ANI as a trusted resource for identifying customers over the phone, TrustID eliminates the conversation criminals depend on to socially engineer bank telephone agents, and provides an additional layer of authentication that banks need in today’s dangerous fraud landscape.


Despite heavy security investments, identity theft and fraud continue to proliferate

Posted on: March 27th, 2012 by art

The Federal Trade Commission recently published its annual 2011 report on consumer complaints. The report, “Consumer Sentinel Network Data Book,” lays out in extensive detail the types and frequencies of reported complaints to the FTC from consumers. Here are a few pertinent points from the report:

  • The CSN received over 1.8 million complaints during calendar year 2011
  • Identity theft was the number one complaint category in the CSN for the calendar year
  • A total of 990,242 complaints in 2011 were fraud-related
  • For military consumers, identity theft was the number one complaint category
  • Government documents/benefits fraud (27%) was the most common form of reported identity theft, followed by credit card fraud (14%), phone or utilities fraud (13%), and bank fraud (9%). Other significant categories of identity theft reported by victims were employment fraud (8%) and loan fraud (3%).

Personally, I think it is very telling that the top two complaints are identity theft and fraud. These two categories are inherently related, connected at the hip, if you will, because criminals essentially steal identities to commit fraud.

The second important takeaway for me was that despite all of the heavy investment banks and other institutions are making to safeguard customer information, particularly in the online channels, identity theft and fraud continue to proliferate. This is quite alarming.

Over the past several months, I’ve written a number of blogs that talk about the need to bake cyber security and risk management into all customer channels, including ATMs, Internet and the telephone.

One of the reasons telephone fraud and social engineering have picked up in recent years is the fact that criminals now have the ability to access or change an address or account data that is necessary to perpetrate larger and more profitable online crimes. Once a criminal controls a customer’s information – primarily through the telephone channel – criminals use the newly acquired personally identifiable information (PII) to commit crimes through the online channel.

Financial institutions that ignore the telephone channel as a primary source for fraud and don’t address the same security and authentication requirements as the online channel will continue to put themselves at risk, as the CSN report painfully articulates.

The fact is, if you want to automate business processes, enhance customer communications, and take advantage of new technologies, you have to “bake” cyber security and risk management across all customer channels.

Deploying an effective, non-intrusive identity authentication tool like the TrustID® network-based Physical Caller Authentication enables financial institutions to convert ANI and Caller ID into a powerful physical security and customer authentication tool that can be used to close the security gap that too many bank call centers still operate with today.

An identity authentication solution that helps banking institutions protect the telephone channel by making the phone number a valid “Something you have” authentication credential is an essential piece of the FFIEC’s multi-factor authentication paradigm for identifying customers. By automatically validating the physical location of the caller before the phone is answered, financial institutions proactively identify fraudulent calls and address good customer inquiries faster, all without putting them through burdensome telephone interrogations that are required by other knowledge-based authentication (KBA) solutions.


Security analysts warn banks about rise in call center fraud

Posted on: March 19th, 2012 by art

Telephone banking scams are nothing new. Call centers were once a hot target, but security measures eventually forced criminals to turn to the online channel. Now that so many financial institutions have invested heavily in security tools to detect and stop online fraud, fraud analysts like Gartner’s Avivah Litan are warning that banking institutions need to shift their attention back to authenticating and verifying customers at the call center.

In the BankInfoSecurity article, “How to Stop Call Center Fraud,” Aite fraud analyst Julie McNelley said call centers are once again becoming a sweet spot for fraudsters, particularly with the top-tier U.S. banks.

“In October 2011, I published a piece about where financial institutions were feeling the most pain, and one of the responses to that was the call center… The call center was a concern among larger institutions.”

Interestingly, Matt Speare, who oversees security at M&T Bancorp, said one of the reasons large institutions have more trouble with call-center scams is because the larger they get, the further removed they are from their customers.

