The Fraud Blog with Tracy Kitten

Lessons from Paul Allen ID Theft

Microsoft Founder's Card Breach Highlights Growing Concern

The Paul Allen debit card scandal just reiterates a concern financial fraud experts have been screaming about for years: Socially-engineered schemes that compromise employees are among the industry's greatest threats. And technology alone won't overcome them.


While many banks and credit unions have invested in technology solutions to thwart and prevent phishing attacks and online fraud, some have ignored one key entry point: the call center. As a result, fraudsters have redirected their aim.

Allen, who co-founded Microsoft and now owns the Seattle Seahawks and Portland Trail Blazers, is worth an estimated $14 billion. He's a public figure. And his name's ubiquity could make him, in theory, more susceptible to identity theft than the average consumer.

But the ease with which Allen's Citibank debit card and bank account details were stolen via a call center dupe raises serious questions about measures the bank had in place to protect Allen's identity - and his money.

According to a complaint filed with a U.S. District Court in Pennsylvania, federal authorities believe an Army deserter fooled a call center service rep at Citi. The caller convinced the employee he was Paul Allen, when, in fact, the alleged phisher was Brandon Price, a Pittsburgh resident who hijacked Allen's Citibank debit card after he changed Allen's account mailing address to his own.

"An individual identifying himself as Paul Allen called the customer service department of Citibank," states Federal Bureau of Investigation Agent Joseph J. Ondercin in the court filing, which was unsealed this week. "The caller stated that he had misplaced his debit card at his residence, but did not want to report it stolen. The individual then successfully ordered a new debit card on the account of Paul Allen and had it sent via UPS."

Citi says it picked up on the scam through internal fraud monitoring, but only after suspicious transactions started hitting Allen's account.

Alas, this is an all-too-familiar story. Call centers at top-tier U.S. banks are increasingly proving to be sweet spots for fraudsters, says Julie McNelley, a fraud analyst with Aite.

"In October 2011, I published a piece about where financial institutions were feeling the most pain, and one of the responses to that was the call center."

Among the security specialists within North American banking institutions Aite surveyed, more than half identified themselves as leading fraud departments for the top 35 banks in the United States. "The call center was a concern among larger institutions," McNelley says.

Matthew Speare, who oversees security for M&T Bancorp., which, with $80 billion in assets, is the United States' 17th largest bank holding company, says smaller institutions have the advantage of more direct customer relationships on their side when it comes to avoiding call-center scams.

"The larger you get, the more extraction you have between the customer and the call center," Speare says. "In a smaller institution, the people who answer the phone are more likely to know the customer, so they won't be so easily fooled."

It's great that Citi detected the fraud. But the incident could have been avoided. What could Citi do to improve? Ramp up employee education, and adopt enhanced user authentication and out-of-band verification of transactions initiated via the call center.

The important point for all institutions: Socially-engineered attacks depend on human manipulation. Until banks and credit unions address the human risks, they'll remain vulnerable, and crafty fraudsters will get through.



About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



