The wealth of information housed by contact centers can be leveraged by fraudsters for data mining and cross-channel attacks. In an effort to prevent phone fraud, many businesses implement authentication methods; however, most fail to administer the authentication required to provide a layered defense system. As social engineering and fraud technologies have become more advanced, standard authentication methods have proven less sufficient. “You have to assume the criminals can get through one layer [of authentication]; they can get through two, they can even get through three,” says Avivah Litan, Vice President with the consultancy Gartner. “But if you have multiple layers, up to five, and you’re continuously authenticating that user and continuously looking at their activities against their profile, you should be in pretty good shape.”
Multiple layers of security allow organizations to meet regulatory requirements and effectively safeguard customer data. Knowledge-based authentication (KBA) has served as a standard authentication method for years; however, 10-15% of KBA fails entirely, proving that authentication requires another layer of security in order to ensure data protection. A layered approach to authentication starts with “protecting the endpoint, trying to secure the browser, going all the way up to looking at the navigation, building profiles of users and accounts and looking for anomalies, doing that across channels,” says Litan. This kind of identity assessment analyzes endpoint and user data, metadata, and behavior as it identifies linkages across and between entities.
No single authentication method used on its own is sufficient to keep determined fraudsters out. Creating a layered defense system makes it more difficult for an illegitimate caller to access desired information, such as a physical location, computing device, network, or database. If one barrier is broken or compromised, the fraudster still has at least one more barrier to breach before successfully accessing the desired information. This system ensures that each layer defends the previous layer, making it more difficult for a fraudster to circumvent the security of the entire system.
Fraud poses a substantial risk to the integrity of federal programs and weakens the public’s trust in government. Though government agencies have made great strides in online security over the past few years, they have neglected to implement similar protections for the phone channel.
Fraudsters commonly use the call center as a first step in launching a fraud attack. By impersonating a citizen over the phone, fraudsters are able to gather private financial or personal information. Agencies that hold significant amounts of personal data, like the IRS and Social Security Administration, are particularly at risk.
Today, too many government agencies are relying on outdated Knowledge Based Authentication (KBA) questions as their primary form of security over the phone channel. These questions are ineffective at stopping fraudsters, as recent data breaches have flooded the black market with the answers to these questions. Even when the fraudsters don’t already know the answers, they can use social engineering techniques to bypass security measures.
So what can government agency call centers do to more effectively solve this problem? Pindrop solutions are designed to analyze all aspects of the call to assess the true identity of the caller and detect indicators of fraud. Built around patented Phoneprinting technology, Pindrop analyzes 147 features of the call audio to determine the caller’s true location, device, and risk. Pindrop combines Phoneprinting with reputation analysis, voice biometric blacklisting, and a private enterprise consortium, which allows sharing of threat intelligence across industries.
Government agencies are using Pindrop to avoid data breaches and protect citizen information in the call center, as well as for forensic investigation and analytics. To learn more about how Pindrop is helping government agencies, check out a recent interview with our VP of Public Sector, Eric Forseter in Meritalk.
Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions based on asset size in order to provide an accurate evaluation of the most effective technology solutions to protect against fraud. On Tuesday, Aite’s Senior Analyst, Shirley Inscoe, joined Pindrop’s Director of Research, Dr. David Dewey, for an online discussion of the growing threat of fraud in the contact center.
Top 10 Takeaways
- As EMV continues to gain momentum in the US, organized fraud rings will move to the phone channel, replacing traditional counterfeit card fraud.
- The contact center is the cross-channel fraud enabler. Current authentication factors in the contact center often fail due to various data fraudsters can acquire through social engineering tactics.
- The majority of financial institutions (72%) expect contact center fraud loss to continue in an upward trajectory.
- The root source of fraud, the contact center, is often misdiagnosed due to fraud enablement in other channels, such as debit card, credit card, and check order takeover – online fraud that stems from credentials being reset by the contact center agent.
- Fraud will move downstream toward smaller institutions and credit unions as phone fraud solutions are integrated into larger firms.
- Organized fraud rings are using automated attacks, specifically robotic fraudsters, targeting interactive voice response (IVR) systems, to keep their cost down while still managing to dramatically increase market coverage.
- In the U.S., contact center fraud is expected to double to a $775 million problem by 2020.
- 61% of account takeover losses trace back to the contact center.
- For every 1 second that authentication is reduced, an organization can save $1 million annually.
- Of the 23 different technology solutions reviewed by leading executives, Pindrop’s phoneprinting and voiceprinting technologies hold the highest combined ranking on industry awareness of the product, overall product ranking, and likelihood of recommending to colleagues.
