Crooks targeting authentication weaknesses in automated phone systems

Posted on: September 18th, 2014 by Art Barger

In a way, the telephone channel is the forgotten link in bank fraud. Stuck between identity theft and identity fraud, the call center is the platform where criminals use stolen personal data to access customer accounts and ultimately, clean out their financial assets.

The recently disclosed Home Depot credit and debit card breach illustrates just how a data breach can lead to telephone fraud.

While no debit card PIN data was compromised in the attack, crooks did get their hands on valuable card information including cardholders’ names and the city, state and ZIP codes that the card data was stolen from. This information is enough for savvy criminals to piece together additional customer credentials that are sold on underground websites.

When thieves have acquired a person’s card info, Social Security number and date of birth, they’ve gathered enough sensitive customer data to defeat an automated call-in system, or Voice Response Unit (VRU) that uses knowledge-based authentication (KBA) methods to identify customers. Once a caller correctly enters the customers’ date of birth, the last four digits of their SSN, the 3-digit CVV/CV2 code and the card’s expiration date, they are allowed to reset their PIN. And that’s when accounts become vulnerable to fraud through ATM withdrawals.

According to Krebs on Security, several banks have had thousands of dollars stolen from customer accounts from PIN fraud on debit cards that were used at Home Depot. Our good friend, Gartner fraud analyst Avivah Litan, said this activity is similar to what banks experienced following last year’s Target breach.

“We saw this same activity in the wake of the breach at Target, where the thieves would call in and use the VRUs to check balances, remove blocks on cards, get the payment history and of course change PINs.”

While I’ve discussed the many drawbacks of using KBA methods for customer identification, many bank contact centers today still rely on sensitive customer data to verify inbound calls. As long as they do, we will likely continue to see an increase in telephone fraud that exploits authentication weaknesses in the automated phone system.

you may also enjoy