“The larger you get, the more extraction you have between the customer and the call center. In a smaller institution, the people who answer the phone are more likely to know the customer, so they won’t be so easily fooled.” 

Speare added that banks undergoing conversions linked to acquisitions can be vulnerable to social engineering schemes, something his company experienced in 2011.

“Any time there is a change event, like an acquisition, there is opportunity for a fraudster to exploit a weakness… We did not see anything significant, but we did see an uptick. You have acquired customers being migrated over, usually over a weekend, and the bad guys know that’s going to occur. So they will attempt to hit you on the day that conversion is going on.”

Fraudsters typically set the social engineering trap by building a profile from personal information they’ve collected online. When they call a bank’s call center to open an account or change credential information on a legitimate account, they are fully armed with the data needed to answer specific account or security questions required by knowledge-based authentication (KBA) solutions.

Once they’ve convinced the customer service representative they are the accountholder, they can prompt the accommodating call center agent to provide more information and even make changes to the account. This, of course, puts the criminal in position to clean out the bank account.

One of the most effective ways to reduce Caller ID spoofing and social engineering crimes over the telephone channel is validating the Caller ID and ANI. Unfortunately, today’s sophisticated social engineering schemes outsmart more traditional telephone authentication methods, like KBA, that rely solely on personally identifiable information (PII). To recognize call center fraud, banks need to proactively identify fraudulent calls before the phone is picked up.

By automatically determining the physical location of the landline phone or mobile device before the call is answered, the TrustID® network-based Physical Caller Authentication solution gives financial institutions a leg up on criminals attempting to socially engineer banks over the telephone. Invisible to criminals and non-intrusive to legitimate customers, TrustID uses the Caller ID and ANI as trusted credentials for authenticating customers, and in doing so, helps banks stop call center fraud and improve the overall customer experience.


TrustID eliminates game of wits with sophisticated bank criminals

Posted on: March 13th, 2012 by art

When it comes to credit card fraud, financial institutions follow rigorous processes to catch identity theft and fraudulent transactions. On the Internet, their online fraud teams deploy any number of IT security solutions to help identify and stop cybercrime. This is not the case, however, with the telephone channel, which continues to be the missing link that aids bank fraud.

If this didn’t already leave banks vulnerable to low-tech banking scams, many of the banking institutions that do include the telephone channel in their security strategy still rely on non-predictive personally identifiable information (PII) to spot fraud. The problem with this method of customer authentication is that the security questions call center agents ask customers over the telephone are too easily defeated by today’s Internet-savvy identity thieves, who can collect enough information online to answer bank questions.

With Caller ID spoofing trickier, and more prevalent, than ever before, financial institutions can no longer afford to trust unvalidated Caller ID and ANI claims to determine whether a call is authentic or not. The way I see it, engaging in a game of wits with highly sophisticated criminals is a losing proposition because knowledge-based authentication (KBA) solutions alone don’t stand a chance against cleverly crafted social engineering schemes.

When it comes to identifying criminals over the telephone, wouldn’t it make sense to use the phone to identify fraud? While telephonic authentication as we know it is dying, there are reliable authentication tools that re-establish Caller ID and ANI as trusted credentials for identifying customers over the phone.

By automatically confirming the physical location of the landline phone or mobile device before the inbound call is answered, the TrustID® network-based Physical Caller Authentication solution uses Caller ID and ANI as validated sources to instantly authenticate legitimate customers and identify fraudulent ones. By spotting criminals before the call is picked up, TrustID eliminates the manipulation of IVR systems and human interaction that criminals need to socially engineer banks.

The truth is, the rules and regulations for stopping bank fraud on multiple platforms are constantly changing. While many financial institutions have invested in comprehensive strategies to reduce online crimes, including the telephone channel in any bank’s security arsenal is essential for reducing fraud in one of the most widely used banking channels available — the telephone — and gaining an additional layer of identity authentication that’s necessary for protecting customer accounts and confidential banking information.
