8 Charged in ID Theft Fraud Scheme
Exposed AT&T Customer Info Highlights Call Center Security Gaps
Eight defendants in Florida have been charged for their alleged role in an identity theft fraud scheme involving the theft of personal information from a call center for use in unauthorized wire transfers and to obtain credit and debit cards.
The scheme involves exfiltrating data from a call center that handles direct sales and customer inquiries for AT&T and then using it for fraudulent purposes.
All of the defendants were charged with one count of conspiracy, and several were charged individually with access device fraud and aggravated identity theft, according to the U.S. Attorney's Office for the Southern District of Florida. The defendants face decades in prison if convicted. Two of the defendants remain at large.
The case highlights once again the security issues involved at call centers and the gaps in authentication measures used by financial institutions.
Payments fraud expert Tom Wills says insider fraud at call centers is an increasingly common problem. "I have worked with numerous call centers, and every one of them had internal fraud activity to deal with," says Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "Out of 100 employees, you could usually count on one, two or more being 'bad eggs.'"
Al Pascual, a lead fraud analyst at consultancy Javelin Strategy & Research, says the case illustrates one of the biggest problems with how financial institutions authenticate customers through the use of identifiers.
"Among those banks examined by Javelin, 80 percent still authenticate customers using Social Security numbers," Pascual says. "For all of the improvements that have been made to securing online accounts, it is mind boggling that a criminal can rely on a static nine-digit number to effectively take over an account."
Pascual says that, historically, nearly half of all account takeover victims had their Social Security number compromised. "There are practical alternatives available for authenticating customers through the call center, which is where the SSN-authentication practice is most prevalent," he says.
Fraud analyst Shirley Inscoe of Aite Group says this prosecution is encouraging. "These criminals operate with impunity, thinking they will not get caught," she says. "Sending a message that prosecutions will take place, even if the losses are relatively low, is crucial in fighting account takeover fraud."
The indictment alleges that Chouman Emily Syrilien, of Lauderdale Lakes, Fla., was employed by Interactive Response Technologies, Inc., located in Margate, Fla., a company that provides staffing for call centers to handle direct sales and customer inquiries for AT&T. Employees of IRT have access to personal information for customers of AT&T, including names, addresses, e-mail addresses, telephone numbers, Social Security numbers, dates of birth, credit and debit card numbers, credit card verification numbers, personal identity numbers and passwords, according to a copy of the indictment obtained by Information Security Media Group.
Syrilien, along with another defendant, allegedly provided co-conspirators with the personal identifying information from multiple AT&T customer files.
Three other defendants - Carlos Antonio Alexander of Orlando, Fla., Shantegra La'Shae Godfrey of Deerfield Beach, Fla., and Monique Smith of Pompano Beach, Fla. - in exchange for money, goods or other items of value, or the promise of money, allegedly allowed for their names to be added as "authorized users" on the credit or debit card accounts or bank accounts of the victims who had their personal information stolen, authorities say.
Once a co-conspirator's name was added as an authorized user, the bank or credit card company was directed to mail additional debit or credit cards bearing the names of these newly-added users to their addresses or addresses under their control, without the true account holder's knowledge or consent, authorities allege.
The defendants used these credit and debit cards to make purchases or obtain money. Alexander, Smith and Godfrey each made retail purchases as well as cash advances in excess of $24,000, $12,000 and $8,200, respectively, authorities say.
If convicted, the defendants face a maximum penalty of 30 years in prison for the conspiracy charge; a maximum of 10 years in prison for the access device fraud charge; and a mandatory term of two years in prison for each aggravated identity theft charge, at least one of which must be served consecutive to any other term in prison.
Mitigating the Risks
For organizations employing call centers, Javelin's Pascual recommends dynamic knowledge-based authentication, voice biometrics and phone printing as three "far superior" alternatives for authenticating customers. "Until this status quo changes, I expect this type of information to be targeted and misused unabatedly," he says.
Payments fraud expert John Buzzard, who oversees FICO's Card Alert Service, recommends that companies that deal with PII consider limiting personal devices, like employee cellphones, from being used at individual workstations.
"Corporate e-mail should have an enterprise fraud solution component that detects PII from being passed outside of the organization," Buzzard says. "And something as simple as a paperless environment can eliminate small amounts of PII from being jotted down and used later for fraudulent purposes."
Buzzard says organizations should also have an audit trail established so frequent or unusual access to information from an employer can be quickly questioned and investigated.
Inscoe of Aite Group says organizations should install data leakage monitoring software to ensure insiders are not misusing sensitive customer information, including personal and financial data.
Wills says criminal background checks should be run on candidates for call center work, regardless of whether their positions are permanent or temporary, internally hired or outsourced. "This is especially important if they will be exposed to sensitive customer data in the course of their work, as was the case at AT&T," he says.
Further, Wills recommends organizations keep to a minimum the call center staff's exposure to sensitive customer data, employing the principle of least privilege. "In other words, each user of the call center system should be able to access only the applications, application functions, file directories and data needed to perform the work," he says.
"In context of this particular case, adding an authorized user to an account is definitely a high-risk activity and should come under all of the security controls that I've mentioned," Wills says.
Access to applications, functions, file directories, data and physical spaces where sensitive data resides should be monitored using a combination of video surveillance, system logging, regular audits and fraud detection software, Wills adds. "[And] payment transactions conducted on accounts where sensitive customer information has recently been charged, and on brand new accounts, should be monitored closely," he says.
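The audit-trail review that Buzzard and Wills describe can be sketched as two checks over a call center's access log: agents who open far more customer records than their peers, and payments on accounts where an authorized user was recently added. This is an added example, not code from the article or from any organization named in it; the log format, actor and account names, the 3x-median threshold and the 30-day window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def _views(agent, n):
    # n distinct customer records opened by one agent on the same day
    return [(f"2024-03-04T10:{i:02d}", agent, "view", f"{agent}-cust-{i}") for i in range(n)]

# Constructed audit trail: (timestamp, actor, action, account)
AUDIT = (_views("agent_a", 2) + _views("agent_b", 3) + _views("agent_c", 2)
         + _views("agent_d", 9) + [
    ("2024-01-02T11:00", "agent_b", "add_authorized_user", "acct-700"),
    ("2024-03-05T14:20", "agent_d", "add_authorized_user", "acct-500"),
    ("2024-03-12T16:45", "card", "payment", "acct-500"),
    ("2024-03-12T17:10", "card", "payment", "acct-600"),
    ("2024-03-12T17:30", "card", "payment", "acct-700"),
])

HIGH_RISK = {"add_authorized_user"}  # assumption: extend with address/PIN changes

def heavy_readers(events, factor=3.0):
    """Agents whose distinct-record view count exceeds factor x the peer median."""
    seen = defaultdict(set)
    for _, actor, action, account in events:
        if action == "view":
            seen[actor].add(account)
    if not seen:
        return []
    baseline = median(len(s) for s in seen.values())
    return sorted(a for a, s in seen.items() if len(s) > factor * baseline)

def payments_after_change(events, window=timedelta(days=30)):
    """Payments on accounts with a high-risk change inside the preceding window."""
    changes = defaultdict(list)
    for ts, _, action, account in events:
        if action in HIGH_RISK:
            changes[account].append(datetime.fromisoformat(ts))
    hits = []
    for ts, _, action, account in events:
        when = datetime.fromisoformat(ts)
        if action == "payment" and any(
                timedelta(0) <= when - c <= window for c in changes[account]):
            hits.append((ts, account))
    return hits

if __name__ == "__main__":
    print(heavy_readers(AUDIT), payments_after_change(AUDIT))
```

Both outputs are leads for an investigator to question, as the article puts it, rather than proof of fraud; a peer-median baseline only works when the compared agents hold similar roles.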