Archive for the ‘Banking Fraud’ Category

Authenticating caller party numbers shouldn’t be a masquerade ball

Posted on: May 15th, 2013 by art

The challenge of spotting criminals over the telephone channel often plays out like a game of cat and mouse. Crooks use false information to mask their true identities. After spoofing their caller ID to make it look like someone else is calling, they try to convince call center agents they are genuine banking customers.

Armed with enough personally identifiable information (PII) to apply for credit, activate bank cards, transfer funds and defeat PII-based authentication solutions, many criminals continue to successfully socially engineer bank representatives by correctly answering the security questions required by more traditional knowledge-based authentication (KBA) tools.

From an authentication standpoint, the call center environment has turned into something of a masquerade ball of disguises, where it’s anybody’s guess as to who is who. The financial services industry can no longer operate in a guessing-game environment. Fielding more than 50 billion calls a year, call centers need to have the appropriate tools in place to quickly and accurately authenticate all inbound calls.

As criminals do everything they can to slip past PII-based authentication solutions, it’s more important than ever for financial institutions to deploy effective security measures that identify customers in real time.

Using a patent-pending telephone firewall that includes telephony databases, real-time network forensics and specialized analytics, the TRUSTID® Physical Caller Authentication tool authenticates the calling party number before the call center agent picks up. This allows banking institutions to prevent spoofed calls from being routed to bank representatives, and in doing so, call center agents don’t waste their time interrogating known high-risk calls. Instead, they spend more time servicing good customers and improving the overall customer experience.

With the volume of customer calls increasing every year, operational efficiency is becoming a key component in the authentication process. By invisibly identifying risky calls and not interrupting the customer service process with unnecessary telephone interrogations, TRUSTID helps banks unmask criminals before they’re allowed into the party.


Researchers find flaw in two-factor authentication system

Posted on: March 6th, 2013 by art

The idea behind two-factor authentication is to provide a multi-layered security defense that allows good users to safely access their accounts while preventing criminals from illegally accessing other people’s accounts. In theory, this is a sound method that many of today’s financial institutions use to authenticate their customers over various banking channels.

Implementing more effective security initiatives is also a byproduct of stronger federal guidance from bodies like the FFIEC (Federal Financial Institutions Examination Council), which recommends that banks deploy at least two factors of authentication as defined by its 2011 Supplement to the Authentication.

Sometimes, however, even effective security measures can fall short of their goal.

This was widely illustrated last week when researchers announced they had found a loophole in Google’s two-factor authentication system. In the article, “Google Two-Factor Authentication Bug Allowed Account Hijacking,” Duo Security reported that the search engine giant’s two-step verification system for authenticating users had a flaw that could allow accounts to be hijacked — the very thing the security platform was designed to prevent.

This is yet another case where a company that has done its due diligence to implement a multi-layered security strategy still had vulnerabilities within its system that could allow criminals to sneak past its authentication processes.

This is why financial institutions need to understand the importance of having at least two factors of authentication, which still may not be enough to secure online accounts. Shortcomings like those revealed last week could apply to other customer channels as well.

Take, for example, the telephone. Today, banks still use knowledge-based authentication (KBA) solutions to identify their customers over the phone. For many, KBA (“something you know”) is a critical piece of their verification strategy. It’s also part of the FFIEC’s two-factor authentication criteria, along with “something you are” (fingerprint, DNA, retinal pattern) and “something you have” (ID card, security token, telephone). Unfortunately, KBA has become a solution that thieves have proven they can beat time and time again.

KBA is designed to ask callers security questions that only the customer would know, but crooks can now slip past it by combining identity theft with social engineering. By correctly answering challenge questions, criminals can ironically break down a security barrier that was precisely designed to keep them out in the first place.

I’m not saying that using passwords, personally identifiable information (PII) or PIN numbers is worthless for customer authentication, but exposure to social engineering schemes over the telephone can pose a weakness in two-factor authentication systems. It’s because of vulnerabilities like these that the FFIEC recommends at least two factors of authentication for defending banking networks and their customers from today’s criminal threats.

How pre-answered caller authentication helps prevent telephone bank fraud

Posted on: February 20th, 2013 by art

Prevention vs. clean up. It’s a security question all financial institutions should ask themselves.

When it comes to providing a trusted customer environment, banks are typically better at resolving problems stemming from non-predictive authentication and fraud than at preventing them. That’s because they continue to allow criminals to get a foot in the door.

