The Paul Allen debit card scandal just reiterates a concern financial fraud experts have been screaming about for years: Socially-engineered schemes that compromise employees are among the industry's greatest threats. And technology alone won't overcome them.
While many banks and credit unions have invested in technology solutions to thwart and prevent phishing attacks and online fraud, some have ignored one key entry point: the call center. As a result, fraudsters have redirected their aim.
Allen, who co-founded Microsoft and now owns the Seattle Seahawks and Portland Trailblazers, is worth an estimated $14 billion. He's a public figure. And his name's ubiquity could make him, in theory, more susceptible to identity theft than the average consumer.
But the ease with which Allen's Citibank debit card and bank account details were stolen via a call center dupe raises serious questions about measures the bank had in place to protect Allen's identity - and his money.
According to a complaint filed with a U.S. District Court in Pennsylvania, federal authorities believe an Army deserter fooled a call center service rep at Citi. The caller convinced the employee he was Paul Allen, when, in fact, the alleged phisher was Brandon Price, a Pittsburgh resident who hijacked Allen's Citibank debit card after he changed Allen's account mailing address to his own.
"An individual identifying himself as Paul Allen called the customer service department of Citibank," states Federal Bureau of Investigation Agent Joseph J. Ondercin in the court filing, which was unsealed this week. "The caller stated that he had misplaced his debit card at his residence, but did not want to report it stolen. The individual then successfully ordered a new debit card on the account of Paul Allen and had it sent via UPS."
Citi says it picked up on the scam through internal fraud monitoring, but only after suspicious transactions started hitting Allen's account.
Alas, this is an all-too-familiar story. Call centers at top tier U.S. banks are increasingly proving to be sweet spots for fraudsters, says Julie McNelley, a fraud analyst with Aite.
"In October 2011, I published a piece about where financial institutions were feeling the most pain, and one of the responses to that was the call center."
More than half of the security specialists at North American banking institutions surveyed by Aite identified themselves as heads of fraud departments at the 35 largest U.S. banks. "The call center was a concern among larger institutions," McNelley says.
Matthew Speare, who oversees security for M&T Bancorp., which, with $80 billion in assets, is the United States' 17th largest bank holding company, says smaller institutions have the advantage of more direct customer relationships on their sides when it comes to avoiding call-center scams.
"The larger you get, the more extraction you have between the customer and the call center," Speare says. "In a smaller institution, the people who answer the phone are more likely to know the customer, so they won't be so easily fooled."
It's great that Citi detected the fraud. But the incident could have been avoided. What could Citi do to improve? Ramp up employee education, and adopt enhanced user authentication and out-of-band verification of transactions initiated via the call center.
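As an added illustration of the out-of-band verification point (example code written for this page, not Citi's process or anything from the article): a small Python policy check that holds a call-center request whenever it matches the pattern described above, rather than letting the agent complete it. The event names, the authentication labels, the 30-day window and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    when: datetime
    action: str                      # "address_change", "card_reissue", ...
    auth: str                        # how the caller was authenticated on the call
    details: dict = field(default_factory=dict)

# Assumed policy: changes an agent may not complete without out-of-band proof.
STEP_UP_ACTIONS = {"address_change", "phone_change", "card_reissue"}
STRONG_AUTH = {"otp_to_phone_on_file", "callback_to_number_on_file"}

def assess(events, window=timedelta(days=30)):
    """Walk the account's call-center events in time order and return the
    decision for the most recent one: ("allow" | "hold", [reasons]).
    A "hold" means the request is routed for out-of-band verification
    before anything changes on the account."""
    events = sorted(events, key=lambda e: e.when)
    last, history = events[-1], events[:-1]
    reasons = []
    if last.action in STEP_UP_ACTIONS and last.auth not in STRONG_AUTH:
        reasons.append("high-risk change without out-of-band verification")
    if last.action == "card_reissue":
        # A reissue shortly after an address change ships the card to the
        # new address; treat the two together as one high-risk sequence.
        recent_addr = [e for e in history if e.action == "address_change"
                       and last.when - e.when <= window]
        if recent_addr:
            reasons.append("card reissue within %d days of address change" % window.days)
        # Replacing a "misplaced" card while leaving the old one active
        # avoids the block that a stolen-card report would trigger.
        if last.details.get("report_stolen") is False:
            reasons.append("replacement requested without blocking the old card")
    return ("hold" if reasons else "allow", reasons)

# Constructed sample (dates and labels invented) following the sequence
# described in the article: address change, then a card reissue.
SAMPLE = [
    Event(datetime(2012, 1, 10), "address_change", "knowledge_based_questions"),
    Event(datetime(2012, 1, 14), "card_reissue", "knowledge_based_questions",
          {"report_stolen": False, "ship_to": "address_on_file"}),
]

if __name__ == "__main__":
    print(assess(SAMPLE))   # ('hold', [... three reasons ...])
```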
The important point for all institutions: Socially-engineered attacks depend on human manipulation. Until banks and credit unions address the human risks, they'll remain vulnerable, and crafty fraudsters will get through.