Phone fraud is a multimillion-dollar industry led by professional, organized hackers that impacts consumers in their homes and on their phones. It also impacts businesses, both through individual employees and call centers. Financial institutions are at the center of this world – they are both targeted by attackers and impersonated by attackers to steal from consumers.
The phone system presents a perfect storm of characteristics, both new and old, that invite this malicious abuse. Pindrop Security CEO Vijay Balasubramaniyan has identified five vulnerabilities that enable phone fraud.
Caller ID is broken – Caller ID (CID) and Automatic Number Identification (ANI), two systems designed to provide information on callers, actually have no security built in or available. They were originally designed to be used internally by the phone companies, and therefore lacked a true security component. The result is that spoofing Caller ID data is very easy.
It’s cheap and easy – With the rapid spread of VoIP networks beginning in the 1990s, the world of telecommunications changed significantly. The cost of long distance calls fell drastically, making it practical to call the U.S. from anywhere in the world cheaply. VoIP allowed wide use of PC applications to perform a wide range of activities, many beyond the scope or intent of the phone network. This included automated dialing and easy-to-use spoofing technology.
No metadata – Every phone call traverses multiple networks, no two of which are exactly alike. In fact, if you use your cell to call your own landline while standing next to it, you’re using at least two networks. Since phone networks are also very bad at sharing information with each other about the call, the only data to get through every network the call traverses is the actual call audio. There is no data shared that provides caller verification or origination. And even call audio suffers degradation – we’ve all experienced poor quality calls. The recipient of a phone call cannot count on any information about the caller coming through intact.
Call centers are vulnerable – Talking to a call center representative presents a fraudster with several advantages. First, fraudsters are typically professional social engineers – they are experts at manipulating people. Second, call center representatives rightfully prioritize being helpful – they want the customer to get the password right or successfully complete the transaction. Third, despite the overall fraud call volume being high, the average call center representative will only be dealing with a fraudster once in approximately every 2000 calls. Identifying and handling a fraudster is not a core competency for that rep.
Automated phone systems – Fraudsters can also steal from you and your customers without talking to a representative. Automated systems, or interactive voice response (IVR) systems, provide a wide range of account activities that allow a fraudster to make substantial inroads toward taking over an account. As with a live rep, getting an account address, email or phone number changed can allow a fraudster to order a replacement credit or debit card and then clean funds out of an account. And they only need access to the account for a few hours prior to detection to be successful. In addition, fraudsters will check balances on accounts to identify high-value targets.
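The IVR pattern described above (a contact-detail change followed by a card replacement, and balance checks across many accounts) can be reviewed from IVR logs. The following is an added example, not code from the article or from Pindrop Security; the event names, log layout, 24-hour window and sweep threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample IVR events, not real data:
# (timestamp, account, caller number as presented, action)
EVENTS = [
    ("2024-03-01T09:00", "A100", "+12025550101", "balance_check"),
    ("2024-03-01T09:05", "A100", "+12025550101", "email_change"),
    ("2024-03-01T11:30", "A100", "+12025550101", "card_replacement"),
    ("2024-03-01T10:00", "A200", "+12025550102", "address_change"),
    ("2024-03-05T10:00", "A200", "+12025550102", "card_replacement"),
    ("2024-03-02T14:00", "A300", "+12025550109", "balance_check"),
    ("2024-03-02T14:02", "A301", "+12025550109", "balance_check"),
    ("2024-03-02T14:04", "A302", "+12025550109", "balance_check"),
]

CONTACT_CHANGES = {"address_change", "email_change", "phone_change"}
WINDOW = timedelta(hours=24)   # assumed review window, tune per institution
SWEEP_THRESHOLD = 3            # assumed: distinct accounts per caller number


def flag_takeover_sequences(events, window=WINDOW):
    """Accounts where a contact change is followed by a card order within `window`."""
    last_change, flagged = {}, {}
    for ts, account, _caller, action in sorted(events):
        when = datetime.fromisoformat(ts)
        if action in CONTACT_CHANGES:
            last_change[account] = (when, action)
        elif action == "card_replacement" and account in last_change:
            changed_at, change = last_change[account]
            if when - changed_at <= window:
                reason = f"{change} then card_replacement after {when - changed_at}"
                flagged.setdefault(account, []).append(reason)
    return flagged


def flag_balance_sweeps(events, threshold=SWEEP_THRESHOLD):
    """Caller numbers that checked balances on `threshold` or more accounts.

    The presented number can be spoofed, so this is a weak signal on its own.
    """
    seen = {}
    for _ts, account, caller, action in events:
        if action == "balance_check":
            seen.setdefault(caller, set()).add(account)
    return {c: sorted(a) for c, a in seen.items() if len(a) >= threshold}
```

Flagged accounts are candidates for step-up verification or a hold on the card order, not proof of fraud.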