What I mean by this is that when banking customers place a call to a contact center, the very act of answering the telephone sets the stage for criminals to start their elaborate social engineering schemes. And once the dialog starts, anything goes.

Javelin’s director of security, Phil Blank, has long said when it comes to safeguarding customer environments, the biggest challenge is prevention. Done right, however, it can also have the biggest payback for both the bank and customer.

The typical scenario for customer calls looks something like this. A call center agent picks up the phone, then proceeds to ask the caller for their customer ID and social security number. Based on the level of information the customer is requesting, the bank representative may ask a number of challenge questions. At this point, they’ve already taken up a minute or more of the customer’s valuable time using knowledge-based authentication (KBA) methods that, quite frankly, can no longer assure that the person on the other end of the line is who they say they are.

In today’s many banking channels, criminals armed with the right personal and financial details they’ve collected over the Internet can convincingly impersonate an actual banking customer. In the telephone channel, for example, the very moment they’re able to talk with a call center agent, they have the upper hand.

Whether the caller is a valid banking customer or an impersonator, telephone interrogations impact banks and their customers in several ways, including:


  • Employee costs: Every second a bank spends validating and serving its customers counts. If a bank’s contact center agents still rely on KBA for customer identification, the bank is likely overspending in many areas of identity authentication, including employee training, security systems and other internal processes.
  • Bank-customer relationship: Burdening customers with lengthy interrogations tests the goodwill of customers and impacts the overall customer experience. This can put a heavy toll on the profitable bank-customer relationship that’s important to any bank’s overall success.
  • Non-predictive authentication: Because personally identifiable information (PII) is used to socially engineer banks, it is not predictive for positively identifying customers calling into a contact center. Therefore, financial institutions should not rely solely on PII for identity authentication.

The TRUSTID® Physical Caller Authentication solution helps banking institutions solve these problems by validating all customer calls before they are answered. Using real-time telephone network forensics to proactively validate the physical location of the landline or mobile device calling the contact center, banks can determine the risk of each inbound call before it is picked up. This insight allows banks to eliminate the time spent authenticating bad calls and to serve good customers faster and more seamlessly. As a result, preventing high-risk callers from reaching bank representatives builds a safer banking environment and strengthens the bank-customer relationship, without the time, resources and costs associated with cleaning up fraud after it has already happened.

Can banks prevent social engineers from lying?

Posted on: February 13th, 2013 by art

In a world where security technologies work around the clock to stop cyber threats, sometimes the most deceptive and under-appreciated bank crimes can stem from the ancient act of lying.

The opening minutes of the new film, “Identity Thief,” show just how easy it can be to con someone into providing their private personal and financial details over the telephone. While it might seem unlikely that it could happen to you or your company, the scene illustrates how anyone answering the telephone, even a top accountant for a financial services firm, can be at risk.

We’ve spoken volumes about the various types of lies that criminals rely on to defraud banks. With most financial institutions fully invested in sophisticated hardware to detect and stop fraud over the Internet, recognizing when someone is lying over the telephone remains a risk that is hard to manage.

According to the article, “Social engineering: Clear and present danger,” skilled liars are taking advantage of information shared on online social networking websites to socially engineer their way into the corporate world. One of the ways banking institutions have tried to combat social engineering is to strengthen security policies that make their employees and customers more aware of the dangers they potentially face, said Jason Hong, CTO at Wombat Security.

“The underlying strategy and rationale for social engineering attacks is to circumvent all of the security measures in place by tricking people. For this reason, it’s critical for organizations to train people to be aware of the tactics that bad guys use, so that they can identify them and know how to react in given situations.”

The problem is that relying on individuals to identify a liar over the phone usually means knowledge-based authentication (KBA), which is essentially a set of challenge questions. The shortcoming of using personally identifiable information (PII) to detect criminals is that they can bypass it quite easily.

But what if you didn’t have to rely on intuition or defeatable security questions to detect when somebody is lying? What if you could spot a social engineer before he starts to lie?

Without relying on KBA or requiring your call center agents to determine whether someone is who they say they are, the TRUSTID® Physical Caller Authentication solution uses network-based forensic technology to automatically validate the caller’s phone location before bank employees pick up. By invisibly identifying whether a banking customer is real or not, financial institutions can eliminate the phone conversation a criminal depends on to socially engineer a bank.

Banks continually challenged with securing growing sales channels

Posted on: January 23rd, 2013 by art

Along with providing faster and more convenient ways to bank, financial institutions are constantly challenged with making sure all of their customer channels are protected. The problem with offering customers more tools to bank remotely is securing the growing number of sales channels without impacting the user experience.