75% of Tuesday’s webinar attendees confirmed having seen a recent rise in fraud. Contact centers will continue to enable cross-channel fraud until technology solutions are implemented to thwart it. Ensuring optimal protection against fraud in the contact center requires multiple layers of security that provide high coverage, high accuracy, high speed, and low friction without being easily fooled by fraud techniques, such as spoofing, voice distortion, and social engineering. Pindrop’s technology provides multi-factor authentication through layered intelligence scores, reason codes, and risk factors.
Thank you for listening!
Contact center fraud attacks have increased substantially in recent years due to the EMV transition and data breaches. Despite the intent to administer positive and timely customer experiences, contact centers often fall victim to social engineering methods that enable fraud attacks.
Fraud attacks increase operational costs, decrease customer satisfaction, and jeopardize brand reputation as customer data is repeatedly lost to fraud. Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions in order to examine the current condition of the market and determine the most effective technology solutions for solving cross-channel fraud.
Current State & Fraud Loss Prevention Highlights
- Contact center fraud loss is expected to double by 2020.
- 61% of fraud can be traced back to the contact center, but it doesn’t end there. Fraud is a cross-channel problem.
- Contact center security vulnerability severely burdens a business.
- The right technology solution provides security without minimizing customer satisfaction.
According to Aite, guaranteeing optimal protection against fraud in the contact center requires multiple layers of security. Since contact centers have been under attack more than ever before, several types of security solutions have been created to solve the problem. Of the 23 different technology solutions reviewed by leading executives, Pindrop’s phoneprinting and voiceprinting technologies hold the highest combined ranking on industry awareness of the product, overall product ranking, and likelihood for referral.
Join Aite’s Senior Analyst, Shirley Inscoe, and Pindrop’s Director of Research, Dr. David Dewey, for an online discussion on the growing threat of fraud in the contact center and the best practices for detection and prevention.
Contact Centers: The Fraud Enablement Channel
September 13, 11:30 AM – 12:30 PM
On Tuesday, Pindrop released its annual Call Center Fraud Report. SC Magazine spoke to Pindrop’s research director, David Dewey about the drivers behind this year’s increase in phone fraud. According to Dewey, new US chip cards make it harder for fraudsters to reproduce phony cards, so the bad guys are crafting social engineering attacks that target call centers in order to make malicious transactions.
Dark Reading spoke to both Pindrop’s David Dewey and Chris Hadnagy, CEO of Social Engineer LLC. Hadnagy confirmed the Pindrop report findings, pointing out that voice represents the next big attack vector. Organizations should expect to see an increase in call center fraud and multi-vectored attacks.
Fox5: ID thief: here’s how to stop me – He would research his victims’ birthday and other personal info already online. Then he’d call merchants who use overseas customer service reps. When he would get the security answers wrong, they’d be more likely to cut him some slack.
Finextra: The Transatlantic State of Phone Fraud – Pindrop’s VP and GM of EMEA, Matt Peachey sat down with Finextra to discuss the 2016 Call Center Fraud Report released by Pindrop Labs. The report has uncovered a loss at £0.51 to fraud in call centers in 2015.
Pindrop: Pindrop’s 2016 Call Center Fraud Report Reveals 45% Increase in Phone Fraud Attacks – Pindrop today announced research indicating increases in phone fraud incidents and costs in multiple areas in its 2016 Call Center Fraud Report. Researchers at Pindrop Labs analyzed over 10 million calls to major enterprise call centers in the US and UK.
Forbes: The Day I Was Almost Defrauded By ‘The IRS’ – I thought I would know the signs. I have spent years teaching graduate students about fraud schemes, developed fraud training seminars for corporations around the world, and have even conducted prison interviews with convicted white-collar felons.
Security Magazine: Call Center Fraud Attacks Have Increased 45% Since 2013 – Strong online and mobile security, coupled with the rollout of EMV chip cards in the US means cybercriminals are changing tactics, exploiting the weakest link in the organization: the call center. The rate of call center fraud attacks has grown 45 percent since 2013.
FindBiometrics: Call Center Fraud on the Rise: Pindrop – Pindrop, the developer of call analytics security solutions, has released a new report indicating alarming trends in call center fraud. Composed by Pindrop Labs researchers using Pindrop’s Phoneprinting technology to analyze more than 10 million call center calls in the US and UK
This week NPR shared a Pindrop researcher’s undercover IRS phone scam conversation with a real fraudster. More than 5,000 victims have been duped out of $26.5 million since 2013.
