Social engineering is one of the most common forms of con artistry – manipulating another person during what seems like a normal interaction, like greeting someone at a reception desk or opening an email from what looks to be a trusted source. It has been an effective way for criminals to gather sensitive information, gain access to systems, and commit fraud. Of course, the phone is a great tool for a social engineer. It doesn’t take much for an unknown caller to gain an employee’s trust by discussing familiar people or topics, invoking empathy, or simply delivering a well–thought-out lie. Determining whether the person on the other end of the phone is actually who they say they are can be near impossible for the average user, and despite technologies like Caller ID, phone-based social engineering remains one of the most difficult criminal tactics to detect.
Social engineering is also a huge financial burden, with fraudsters frequently targeting financial institution call centers to cash in on bank accounts. Phone technology simply hasn’t been modified to adequately address the threat of social engineers.
In fact, the only consistent protection against these attacks is KBA. KBA (Knowledge-Based Authentication), is an authentication scheme in which the user is asked to answer at least one “secret” question – a process we’ve all been through many times. KBAs ask for information like your mother’s maiden name, your address in 1998, and other obscure facts. KBA Spoofing is an attack that relies primarily on the social engineering of the call center representative using a combination of guesswork and evasion. In many financial institutions this is the only thing that stands between your money and the criminals intent on stealing it.
Fraudsters spend a lot of time researching their victims and spending a few dollars to buy this information on the black market is just part of their research. Well-prepared fraudsters often spoof the account holder’s phone number to make it even harder to tell they’re not who they say they are. They call pretending to be the account holder, the phone number says it is the account holder and the caller knows all the required information to effect a transaction.
Our most recent report on the state of phone fraud found that one in every 2,500 phone calls to a financial institution call center is a fraud related attempt. Furthermore, our report also found an average of $42,546 in losses per financial account in the first half of 2013 and that for every phone call into a financial institution call center there is a $0.57 loss.
So what’s the solution? Fortunately, technologies have been developed in recent years that can help the financial services sector address this threat by upping the sophistication of their phone anti-fraud technology. Voice biometrics, which confirms the claimed identity of a speaker from his or her voice, and Phoneprinting technology, an advanced method of call analysis that evaluates multiple factors of every unique call in order to verify it’s legitimacy, are two of the best solutions. Failure to do so will only allow phone fraud to remain a constant financial drain on the major banks and financial institutions.
Vijay Balasubramaniyan, CEO and Founder.
Pindrop Security provides solutions to protect enterprise call centers and phone users. Pindrop’s solution combines authentication and anti-fraud detection technology to verify legitimate callers while detecting malicious callers. Pindrop’s unique Phoneprinting™ technology is the first of its kind to analyze and fingerprint individual phone calls, providing the caller’s true location and calling device and matching them to Pindrop’s fraud database.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.