While the recent Computerworld article, “How Emerging Technology Fights Fraud in the Call Center,” highlights the progress that banks have made detecting and preventing online fraud, there’s more to be done on other channels that criminals are turning to because of their lack of success over the Internet. Ori Bach, director of solution management for call center provider NICE Systems, said the potential for human error makes contact centers the weakest link in today’s enterprises.

“It’s a remote channel with a large human factor. As fraudsters have gotten less successful online, they’ve either moved solely to contact center attacks or to cross-channel attacks–starting in the call center and migrating to another channel using a credential they’ve attained.”

One of the points called out in the story is the fact that call center agents are not security experts. Their job is, first and foremost, to make the customer happy. The challenge with this is that telephone representatives not privy to the latest scams can be susceptible to fraud attempts. And it doesn’t stop there. The entire phone system can be at risk, too.

Today, it’s too easy for criminals to steal anyone’s personally identifiable information (PII) from social media websites. Someone with the right data and the capability to spoof Caller ID or ANI can, as the article suggests, “whiz past the typical call center authentication process.” That’s a frightening thought for any financial institution that doesn’t have proactive security measures in place to identify spoofed calls before they are answered.

That said, financial institutions should not rely on non-predictive PII to determine whether a caller is a real customer or a fraud. Too many security methods like knowledge-based authentication (KBA) are vulnerable to social engineering schemes because they depend too much on PII to catch crooks posing as customers on the telephone. And this says nothing about the damage that security questions can have on the goodwill of banking customers.

By automatically validating the location of the landline or mobile phone “pre-answer”, the TRUSTID® Physical Caller Authentication tool enables banks to invisibly identify crooks before they can attempt to fool a bank agent. Proactively identifying criminals in real time not only eliminates the need for unpleasant telephone interrogations that erode customer trust, it allows bank representatives to begin servicing customers immediately at the onset of the call, which improves the overall banking experience and plays a critical role in strengthening the profitable bank-customer relationship.

Security concerns prompting banks to invest in multi-factor authentication

Posted on: January 16th, 2013 by art

It shouldn’t come as a surprise to anyone that account takeover attacks are up around the globe. With fraud against financial institutions on the rise, what will banks be focusing on in the coming year? That’s the question recently posed to Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC).

The recent BankInfoSecurity article, “New Insight on How to Respond to 2013’s Top Fraud Trends,” suggests that fraud attempts against banks and credit unions will continue to increase this year. While the number of attacks is certainly a growing concern with the global banking community, it has also prompted financial institutions to take extra security precautions to help reduce the amount of losses resulting from account takeovers and other fraud attacks, said Nelson.

“[Account takeover] attempts are up, and we’re really seeing that around the world… The good news is that financial institutions are doing a good job to detect and prepare for these attacks.”

Because stronger security measures have contributed to a decline in actual fraud losses, Nelson believes the financial services industry will continue to see more investment in anomaly detection and multi-factor authentication in 2013 to help banks verify the increasing volume of customer transactions. We at TRUSTID strongly agree. Deploying a multi-factor authentication strategy can play a critical role in preventing fraud across all banking channels.

With tens of thousands of calls coming into bank call centers every day, financial institutions need a way to quickly and non-intrusively identify whether every customer call can be trusted or not. The TRUSTID® Physical Caller Authentication tool does this by verifying the physical location of the telephone calling in before the call is answered. By validating whether the call is coming from a legitimate customer or poses a risk, TRUSTID gives financial institutions an additional layer of authentication that allows them to serve good customers faster or stop known spoofed calls before a criminal has a chance to socially engineer a contact center agent.

In 2013, financial institutions investing in complementary authentication solutions like TRUSTID will achieve true multi-factor authentication that is recommended today for protecting banking channels from account takeovers and other unwanted criminal activity.

Combating bank fraud that targets user behavior

Posted on: January 2nd, 2013 by art

Even with fraud defenses in place, individuals are still the ones who have to ultimately make banking decisions that could put them at risk. In other words, while anti-fraud technologies are designed to provide red flags and help detect fraudulent transactions, they can’t always stop people from being duped by clever social engineering schemes. That risk is often left up to the individual’s discretion, whether it’s a customer or employee.

The recent article, “How to Address Security’s Weakest Link,” explores one of the most inherent security vulnerabilities that banks face today — people. People are broadly recognized as a bank’s most valuable asset as well as its biggest weakness, and Matthew Speare, M&T Bank’s senior VP for information technology, said that no matter how much awareness effort is made, the ongoing challenge for every banking institution is to continually educate people about fraud trends while influencing user behavior.

