Call Center Fraud Targets ProcessorsThe Reasons Behind the Shift in Fraudsters' Strategies
The massive number of retail point-of-sale breaches we've seen in the last two years has fueled an uptick in call center fraud that targets payments processors.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
I first heard about this emerging trend last month, while in Chicago for Information Security Media Group's Fraud Summit.
Processors may handle transactions for hundreds or even thousands of institutions, making them prime targets for criminals.
A fraud specialist from an Alabama credit union and a risk manager from a regional payments processor that services credit unions told me about this emerging trend that aims to fool payments processors into approving fraudulent card transactions before they are sent to the issuer.
Fraudsters feigning to be the legitimate cardholder ask the payments processor to approve a card transaction that might get flagged, either because it's out of the country, over a specific dollar amount, or because the card has not been used in a while or not used for a certain type of transaction.
Using stolen card details obtained in retail breaches, fraudsters call payments processors, before the transactions are flagged as suspicious by the issuing institutions, and convince the call-center staff that the transactions are legitimate.
This new fraud trend is concerning to both the credit union and the processor executive because the criminals have figured out how to bypass many of the automated fraud-detection systems credit unions have in place to flag suspicious or anomalous card activity.
What's more, the stolen card details being used are not from the most recent breaches, the Alabama credit union representative told me. In this credit union's case, the cards used were linked to the Albertson's and SuperValu breaches, both of which occurred in June 2014 (see Supervalu: Linked to Other Breaches?).
Cards assumed to have been compromised in those breaches have long ago been reissued. So, either the hackers had waited to sell the stolen card information until the issuers were convinced they had not been compromised, or the fraudsters were cunning enough to convince call-center staff at the processing level that they were not aware replacement cards had been issued.
Either way, the scheme resulted in fraudsters convincing a processor's call center staff to approve transactions, so they never went through the issuers' approval process.
Obviously, this is a security gap that only skilled attackers who know the logistics of payments processing could figure out how to exploit.
Card Processors Prime Targets
Just how common is processor call center fraud? This week, phone fraud security firm Pindrop Security issued a report that found card processors were targeted by phone fraud scams nearly three times more than banking institutions within the last year.
David Dewey, who heads up Pindrop's research team, tells me that the company discovered the trend of payments processor call-center fraud in its review of millions of calls made to call centers at banking institutions, retailers and payments processors over the last year.
"Basically, when we listened to calls made to processors, we found that the fraudster will call in and say, 'I am the cardholder, and I am about to make a big transaction; something I think you would try to block. But this is really me, so please let the charge through.'"
Dewey says Pindrop heard several slight variations of that attack, but the method was basically the same.
"In one case, the fraudster was based in a very popular vacation destination in Europe, so he called in and said, 'I'm going to be traveling to Europe, so please don't shut my card down. Oh, and by the way, I'm going to make a very big charge in the next couple of days, so don't turn it down,'" Dewey explains.
In other scenarios, fraudsters call feigning to be a merchant that needed to have a transaction approved at the POS, he adds.
I understand why fraudsters would call a processor pretending to be a merchant. But why would they pose as a consumer? Wouldn't consumers call their card issuer, rather than a processor, when preparing for travel or a large purchaser?
"We wondered the same thing," Dewey tells me. "But we found that this is actually quite common. Processors do receive these types of calls from consumers in large volume."
Pindrop estimates the potential for fraud linked to these types of call-center attacks could be as high as $15 million per payments processor.
Al Pascual, director of fraud and security at Javelin Strategy & Research, says this method of attack works because transaction approval at the processor level is quite common, especially for smaller institutions that outsource a large portion of their card-processing services.
"Processors may handle transactions for hundreds or even thousands of institutions, making them prime targets for criminals who identify vulnerabilities in how access is authenticated via the phone channel," Pascual says. "Given what I have heard anecdotally from financial institutions about their specific in-house challenges, I am surprised that suspected losses are that low."
Call Center Fraud
We've been writing about upticks in call-center fraud for the last three years (see How to Stop Call Center Fraud). But this type of fraud usually involves a social engineering or phishing attack, which fools unwitting call-center staff into coughing up details about consumers' bank or credit-card accounts. And most such attacks have been were waged against banking institution's call centers.
The emergence of attacks waged against processors points to the need for more training of call-center staff at the processing level to help them identify socially engineered schemes.
"There also needs to be a second check of these transactions on the issuing side," Dewey says, which could be challenging for smaller institutions that already outsource much of this automated monitoring to the processor.
Have you seen evidence of new forms of call-center fraud? If so, how are you dealing with it? Please comment in the space below.