Last week, the IRS announced that, from February through mid-May this year, criminals accessed the past tax returns of 100,000 Americans using the IRS website. Yesterday, the US Senate Committee on Homeland Security & Governmental Affairs held a hearing to learn more about what went wrong at the IRS, and what steps could be taken to protect American’s personal information going forward.
Dr. Kevin Fu, a cybersecurity expert and Associate Professor at the University of Michigan, highlighted Pindrop’s audio and voice based fraud detection in his testimony: “Pindrop Security, they actually work for financial services companies. They listen to the audio of the phone calls as people call in and they’re able to actually identify repeat offenders who are calling in pretending to be other people based on the delay in the phone line from the country they’re calling from, some interesting characteristics of the copper wires. You could use some of these advanced technologies not to eliminate, but at least reduce the risk of fraudsters trying to go from one fraudster doing 100,000 accounts to at least making it more difficult to scale up to so many different accounts from one adversary.”
Pindrop has been a part of this conversation in the past, when we exposed an attacker caught in the act, when we quantified numbers of attacks, and when we mapped the attack as it spread across the US. Consequently, we were gratified to find our work being credited for contributing to possible solutions.
Fraud against the IRS hurts everyone in the US. We’re glad if we can be part of the solution.
Point-of-sale (POS) security breaches, like those at Home Depot and Target, are a major concern for financial institutions. Banks must protect their customers from fraud, knowing that many have had identifying information stolen during these breaches. Experts are now predicting that financial institutions can expect an even greater number of attacks in the coming months.
In an attempt to stop these breaches, the US is slowly migrating to the global Europay, MasterCard, Visa card standard (EMV), which processes transactions with a microchip and pin number (“Chip and Pin”) instead of the easy to counterfeit magnetic strip in use today. But, according to Bob Russo of the PCI Council, this transition will mean a significant rise in fraud in the short term. Hackers see their window of opportunity shrinking, and will increase the scale and frequency of their attacks to get as much information as possible before the new chip and pin technology goes into effect.
“These hackers [will] take advantage of, at least in the face-to-face environment, getting this credit card data,” said Russo. “As we saw in other, mature EMV markets, typically the fraud is going to go up before EMV becomes embedded here in the United States. So, get prepared, for fraud is coming, and it’s coming very, very strongly.”
We discussed in an earlier post how fraudsters are using stolen POS information to launch fraud attacks over the phone channel. These breaches often provide enough information for a fraudster to launch account takeover attacks against banks that rely on Knowledge-Based Authentication (KBA) questions. As more stolen data becomes available in the coming months, banks should expect phone fraud attempts to increase.
Pindrop co-founder and CEO, Vijay Balasubramaniyan, recently moderated a panel discussion of cross channel and cross enterprise fraud at the Financial Services Information Sharing and Analysis Center (FS-ISAC) Fall Summit in Washington, DC. There, security leaders from Bank of America, E*TRADE, Citi, and TD Ameritrade discussed the technical and organizational changes required to stem these attacks. As one speaker put it, “We used to ask: what if one of out customers is breached? Now we have to ask: what if all of our customers are breached?”
Pindrop continues to help banks and financial institutions fight phone fraud. Pindrop’s Fraud Detection System (FDS) is used by call centers, automated systems, fraud investigation and incident response teams to quickly evaluate callers as part of their anti-fraud and transaction approval processes. FDS allows financial institutions to reduce the burden of proving identity on their customers while improving their prevention of fraud through identification of deception techniques such as call spoofing.
Fraud attempts may increase before the EMV Chip and Pin rollout completes, but the technology to defeat these fraudsters in the phone channel is now available.
The Telephone Consumer Protection Act (TCPA) of 1991 gave the FCC the power to regulate telemarketers’ use of artificial or prerecorded voice messages, now known as robocalls, in calls to consumers. Today, consumers can add their home landline and mobile numbers to the National Do Not Call Registry.
However, B2B robocalls calls made with the intent to solicit sales are exempt from these Do Not Call provisions. Robocallers who exclusively call other business lines are not required to obtain or scrub their list against the National Do Not Call Registry.
US businesses spend over 20 million hours answering unwanted phone calls each year. Yet, under the TCPA, the FCC offers no protection for businesses against the robocalls. Instead, businesses are advised to simply hang up.
The FCC has held regular contests to crowdsource ideas for robocall blocking technology. In 2013, Serdar Danis and Aaron Foss won for proposals that filtered robocalls using a CAPTCHA style test. While the idea might work in an enterprise environment, most businesses cannot risk frustrating legitimate callers who may be calling for support or to make a sales inquiry.
Pindrop offers an alternate solution for businesses to block unwanted calls. Phone Reputation Service (PRS) is the most complete database of spam phone numbers and robo dialers available on the market today. Instead of verifying each caller using a CAPTCHA or other complicated activity, PRS assigns each incoming phone number a risk score based on factors like complaint history, device type, and service provider.
PRS integrates with current enterprise phone systems. A business can set a custom risk score threshold to automatically block numbers with a known history of robocalls, fraud, or other unwanted activity. Pindrop customers report PRS True Detection Rates (TDR) of nearly 80%. Learn more about PRS.
Pindrop Security CEO Vijay Balasubramaniyan spoke and joined a panel on Caller ID Spoofing at the FTC Robocall Summit on October 18. Visit the site for video of the session. Vijay takes the stage at 32:40.
The Federal Trade Commission (FTC) launched a competition this past week that challenges small businesses to discover an innovative solution that will block illegal robocalls on landlines and mobile phones. The agency is offering a $50,000 prize to the team that presents the best technical solution. The competition was launched because complaints to the government are up sharply about unwanted phone solicitations. Government figures show monthly robocall complaints have climbed from about 65,000 in October 2010 to more than 212,000 this April. More general complaints from people asking a telemarketer to stop calling them also rose during this period from about 71,000 to 182,000.
The federal do-not-call list was put in place nearly a decade ago to limit telemarking sales calls to people who did not want to receive them, the registry has more than 209 million numbers on it. Although in recent years telemarketers have rarely checked it to update their lists, or ignored it completely. Telemarketers may think twice in future though, Sen. Chuck Schumer has introduced legislation that would up the penalty from a misdemeanor to a felony that carries up to 10 years in prison, per call!
Robocalls with prerecorded messages have become the marketing vehicle of choice for phone fraudsters. Fraudsters use caller-ID spoofing so that when a person tries to call back the robocaller, they get a disconnected number or something other than the source of the original call. Robocalls are an attractive option for fraudsters because they can use an autodialer that can blast out millions of calls in a matter of hours, they are hard to trace, and they are cheap. Fraudsters will often try to trick a consumer into thinking the call is from a charity or a political candidate then eventually switch to an illegal telemarketing sales pitch in an attempt to get the victims information.