“Whether it’s internal employees or customers, unfortunately, people end up being their own worst enemy, as well as ours.”

While today’s security strategies are largely focused on various technologies that protect banking channels and their customers, and rightly so, many see the value in incorporating educational programs to raise awareness around fraud and emerging social engineering schemes.

There’s no denying the role education can play in any bank’s anti-fraud strategy; however, it can be complemented with fraud prevention solutions that both educate and inform bank representatives about the level of risk of each customer call. The TRUSTID® network-based Physical Caller Authentication solution incorporates proactive fraud detection to instantly inform bank agents about the legitimacy of incoming calls.

By automatically validating the physical location of the telephone (landline or mobile device) before the call is answered, TRUSTID gives contact center representatives more insight into the call before they pick up. So, even when a criminal tries to manipulate their Caller ID or ANI in an effort to socially engineer a bank’s call center, financial institutions can instantly see if the call is coming from a legitimate customer, or if it poses a higher risk for fraud.

As a result of having a real-time customer authentication solution like TRUSTID that non-intrusively identifies legitimate customers and invisibly sees when criminals have spoofed their Caller ID — all before the call is answered — banks can make faster, better educated business decisions to reduce the risk of social engineering schemes that target unsuspecting customer care agents over the telephone channel.

10 bank fraud lessons of 2012

Posted on: December 26th, 2012 by art

As much as we’d like to think that remote banking is safe, the reality is that threats across all customer channels still exist. If we aren’t ready for them, we could find ourselves victims of these often preventable crimes.

Persistent criminals proved throughout the year that they aren’t going to stop anytime soon. With new and emerging threats facing financial institutions every day, banks need to stay one step ahead of today’s tenacious criminals. Throughout 2012, we’ve covered many issues around the threats and authentication solutions that directly affect call center environments.

As we gear up for a new year, I wanted to take a look back at some of the lessons of 2012, and what we learned that can help us better protect our customers and business information moving ahead. Here are some of the top stories and lessons we discussed:

1. Continued education is essential for fighting bank fraud: With crooks cooking up new schemes all the time, bank fraud teams need to keep up with the latest criminal trends and tactics.

2. Financial institutions could face liability for failing to prevent fraudulent transfers: Several court cases have ruled against banks for failing to detect and stop bad transactions despite having fraud defenses in place.

3. Exceptional customer service has become a banking necessity: The way banks service their customers can have a direct impact on customer satisfaction and retention.

4. Customers want a quick, safe and hassle-free banking experience: The best banking experience is one that resolves issues in a timely fashion without requiring anything from the customer.

5. FFIEC compliance means understanding true multi-factor authentication: To meet the FFIEC standards, banks need to understand the three categories for multi-factor authentication.

6. Out-of-band verification is counterproductive to compliance and security efforts: Knowledge-based authentication tools increase expenses, frustrate customers and don’t always stop criminals.

7. Ignoring the telephone channel leaves banks susceptible to social engineering: With all eyes on online banking, financial institutions need to also turn their focus on the call center.

8. Call center service has a direct impact on a bank’s bottom line: As one of the most frequent touch points for customers, poor service over the telephone can impact a bank’s ability to retain existing customers and attract new ones.

9. A single layer of authentication is an open door to phone fraud: Any bank call center still relying on a single layer to identify customers is setting itself up for trouble.

10. The call center is a growing target for bank criminals: Security analysts agree that call centers are once again becoming a sweet spot for fraudsters.

With the demise of Caller ID and ANI, banking institutions need to take proactive steps to ensure they meet new authentication guidelines to better detect and stop fraudulent transactions before they happen. They also need to continually educate themselves about fraud trends and re-evaluate their current security strategies to make sure they have the most effective authentication methods in place to stop evolving forms of fraud over all customer channels.

As we move into 2013, we appreciate you reading the TRUSTID blog. We look forward to discussing these and other important issues that affect the financial services industry, and what we can do to better protect our customers and banking environments in the years to come.

The value of education in fighting telephone bank fraud

Posted on: December 5th, 2012 by art

It used to be that talking to your bank over the telephone was reassuring. Hearing a knowledgeable, friendly voice was enough to feel as though your transaction was quickly being handled by a trustworthy bank representative. Today, that friendly sounding individual may not be the person you think it is. In fact, it may be the last person a consumer would want to share their private personal information with.

