Posts Tagged ‘social engineering’

Authenticating caller party numbers shouldn’t be a masquerade ball

Posted on: May 15th, 2013 by art 2 Comments

The challenge of spotting criminals over the telephone channel often plays out like a game of cat and mouse. Crooks use false information to mask their true identities. After spoofing their caller ID to make it look like someone else is calling, they try to convince call center agents they are genuine banking customers.

Armed with enough personally identifiable information (PII) to apply for credit, activate bank cards, transfer funds and defeat PII-based authentication solutions, many criminals continue to successfully socially engineer bank representatives by correctly answering the security questions required by more traditional knowledge-based authentication (KBA) tools.

From an authentication standpoint, the call center environment has turned into something of a masquerade ball of disguises, where it’s anybody’s guess as to who is who. The financial services industry can no longer operate in a guessing-game environment. Fielding more than 50 billion calls a year, call centers need the appropriate tools in place to quickly and accurately authenticate all inbound calls.

As criminals do everything they can to slip past PII-based authentication solutions, it’s more important than ever for financial institutions to deploy effective security measures that identify customers in real time.

Using a patent-pending telephone firewall that includes telephony databases, real-time network forensics and specialized analytics, the TRUSTID® Physical Caller Authentication tool authenticates the calling party number before the call center agent picks up. This allows banking institutions to prevent spoofed calls from being routed to bank representatives, and in doing so, call center agents don’t waste their time interrogating known high-risk calls. Instead, they spend more time servicing good customers and improving the overall customer experience.

With the volume of customer calls increasing every year, operational efficiency is becoming a key component in the authentication process. By invisibly identifying risky calls and not interrupting the customer service process with unnecessary telephone interrogations, TRUSTID helps banks unmask criminals before they’re allowed into the party.


Alternative authentication methods needed in today’s call center environment

Posted on: April 17th, 2013 by art 7 Comments

The need for alternative methods to identify customers over the telephone has been a long time coming. In my opinion, every day that a bank waits to add new authentication solutions into the mix is another day criminals can take advantage of defeatable security tools.

You see, crooks want financial institutions to continue to use things like security questions to identify customers. That’s because they’ve pretty much mastered the art of beating knowledge-based authentication solutions. When banks rely on personal information that, ideally, only the customer should know, they put themselves at a disadvantage, because today’s digital world exposes more personally identifiable information (PII) than ever before.

Combing the Internet, today’s thieves are able to collect enough information on an individual to correctly answer challenge questions and socially engineer bank call center agents into divulging sensitive financial data; enough data, in fact, to access other people’s bank accounts.

Even the FFIEC (Federal Financial Institutions Examination Council) recognizes that more information is needed to identify bank customers today. While the FFIEC authentication standards include “something you know” (password, PII) methods, they strongly recommend combining that with at least a second layer of authentication to improve the level of verification for identifying customers over the phone. That second layer would come in the form of either “something you have” (telephone, ID card, security token) or “something you are” (fingerprint, DNA, retinal pattern), each of which takes a separate approach to verifying customers.

What differentiates the TRUSTID® Physical Caller Authentication tool from other solutions is it goes straight to the heart of the crime — the telephone — to proactively validate the Caller ID and ANI as the phone rings. By identifying the physical location of the phone making the call, TRUSTID gives banks real-time intelligence on inbound calls before they are answered. This works as the first layer for authenticating customers.

If TRUSTID’s real-time telephone network forensics authenticates the call as genuine, it routes the call to a call center agent without interrupting the customer experience. If it determines the call is spoofed, the bank can route the call based on the risk it poses to the system. By better understanding the risk of each call, TRUSTID provides a critical extra layer of authentication that’s sorely needed in today’s call center environment, as well as to help fulfill the latest federal security requirements.

Call centers warned about Telephony Denial-of-Service (TDoS) attacks

Posted on: April 10th, 2013 by art No Comments

Imagine a call center without the ability to take inbound calls or make outbound calls. That’s the impact that the growing number of Telephony Denial of Service (TDoS) attacks can have on targeted call centers. A cousin of online DoS attacks, TDoS is designed to incapacitate call centers after the initial calls placing fraudulent transactions have been made.

According to the article, “Telephony Denial-of-Service Attacks Prompt Federal Attention,” the Department of Homeland Security and FBI recently issued a “situational awareness bulletin” after a number of TDoS attacks targeted public safety and emergency services call centers. The alert warned that criminals were phoning the call centers impersonating collection agencies to collect an outstanding payday loan debt of $5,000. If the targeted employees didn’t agree to pay, the caller would launch an attack that flooded the call center with enough traffic to disable incoming and outgoing calls for a period of time.

While the recent attacks have targeted public safety telephone lines, the complaints don’t stop there. Many believe criminals are expanding the types of industries they are targeting. In the memo, the DHS said attackers are “targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”

Using network-based forensics to verify in real time the exact location of the telephonic device calling bank call centers, we at TRUSTID have seen similar TDoS attempts. Because spoofing Caller ID and ANI is a key component of TDoS attacks, curbing these attacks requires the ability to understand whether inbound calls pose a risk before the phone is picked up.

To do so, financial institutions need a better way to authenticate their customers over the telephone channel and to protect their call center agents from answering spoofed calls in the first place. The TRUSTID® Physical Caller Authentication solution validates whether each inbound call can be trusted or is high risk. By knowing whether a call is trustworthy before it is answered, banks can mitigate their risk of TDoS attacks and other social engineering scams without investing precious time and resources on known fraudulent calls.

All banking channels need to be prepared for customer impersonators

Posted on: March 19th, 2013 by art 1 Comment

I’ve often spoken about the many dangers of depending on personally identifiable information (PII) for customer authentication. As we recently learned from the high-profile celebrity credit report hack, relying on accessible personal information such as date of birth, mother’s maiden name and Social Security number can put a company’s customers and corporate data at serious risk.

In the article, “FBI Investigating Hackers Who Posted ‘Secret Files’ Of Celebrities, Politicians,” the consumer credit reporting agency, Equifax, released a statement last week confirming that the sensitive financial data that hackers posted on celebrities and political figures was the result of a security breach to the credit reporting agency’s annualcreditreport.com channel, not a break-in to their computer system.

Using PII that could have been accessed through any number of online social networks or public information websites, the perpetrators had enough personal identifying details to correctly answer the challenge questions required to access their intended victims’ private financial files, said Equifax spokesperson, Timothy Klein.

“Our initial investigation shows the perpetrators had the PII of the individuals whose files were accessed and were therefore able to pass the required authentication measures in place. We have launched a full investigation into this matter and we are also working closely with law enforcement authorities on this matter.”

In recent years, cybercriminals impersonating genuine customers or conducting similar social engineering schemes across other sales channels have been responsible for the illegal exposure of tens of thousands of credit reports. These compromises can all lead to identity fraud, account hijacking and other identity-related crimes.

Because customer-impersonating scams are conducted remotely, they can easily be performed over the telephone channel, as well. Social engineering against call center agents is a threat that all financial institutions should not only be concerned with, but adequately prepared for. If we are to learn from incidents like what occurred last week, it’s that relying on knowledge-based authentication (KBA) is not an effective defense against such criminal tactics.

Bank contact centers, which handle billions of calls each year, need an authentication method that goes beyond telephone interrogations such as defeatable security questions. What they need is a security tool that allows them to proactively identify callers before the phone is picked up.

A security tool like the TRUSTID® Physical Caller Authentication solution identifies high-risk calls before the phone conversation begins. Through TRUSTID’s real-time telephone network forensics, banks are able to invisibly identify the physical location of the landline or mobile phone while it is still ringing.

This automated process uses the Caller ID and ANI as trusted sources for validating customers over the telephone. By restoring the usability of calling party numbers to authenticate customers over the phone channel, financial institutions can identify high-risk calls faster, as well as instantly confirm legitimate calls so bank representatives can begin serving customers at the start of each call, without relying on non-predictive and risky PII methods.

Using automated caller authentication to transform the customer experience

Posted on: March 13th, 2013 by art 60 Comments

There’s always been this notion that once a process or system is automated, the people who once performed that task will soon be out of a job. While some tools have certainly earned that reputation, when it comes to automating customer authentication over the telephone, it’s not about replacing people. Rather, it’s about proactively detecting spoofing risks, reducing call center expenses, and transforming authentication into a positive customer experience.

When caller authentication is not automated, contact center agents must perform a number of steps to verify that the caller is who they say they are. As we know, security questions are a drawn-out identity-interrogation process that requires banking customers to answer a series of personal questions, and that process can be beaten by clever social engineers.

Ultimately, this process drives up average call handling (ACH) times, increases operating costs, and can damage the important bank-customer relationship. And because personally identifiable information (PII) is not predictive of identity, knowledge-based authentication (KBA) methods, when used alone, can actually create a false sense of trust that puts company data and customers at risk.

A security tool like the TRUSTID® Physical Caller Authentication solution, however, automatically authenticates the caller using a combination of three core components, including:


  • Telephony databases (e.g., local number portability, numbering plans, carrier / line attributes, billing data, routing tables, HLR data, LERG tables, geospatial data, carrier and switch data)
  • Real-time telephone network forensics (e.g., call progress, call messages, network tones, SS7 and SIP signaling, DSP audio energy and voice analysis tools)
  • Specialized analytics (real-time delivery of proprietary credential scores that enable enterprise risk decisioning, customer-specific reason codes, caller data and reports for custom risk model and scoring)
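As an added illustration of how the three components listed above can feed a single pre-answer routing decision, the following example scores a constructed inbound call record and returns a score, reason codes and a route. This is example code written for this page, not TRUSTID’s product or its scoring model, which the post does not describe; the call attributes, the weights and the thresholds are all assumptions chosen to make the decision flow visible.

```python
"""
Hypothetical pre-answer call risk decisioning (example code, not TRUSTID's).

Inputs mimic the three component classes named in the post:
  - telephony-database attributes (is the number in service, line type,
    carrier of record from an LNP/LERG-style lookup)
  - network-forensics attributes (which carrier actually delivered the
    call per the signaling path, how many network hops were observed)
  - analytics: a score, machine-readable reason codes and a routing decision
All attribute names, weights and thresholds are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

AGENT_THRESHOLD = 80      # assumed: route straight to an agent at or above this
STEP_UP_THRESHOLD = 50    # assumed: below AGENT, above this -> extra verification


def normalize_number(raw: str) -> str:
    """Reduce a presented number to its last 10 digits (NANP), dropping
    '+1', spaces and punctuation so Caller ID and ANI compare like-for-like."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:]


@dataclass
class InboundCall:
    caller_id: str                    # presented calling party number
    ani: str                          # billing number from signaling
    number_in_service: bool           # telephony-database lookup (constructed)
    line_type: str                    # "landline", "mobile", "voip", "unknown"
    carrier_of_record: str            # carrier owning the number per lookup
    signaling_carrier: Optional[str]  # carrier seen on the delivery path
    expected_hops: int                # typical hop count from that carrier
    observed_hops: int                # hop count observed for this call


@dataclass
class Decision:
    score: int
    reason_codes: List[str]
    route: str


def assess_call(call: InboundCall) -> Decision:
    """Start from a perfect score and subtract for each inconsistency between
    what the number claims to be and what the network says about the call."""
    score = 100
    reasons: List[str] = []

    if not call.number_in_service:
        score -= 60
        reasons.append("NUMBER_NOT_IN_SERVICE")

    if normalize_number(call.caller_id) != normalize_number(call.ani):
        score -= 30
        reasons.append("CALLER_ID_ANI_MISMATCH")

    if call.signaling_carrier is None:
        score -= 20
        reasons.append("SIGNALING_CARRIER_UNKNOWN")
    elif call.signaling_carrier != call.carrier_of_record:
        # The number belongs to one carrier but arrived via another: the
        # claimed origin and the observed origin disagree.
        score -= 40
        reasons.append("CARRIER_PATH_MISMATCH")

    if call.observed_hops > call.expected_hops + 1:
        score -= 15
        reasons.append("ROUTE_LENGTH_ANOMALY")

    if call.line_type == "unknown":
        score -= 10
        reasons.append("LINE_TYPE_UNKNOWN")

    score = max(score, 0)
    if score >= AGENT_THRESHOLD:
        route = "agent"
    elif score >= STEP_UP_THRESHOLD:
        route = "step_up_verification"
    else:
        route = "high_risk_queue"
    return Decision(score, reasons, route)


# Constructed sample calls for illustration.
GENUINE_CALL = InboundCall("+1 503-555-0100", "5035550100", True, "mobile",
                           "CarrierA", "CarrierA", 2, 2)
# Same presented number, but billing number, delivery carrier and route length
# all disagree with what the telephony database says about that number.
SPOOFED_CALL = InboundCall("5035550100", "2125550199", True, "landline",
                           "CarrierA", "VoipGatewayX", 2, 5)
# Consistent numbers, but delivered by a carrier other than the one of record.
AMBIGUOUS_CALL = InboundCall("5035550100", "5035550100", True, "mobile",
                             "CarrierA", "CarrierB", 2, 3)

if __name__ == "__main__":
    for name, call in [("genuine", GENUINE_CALL), ("spoofed", SPOOFED_CALL),
                       ("ambiguous", AMBIGUOUS_CALL)]:
        print(name, assess_call(call))
```

The reason codes are what an agent desktop or IVR would consume alongside the route: the genuine call goes straight to an agent with no codes, the ambiguous call is sent for step-up verification, and the spoofed call is diverted to a high-risk queue without ever reaching a representative.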

Automatically validating the caller before the phone is answered doesn’t eliminate jobs; it provides stronger customer authentication while streamlining customer service.

What I mean by this is instead of using up valuable time and resources questioning customers over the telephone, call center agents are now free to immediately begin servicing and selling good customers at the initial “golden minute” of the telephone call.

By undetectably authenticating customers through their calling party numbers, TRUSTID helps financial institutions lower customer authentication expenses, reduce the cost of fraud as a result of telephone-based social engineering, and gets call center agents selling and serving customers, not identity-interrogating, which in the end can transform the overall customer experience.

How pre-answered caller authentication helps prevent telephone bank fraud

Posted on: February 20th, 2013 by art

Prevention vs. clean up. It’s a security question all financial institutions should ask themselves.

When it comes to providing a trusted customer environment, banks are typically better at resolving problems stemming from non-predictive authentication and fraud than preventing them. That’s because they continue to allow criminals to get their foot in the door.

What I mean by this is when banking customers place a call into a contact center, the very act of answering the telephone sets the stage for criminals to start their elaborate social engineering schemes. And once the dialog starts, anything goes.

Javelin’s director of security, Phil Blank, has long said when it comes to safeguarding customer environments, the biggest challenge is prevention. Done right, however, it can also have the biggest payback for both the bank and customer.

The typical scenario for customer calls looks something like this. A call center agent picks up the phone, then asks the caller for their customer ID and Social Security number. Depending on the level of information the customer is requesting, the bank representative may ask a number of challenge questions. At this point, they’ve already taken up a minute or more of the customer’s valuable time using knowledge-based authentication (KBA) methods that, quite frankly, can no longer assure that the person on the other end of the line is who they say they are.

In today’s many banking channels, criminals armed with the right personal and financial details they’ve collected over the Internet can convincingly impersonate an actual banking customer. In the telephone channel, for example, the very moment they’re able to talk with a call center agent, they have the upper hand.

Whether the caller is a valid banking customer or an impersonator, telephone interrogations impact banks and their customers in several ways, including:


  • Employee costs: Every second a bank has to validate and serve their customers counts. If a bank’s contact center agents still rely on KBA for customer identification, they’re likely overspending in many areas for identity authentication, including employee training, security systems and other internal processes.
  • Bank-customer relationship: Burdening customers with lengthy interrogations tests the goodwill of customers and impacts the overall customer experience. This can put a heavy toll on the profitable bank-customer relationship that’s important to any bank’s overall success.
  • Non-predictive authentication: Because personally identifiable information (PII) is used to socially engineer banks, it is not predictive for positively identifying customers calling into a contact center. Therefore, financial institutions should not rely solely on PII for identity authentication.

The TRUSTID® Physical Caller Authentication solution helps banking institutions solve these problems by validating all customer calls before they are answered. Using real-time telephone network forensics to proactively validate the physical location of the landline or mobile device calling the contact center, banks can determine the risk of each inbound call before it is picked up. This insight allows banks to eliminate the time spent authenticating bad calls and serve good customers faster and more seamlessly. As a result, preventing high-risk callers from reaching bank representatives builds a safer banking environment and strengthens the bank-customer relationship, without the time, resources and costs associated with cleaning up fraud after it has already happened.

Can banks prevent social engineers from lying?

Posted on: February 13th, 2013 by art

In a world where security technologies work around the clock to stop cyber threats, sometimes the most deceptive and under-appreciated bank crimes can stem from the ancient act of lying.

The opening minutes of the new film, “Identity Thief,” shows just how easy it can be to con someone into providing their private personal and financial details over the telephone. While it might seem unlikely that it could happen to you or your company, the scene illustrates how anyone answering the telephone, even a top accountant for a financial services firm, can be at risk.

We’ve spoken volumes about the various types of lies that criminals rely on to defraud banks. With most financial institutions fully invested in sophisticated hardware to detect and stop fraud over the Internet, the challenge of recognizing when someone is lying over the telephone remains a risk that is hard to deal with.

In the article, “Social engineering: Clear and present danger,” skilled liars are taking advantage of information shared over online social networking websites to socially engineer their way into the corporate world. One of the ways banking institutions have tried to combat social engineering is to strengthen security policies that make their employees and customers more aware of the dangers they potentially face, said Jason Hong, CTO at Wombat Security.

“The underlying strategy and rationale for social engineering attacks is to circumvent all of the security measures in place by tricking people. For this reason, it’s critical for organizations to train people to be aware of the tactics that bad guys use, so that they can identify them and know how to react in given situations.”

The problem is that the tool individuals rely on to identify a liar over the phone is knowledge-based authentication (KBA), which is essentially a set of challenge questions. The shortcoming of using personally identifiable information (PII) to detect criminals is that they can bypass it quite easily.

But what if you didn’t have to rely on intuition or defeatable security questions to detect when somebody is lying? What if you could spot a social engineer before he starts to lie?

Without relying on KBA or requiring your call center agents to determine whether someone is who they say they are, the TRUSTID® Physical Caller Authentication solution uses network-based forensic technology to automatically validate the caller’s phone location before bank employees pick up. By invisibly identifying whether a banking customer is real or not, financial institutions can eliminate the phone conversation a criminal depends on to socially engineer a bank.

Real-time telephone authentication needed to identify risky in-bound calls

Posted on: December 12th, 2012 by art

Card-not-present (CNP) fraud and account takeover typically refer to online crimes, but an increasing number of criminals are targeting call centers to perpetrate crimes that are normally associated with the Internet.

With financial institutions pouring so much effort and investment in online security strategies, banks really need to consider the same when protecting their call centers. Without effective authentication tools that can verify telephone locations, bank contact centers remain vulnerable to various types of fraud over the phone channel.

The way criminals scam bank phone representatives typically comes in the form of social engineering. For example, after placing a call to a bank’s contact center, the criminal impersonates a real customer in the attempt to trick a bank agent into revealing various pieces of financial information. Once they’ve acquired the person’s financial details, they call right back and talk to another representative to change the username and password on the account. When the information has been changed, they’ve hijacked the account. At this point, the legitimate account holder is unable to access their own account.

When this happens, quite often the victim does not have the immediate knowledge that their account has been taken over. As a result, the criminal has enough time to conduct a myriad of crimes including fraudulent purchases and transfers that can clean out an entire account before any wrongdoing is discovered.

In an age of highly sophisticated criminal tactics, sometimes it can be the simplest methods that catch banks off guard. This is why it is so important for financial institutions to make sure all customer channels have effective authentication solutions in place to mitigate their risk of fraudulent transactions.

Today’s banks need to arm their call centers with authentication solutions that provide true multi-factor protection against risky inbound calls. While many banking institutions still depend on knowledge-based authentication (KBA) security questions to identify customers over the telephone, these methods can be defeated by sophisticated criminal tactics.

A complementary fraud prevention tool like the TrustID® network-based Physical Caller Authentication can provide an extra layer of protection by proactively identifying risky calls before they are answered. By automatically validating the actual physical location of the landline or mobile phone calling into a contact center, financial institutions can identify in real time when a Caller ID or ANI has been spoofed, better protect their phone channel, and make sure their customer information and confidential data do not get into the wrong hands.

The value of education in fighting telephone bank fraud

Posted on: December 5th, 2012 by art

It used to be that talking to your bank over the telephone was reassuring. Hearing a knowledgeable, friendly voice was enough to feel as though your transaction was quickly being handled by a trustworthy bank representative. Today, that friendly sounding individual may not be the person you think it is. In fact, it may be the last person a consumer would want to share their private personal information with.

In the recent article, “Survey Finds Consumers Eager to Work with Institutions,” a global study by ACI Worldwide found consumers’ confidence in fighting bank fraud is waning. With 56 percent of bank cardholders experiencing card fraud, Aite fraud analyst Shirley Inscoe said consumers are willing to work with their banks to protect their identities from payment fraud.

“The most interesting thing I saw come out of the survey is just how very interested consumers are in working with their institutions in the [fraud prevention] process. In many countries, they preferred mobile phone calls and SMS messages [about suspicious activity]. In some places, they even preferred e-mails.”

While getting callbacks or SMS messages from their bank seems safe, it’s not. Telephone calls that ask for personal or account data can pose a risk for consumers. For example, unsolicited calls from what appears to be their bank could be a criminal hiding behind a spoofed Caller ID to socially engineer individuals and get them to divulge financial information. On the flip side, even traditional security methods such as customer callbacks can put banking institutions at risk.

One such method is the Zeus malware variant, Ice IX, which collects a bank customer’s telephone number to find out who their phone carrier or service provider is. Once that’s discovered, instead of calling call centers armed with somebody’s banking credentials, criminals use call-forwarding to automatically reroute the bank’s verification calls to the customer. Unbeknownst to bank agents, the “customer” picking up the other line is actually a crook.

This is where education can provide value. Without knowing such bank schemes exist, many consumers fall for criminals’ traps because they tend to trust more traditional lines of communication such as the telephone. After all, the Caller ID says it’s their bank and they’re talking to a friendly, knowledgeable person. While collaborating with banks to fight fraud is a good idea, this is exactly why consumers, as well as call center bank representatives, need to be aware of all types of emerging bank telephone scams, including Caller ID spoofing and social engineering.

Growth of mobile banking reinforces need for multi-factor authentication across all customer channels

Posted on: November 21st, 2012 by art

When it comes to banking, we know customers are looking for ease and convenience. To satisfy those demands, financial institutions are doing whatever they can to provide highly efficient and secure banking environments that allow customers to bank over a number of channels. At this point, it’s safe to say the banks that don’t already offer banking services across multiple channels have missed the boat, and will probably be playing catch up for some time.

According to the report, “The Dangers of Mobile Banking,” convenience appears to be the driving factor behind the rapid growth of mobile banking. The 2011 Customer Trends Survey released some interesting findings, including 70% of customers use their mobile devices for 24×7 banking access while 65% said it saves them time. In other words, customers want to make payments fast and on their terms, whenever they want.

While speed and convenience tops the priority list for many customers, this has created another significant challenge for banks offering new channels — security. With research firm Frost & Sullivan expecting the number of people using mobile banking services to increase from 12 million in 2009 to 45 million by 2014, it really doesn’t matter how many channels banks offer; the simple fact is financial institutions operating without a secured environment won’t be able to retain current customers or win over new ones, no matter how fast and convenient the service is.

Last year’s FFIEC supplemental guidance outlined the blueprint for the level of security that financial institutions need to combat fraud and succeed in today’s competitive banking environment. At the heart of those requirements is customer authentication. This doesn’t mean a single type of authentication solution across all channels, but multiple security tools that give all channels true multi-layered authentication, whether the customer is paying online or requesting a bank transfer over the telephone.

The TrustID® network-based Physical Caller Authentication validates the actual physical location of the landline or mobile phone calling into a bank’s call center to identify the “something you have” device, an essential component of the FFIEC’s multi-factor authentication paradigm. By invisibly validating the Caller ID and ANI before the telephone is picked up, banks can accept business from good customers faster, saving them valuable time on their banking activity. At the same time, financial institutions can secure their telephone channel by spotting spoofed calls in real time to proactively stop criminals from getting through to socially engineer contact center agents.

    Authentication without caller involvement materially improves the customer experience, especially for ‘premier accounts.’ TrustID will greatly assist with not only customer service, but also with board level compliance issues.

    – CISO, top 10 global bank
    As less customer PII is made available to our contact center advocates for identity validation, our enterprise risk of a costly data breach is dramatically decreased.

    – CSO, global financial company

    Offshore agents are highly vulnerable to fraud schemes and social engineering. TrustID’s solution enables informed routing decisions, optimizing agent cost reduction programs.

    – CISO, top 10 global bank
    Since it is now commonly sold by criminals, personal information for identity authentication is no longer the single solution to identity resolution. The value of knowing reliably that a customer is calling from their phone is far better security than knowing the last four digits of someone’s SSN.

    - VP of Card Fraud, large international bank