All of us need to be vigilant and safeguard our financial lives against social engineering and other attacks that have grown in frequency and sophistication over time. One key part of staying safe is guarding our account-related identities. Authentication is the process of proving who we are to our bank, credit card provider or other holder of our accounts. Obviously, only you should be able to do this to access your account, and no one else should be able to convince the bank that they are you. That’s the theory. Butler Lampson, a well-known computer scientist and security expert, includes authentication as one of the three pillars of the gold standard of computer security (the other two being authorization and audit). Clearly, we need to get authentication right to secure our online lives.
The reality is not so neat. Since authentication has received much attention in the context of the web channel (did you choose hard-to-guess passwords?), we now face attacks on the less-protected telephony channel. In the past, the telephony system was trusted. People assumed that a Caller-ID really did tell you who was calling. Banks even allowed you to activate your credit card just by calling from your registered phone. A top executive at a major telecommunications company once told me that the major difference between the telephony and web channels was that the former is trusted while the latter never will be. Unfortunately, this is no longer true. In fact, cyber criminals are exploiting the past trustworthiness of the telephony channel to their advantage. They are using it as an entry point for compromising online services: by requesting password resets for accounts over the phone, they undermine web authentication.
The rapid change in the telephony ecosystem, driven by technological advances and deregulation, has reached a point where it has become extremely hard to figure out who is really calling us on the phone. There are readily available tools for spoofing Caller-ID (and the related ANI). New technologies like VoIP have made it possible to craft Internet-style attacks over the telephone. Robocalling can deliver fraudulent messages to your voice mail at almost no cost, just as email spam fills your inbox. With Caller-ID spoofing, you do not know whether it really is your bank at the other end of the call. Likewise, when someone calls your bank’s customer contact center, the agent handling the call can no longer assume that it is you simply because the Caller-ID shows your phone number. Because of the rapidly growing problem of telephony fraud, the FTC even hosted a summit in October 2012 to discuss the threats that can come over the traditionally trusted telephony channel. In addition, the FTC organized an innovation challenge with a $50K award to develop novel solutions to protect citizens against fraud coming over the telephony channel.
So what can we do about authentication over the telephony channel to combat phone fraud? Stay tuned.