In the recent article, “Survey Finds Consumers Eager to Work with Institutions,” a global study by ACI Worldwide found consumers’ confidence in fighting bank fraud is waning. With 56 percent of bank cardholders experiencing card fraud, Aite fraud analyst Shirley Inscoe said consumers are willing to work with their banks to protect their identities from payment fraud.

“The most interesting thing I saw come out of the survey is just how very interested consumers are in working with their institutions in the [fraud prevention] process. In many countries, they preferred mobile phone calls and SMS messages [about suspicious activity]. In some places, they even preferred e-mails.”

While getting callbacks or SMS messages from their bank seems safe, it’s not. Telephone calls that ask for personal or account data can pose a risk for consumers. For example, unsolicited calls from what appears to be their bank could be a criminal hiding behind a spoofed Caller ID to socially engineer individuals and get them to divulge financial information. On the flip side, even traditional security methods such as customer callbacks can put banking institutions at risk.

One such method involves the Zeus malware variant Ice IX, which collects a bank customer’s telephone number to find out who their phone carrier or service provider is. Once that’s discovered, instead of calling the bank’s call center armed with somebody’s banking credentials, criminals use call forwarding to automatically reroute the bank’s verification calls to the customer. Unbeknownst to bank agents, the “customer” picking up on the other end of the line is actually a crook.

This is where education can provide value. Without knowing such bank schemes exist, many consumers fall for criminals’ traps because they tend to trust more traditional lines of communication such as the telephone. After all, the Caller ID says it’s their bank and they’re talking to a friendly, knowledgeable person. While collaborating with banks to fight fraud is a good idea, this is exactly why consumers, as well as call center bank representatives, need to be aware of all types of emerging bank telephone scams, including Caller ID spoofing and social engineering.

Courts ruling against banks not compliant with FFIEC regulations

Posted on: November 14th, 2012 by art

A number of recent court cases have ruled against banks for failing to prevent fraudulent bank transfers. While you would think this type of liability would help motivate financial institutions to implement a multi-layered security system that meets the Federal Financial Institutions Examination Council’s (FFIEC) regulations, banks still operate without complying with the new multi-factor authentication recommendations.

In the article, “Coping with the Threat of Fraudulent Funds Transfers,” three banks that have fallen victim to fraud may have to pay upwards of $460,000 in damages. That’s a steep price for not implementing adequate security measures to stop the vast scope of criminal schemes, such as stolen credentials, account takeovers and social engineering, that target the financial services industry.

If today’s dangerous cyber attacks or costly court rulings aren’t enough to get banking institutions to comply with the FFIEC guidelines, I don’t know what will.

From an authentication perspective, any financial institution operating today should be in the process of either implementing or evaluating its current security strategy, because that’s what it takes to protect multiple banking channels against the growing list of fraud attacks. Making sure your bank has the strongest fraud detection solutions in place is essential to building the multi-layered defense that’s needed in today’s quickly changing banking environment.

This means employing at least two of the three types of authentication procedures recommended by the FFIEC for identifying banking customers across multiple banking channels, including online banking and the telephone channel. The three factors include: 1) something the user knows [e.g., password, PIN], 2) something the user has [e.g., ATM card, telephone], and 3) something the user is [e.g., biometric, fingerprint].

For financial institutions that perform high-risk transactions, this is a must. According to a legal memorandum recently published on the NC Bankers Association website, customer authentication that employs a single-factor authentication such as the widely used challenge questions (otherwise known as the knowledge-based authentication (KBA) method), or even two factors of authentication that fall under the same category as defined by the FFIEC, can be defeated by today’s advanced fraud tactics, leaving customer accounts and confidential banking information susceptible to fraud.

Challenge questions are not always effective. When frequently repeated, they are more likely to be exposed to fraudsters. FFIEC guidance notes that a search engine is all it takes to discover the answers to many challenge questions, such as a mother’s maiden name or year of graduation. Due to the amount of information available on the Internet, the FFIEC no longer views these basic challenge questions as an effective risk mitigation technique.

The ability to prevent various types of fraud attacks across all banking channels requires financial institutions to deploy multiple fraud-fighting solutions that help achieve the FFIEC’s three critical authentication factors. The TRUSTID® Physical Caller Authentication tool is a complementary customer authentication solution that fulfills the important “something the user has” category. Using undetectable network-based caller authentication to validate the Caller ID and ANI, TRUSTID helps financial institutions secure the telephone channel from fraudulent bank transfers.
