While many banks and credit unions have invested in technology to thwart phishing attacks and online fraud, some have ignored the call center. As a result, fraudsters have redirected their aim.
To address the threat posed by these socially engineered attacks, security experts advise financial institutions to ramp up employee education as well as adopt critical practices, such as enhanced user authentication and out-of-band verification of transactions initiated via the call center.
In recent weeks, U.S. banks have reported upticks in call-center schemes that rely on social-engineering tricks. The attack: convince customer service representatives to share or change account details. The problem is not a new one. Late last year, Gartner fraud analyst Avivah Litan talked about phone-based scams that continually hit banks and credit unions.
"The misfortune here for the banks is that they can have the best fraud-detection systems out there that flag suspect transactions, but it all breaks down when they call the 'hacker' to verify the transaction as OK," Litan said, referencing the Ice IX Zeus variant, which earlier this year caught the attention of security experts because it targeted telephone numbers. [See Banking Malware Finds New Weakness.]
Litan also wrote a report that touched on call-center risks. Her report notes that while most U.S. banking institutions devote great deals of attention to online user authentication and verification for electronic funds transfers, they pay little, if any, attention to authentication and verification at the call center.
"The call centers typically validate customers by asking basic information - all easily stolen - such as account number, phone number, address, DOB [date of birth] and the last four digits of their Social Security number or tax ID," Litan says.
The Ebb and Flow of Fraud
Call centers at top-tier U.S. banks are proving to be sweet spots for fraudsters, says Julie McNelley, a fraud analyst with Aite.
"In October 2011, I published a piece about where financial institutions were feeling the most pain, and one of the responses to that was the call center."
Among the security specialists within North American banking institutions Aite surveyed, more than half identified themselves as leading fraud departments for the top 35 banks in the United States. "The call center was a concern among larger institutions," McNelley says.
Matt Speare, who oversees security for M&T Bancorp., which, with $80 billion in assets, is the United States' 17th largest bank holding company, says smaller institutions have the advantage of more direct customer relationships on their sides when it comes to avoiding call-center scams.
"The larger you get, the more extraction you have between the customer and the call center," Speare says. "In a smaller institution, the people who answer the phone are more likely to know the customer, so they won't be so easily fooled."
Institutions also are more likely to fall victim to social engineering schemes that target branch and call center staff as they undergo conversions linked to acquisitions. "Any time there is a change event, like an acquisition, there is opportunity for a fraudster to exploit a weakness," Speare says.
For M&T, the change event that gave fraudsters their opening came in May 2011, when M&T acquired Wilmington Trust Corp. "We did not see anything significant, but we did see an uptick," Speare says. "You have acquired customers being migrated over, usually over a weekend, and the bad guys know that's going to occur. So they will attempt to hit you on the day that conversion is going on."
Fraudsters call in to have an account opened or some credential changed, knowing call-center staff won't be able to fully verify all the details until a few days after the conversion is complete. "The employee is trying to be helpful, so they sometimes end up giving out information they shouldn't or they set up accounts or make changes based on information provided by those who are not the actual accountholders," Speare says.
But even banks that are not in a transition phase tell Speare they are seeing increases in call-center schemes. "I think it's more about desperation than anything," he says.
McNelley says higher investments in sophisticated online fraud detection systems account for some of the variance between large and small banking institutions. Where top-tier banks have upped measures to detect and prevent online fraud, they've pushed fraud to other, more vulnerable channels. At smaller institutions, where online fraud is still profitable, a migration to the call center has not been necessary.
The call center, however, is not a new target. "It ebbs and flows," McNelley says. "Financial institutions are definitely seeing a migration, and we've seen it before."
A decade ago, the call center was a hot target for fraud. But once banks and credit unions put new controls in place, fraud shifted to the online channel. "Now that institutions have bolstered controls there, fraudsters are going back to the call center," she says.
Some of the most important steps to take to mitigate call center risks, experts say, are:
- Employee Education. Institutions that are going through conversions linked to mergers and acquisitions have to be vigilant to hammer home social engineering threats. Staff members in new or acquired departments, especially those that touch on customer and member verification and authentication, have to be informed of policies and procedures. "You have to be able to train your call center employees effectively about the types of questions they can and cannot answer," McNelley says.
- Authentication. Call center and branch staff must consistently apply the institution's challenge-and-response procedure rather than improvising, and must not treat the basic identifiers Litan describes (account number, address, date of birth, last four of the SSN) as proof of identity on their own, since all of them are routinely stolen.
- Out-of-Band Verification. Certain types of transactions, especially changes to contact details, credentials and payees, should be restricted or held until an authorized callback to the phone number already on file confirms the transaction or account change. The callback must never go to a number the caller supplied during the same call.
- Voice Biometrics. Though the technology, which matches a caller's voice against an enrolled voiceprint, is not perfect, it can provide an additional layer of user authentication.
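The authentication and out-of-band verification controls above can be expressed as a small policy gate. The following is an added example written for this page, not code from any bank or vendor named in the article: knowledge-based answers earn only low-risk service, every account-takeover-shaped request is parked as a pending change, and the callback target is captured from the profile at request time so that a "change my phone number" request cannot redirect its own verification call. The request catalogue, field names and the one-time-code flow are assumptions of the example.

```python
"""Call-center change-request gate (illustrative example, not a bank's code).

Knowledge-based authentication (KBA) answers such as account number, date of
birth and SSN last four are treated as a weak, necessary signal only.  Any
request that could be used for account takeover is held as a pending change
and released only after an out-of-band callback to the phone number that was
on file BEFORE the request, confirmed with a one-time code.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
import secrets
import time


class Risk(Enum):
    LOW = auto()
    HIGH = auto()


# Assumed request catalogue.  Anything that changes how the bank contacts or
# pays the customer is HIGH risk: it is exactly what an account takeover needs.
REQUEST_RISK = {
    "balance_inquiry": Risk.LOW,
    "statement_copy": Risk.LOW,
    "change_phone": Risk.HIGH,
    "change_address": Risk.HIGH,
    "change_email": Risk.HIGH,
    "reset_online_password": Risk.HIGH,
    "add_payee": Risk.HIGH,
    "wire_transfer": Risk.HIGH,
}


@dataclass
class Customer:
    account_number: str
    dob: str
    ssn_last4: str
    phone_on_file: str


@dataclass
class PendingChange:
    request: str
    new_value: str
    callback_number: str  # number on file at the moment the request was made
    code: str             # one-time code delivered on the callback
    created: float = field(default_factory=time.time)
    confirmed: bool = False


class CallCenterGate:
    CODE_TTL_SECONDS = 15 * 60

    def __init__(self):
        self.pending: dict[str, PendingChange] = {}

    @staticmethod
    def kba_passed(customer, account_number, dob, ssn_last4):
        """KBA check.  Passing it only earns LOW-risk service; every answer
        here is the kind of data a fraudster can buy or phish."""
        return (
            secrets.compare_digest(account_number, customer.account_number)
            and secrets.compare_digest(dob, customer.dob)
            and secrets.compare_digest(ssn_last4, customer.ssn_last4)
        )

    def request_change(self, customer, request, new_value, kba_answers):
        """Return (status, change_id); status is 'denied', 'approved' or
        'pending_callback'."""
        if request not in REQUEST_RISK:
            raise ValueError(f"unknown request type: {request}")
        if not self.kba_passed(customer, *kba_answers):
            return "denied", None
        if REQUEST_RISK[request] is Risk.LOW:
            return "approved", None
        # HIGH risk: never act on the caller's word.  Record the callback
        # target now, from the profile, so a 'change_phone' request cannot
        # steer its own verification call to the fraudster's handset.
        change_id = secrets.token_hex(8)
        self.pending[change_id] = PendingChange(
            request=request,
            new_value=new_value,
            callback_number=customer.phone_on_file,
            code=f"{secrets.randbelow(10**6):06d}",
        )
        return "pending_callback", change_id

    def confirm_callback(self, change_id, dialed_number, code_read_back, now=None):
        """A second agent dials callback_number and delivers the code; the
        customer reads it back on the original call.  True only when the
        dialed number is the recorded one, the code matches, the code has not
        expired and the change has not already been confirmed (no replay)."""
        change = self.pending.get(change_id)
        if change is None or change.confirmed:
            return False
        now = time.time() if now is None else now
        if now - change.created > self.CODE_TTL_SECONDS:
            del self.pending[change_id]
            return False
        if dialed_number != change.callback_number:
            return False
        if not secrets.compare_digest(code_read_back, change.code):
            return False
        change.confirmed = True
        return True
```

A fraudster holding the customer's stolen account number, date of birth and SSN digits gets through `kba_passed` and can request a phone change, but the callback goes to the real customer's handset and the change never leaves the pending state. The same gate also makes the conversion-weekend weakness Speare describes explicit: if the migrated profile has no trustworthy `phone_on_file` yet, there is nowhere safe to call back, and high-risk requests should stay held until the data is verified.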
The important point to remember is that socially engineered attacks depend on human manipulation. No one technology or solution is going to address all vulnerabilities.
"Unfortunately, there is not just one answer that is the panacea that solves all ills," Speare says. "It's a balancing act, and it's not a pure black and white line. There's a lot of gray."