BANKING STRATEGIES
As if you weren’t already wary about answering phone calls from unknown numbers, here’s another concern to consider. And it isn’t just talk—though you’ll want to watch what you say, how you say it and who you say it to.
Here’s how it works: Imagine a caller/fraudster trying to “steal” your voice by capturing it over the phone, all to steal your money. Now imagine no more. It’s a new form of attack against financial institution call centers called “synthetic speech”— part of a growing trend by bad actors to illicitly syphon funds that call centers are scrambling to fight—that is, when they can fight it at all.
Using commercially available technology, fraudsters are “generating interactions using captured voice patterns from pretext calls with the victims,” says Jonathan Care, research director for Stamford, Connecticut-based Gartner, a research and advisory company.
It’s a way, says Care, to circumvent the very voice authentication systems designed to protect call centers in the first place. This security method has customers register their voices so that automated systems can match voice patterns as a means of identification.
Synthetic speech, along with what Care calls “cross-channel fraud” (where call center attacks begin online and end with a visit or written request), form a one-two punch that casts vulnerable call centers adrift—often because financial institutions direct the bulk of their cybersecurity resources elsewhere.
For those institutions, such attacks are costly. Call centers are losing more than a half-cent to fraud per every call, says Care: “Across the U.S., losses are exceeding $14 billion.”
The scope of those losses, he says, confirms his 2013 prediction that fraudsters would move from physical and online attacks to call center fraud “due to a lack of protection and outdated authentication measures such as knowledge-based authentication (KBA).”
Sunil Madhu, founder of software security firm Socure, agrees with Care that call centers are at risk in large measure thanks to outdated security procedures.
“They are rife for attacks, as most fraudsters have the answers to the questions about the legitimate account owner at hand thanks to data breaches and easy availability of stolen data on the internet,” Madhu says. “The use of KBA in general should be seen as a risk as it creates an easy attack surface to exploit.”
Some legacy KBA solutions have been adapted to use private transaction information as opposed to public information, in an effort to make the solution more robust. But answering questions about the most recent transactions on the account might strain some customers’ memories, says Madhu.
“Moreover a fraudster could attempt to spoof the system by crafting fraudulent charges against the account with the intent to overcome KBA,” he says. They’d base this “on prior transaction information to take over an account. Nevertheless, all KBA solutions present a point of friction to the consumer and these solutions are very ineffective in today’s world.”
That’s a double whammy for centers operating on legacy platforms. In an ideal scenario, call centers should institute layered defenses such as Digital Identity Verification (DIV) that limit friction, says Madhu.
When an intelligent machine identifies a risky call, the interactive voice response or call center agent can perform secondary step-up authentication, such as triggering a push notification to the user if they’re subscribed to the mobile app (more secure). That subsequently asks the consumer to use biometric verification on their mobile app (even most secure), says Madhu.
Technology deficits aside, call centers have become lucrative targets because they constitute the soft spots in the financial institution security chain, he notes.
“By attacking the call center, the fraudsters aim to exploit human beings as the weakest link,” says Madhu. “Using stolen data and caller ID spoofing or SIM swapping to convince the call center worker that they’re the legitimate account owner, fraudsters can provision stolen credit cards to their iPhone wallets to commit Apple Pay fraud or reset account passwords to take over an account.”
At telecom call centers, the fraudsters can convince the agent to temporarily call forward or port the legitimate account owner’s phone number to a different number—so that they can exploit the forgotten password recovery mechanism on most websites. That sends a one-time password or PIN to the fraudster’s phone and allows the fraudster to take over, say, someone’s bank accounts.
Says Madhu: “SIM swaps use the same attack vector but without the need to attack the telecom company call center first, focusing instead on attacking the mobile network infrastructure itself.”
Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association, acknowledged in November that financial institutions need to keep an eye on contact center fraud, especially the human factor. To that end, consumers and bank leaders depend on the folks behind the phones.
“I do think employee education at the call center needs to an be area where banks are eternally vigilant,” Johnson contended. “We tend to spend more time focusing on customer protections: making sure they have anti-viral software and aren’t tempted by phishing scams.”
While a number of technical solutions to call center fraud exist, the financial services industry should employ one simple solution more frequently, says Denise Mainquist, founder and managing director of ITPAC Consulting, a Lincoln, Nebraska-based cybersecurity firm with several community banks as clients.
Unlike calls from fraudsters, these are definitely ones you will want to answer.
“One of the best controls is non-technical: Always do call backs,” Mainquist advises. “Even though banks and credit unions are required to have this control in place when receiving wire requests and automated clearing house files on-line, I find they often don’t do it. Excuses range from ‘Our clients don’t like us to bother them’ to ‘This client is getting on a plane and wants this money transferred by the time it lands.’”
Mainquist boils her reaction to those excuses down to one word.
“Yikes,” she says. “Nearly every time I hear of a big loss it is because someone didn’t do a call back. It’s critical and will save everyone money. Big yikes on both fronts.”
- BAI: https://www.bai.org/banking-strategies/article-detail/the-call-center-commandment-don-t-put-fraud-protection-on-hold/
- Internet Archive: https://web.archive.org/web/20191112053933/https://www.bai.org/banking-strategies/article-detail/the-call-center-commandment-don-t-put-fraud-protection-on-hold/