BBC reported this week that last year in the UK, fraud losses totaled £755m. Pindrop’s Matt Peachey sat down with BBC to discuss the need for multi-layered security, including monitoring behavior.
The Guardian: The terror of swatting: how the law is tracking down high-tech prank callers – In 2014, a swatting attack was launched on an Atlanta suburb police station that led to a year-long investigation in the US and Canada. This hoax was implemented by a 16-year-old who initiated nearly 40 attacks on homes, schools, and businesses.
The Boston Globe: Why police are having a tough time finding culprits in school robocalls – Dozens of Massachusetts schools are being plagued with a series of hoax robocalls including threats of bombs and roaming shooters. Why can’t authorities trace the calls? Using VoIP, these callers are able to hide their identities.
Ars Technica: “This is the IRS regarding your tax filings” says trio of overseas robocallers – While the FTC searches for a technology to combat robocalling, scammers have now started posing as agents of the IRS using robocalls. Pindrop has found that the wave of IRS scammers can be traced back to 3 distinct groups operating outside the US.
CreditCards.com: Credit card companies may be analyzing your voice – While credit card companies often record phone calls from cardholders, it’s not always for the purpose of quality assurance. Many banks are now analyzing calls and using advanced voice biometrics to root out criminals in the fight against call center fraud.
This is Money: You’re on your own if a conman raids your bank account – This week, This is Money and Money Mail have reported that just 2 out of 1,000 cases in identity theft are investigated and that 70% of customers affected by scams never get a penny back.
ITProPortal: Nationwide develops behavioral authentication prototype – Nationwide’s Innovation Lab, BehavioSec and Unisys are developing an authentication system that uses a customer’s behavior to allow access rather than requiring an additional password to access their bank account from their mobile device.
This week the Guardian shared the story of account takeover fraud at Nationwide bank in the UK. In this multi-part attack, fraudsters took over the target’s mobile account, registered for mobile banking, and increased overdraft protections all by contacting call centers. Fraudsters monetized the attack using Apple Pay.
Consumer Reports published the results of a new study on Monday that found millennials are the most likely to lose money to a phone scam. 38 percent of millennial men report having lost money to a phone scam, compared to 11 percent of average Americans.
Schneier on Security: Bypassing Phone Security through Social Engineering – Undercover police officers in the UK used social engineering techniques to bypass iPhone security when investigating a terrorist suspect. Police impersonated the suspect’s work manager, asking for proof that he was in the office on a particular day.
The Sydney Morning Herald: Fraudsters rip off $5m from elderly victims using telephone scam – In one case, the scammers netted $600,000. The scam started with a phone call from someone purporting to be the manager of a Rolex store, who said that a youth posing as their nephew had been detained trying to use Albert’s credit card.
No Jitter: Hacking as a Service Part Two: Help is Here – At this point, a caller has been deemed safe enough to be allowed into the system and potentially into the ear of a real human being. Even still, security measures can be applied by listening in on the call to programmatically find anomalies.
The Atlantic: The Long Life (and Slow Death?) of the Prank Phone Call – Advances in technology apparently bring with them new possibilities for playfulness at someone else’s expense. There’s still something to be said for the visceral thrill of trying to fool someone voice to voice, it seems—even if you don’t quite pull it off.
South China Morning Post: Phone scammers pretend to be Hong Kong immigration officers – Bogus immigration officers have duped Hongkongers out of about HK$1 million in the latest round of phone scams as con artists have come up with a new ruse, the Post has learned. About 20 victims fell for the new tactic.
Gizmodo: Do Not Call the Number in This Instagram Ad – Yesterday on my Instagram feed was a sponsored post claiming “Millions of Americans are applying for Obama’s New Student Debt Forgiveness Program” and promising I could qualify in less than five minutes if I tagged a friend and called a toll-free number.
This week, Mashable reported that NPR accidentally hacked listeners’ Echos with a radio broadcast, proving the devices can be ‘hijacked’ by a speaker outside the home. NPR listeners reported the news story prompted Alexa to reset thermostats, play news summaries, and more. As the Echo begins to offer more features like paying for music and pizza, larger security concerns are beginning to arise.
According to Forbes, the IRS is warning consumers about a new variation on the IRS phone scam. Consumers are reporting that scammers are calling, saying they need to verify some information to process your return. Those details generally lead to identity theft.
FTC Blog: Avoiding imposter scams – Maria got a phone call one day. The caller, who claimed to be an attorney, told Maria there was a court order against her and that she had to pay hundreds of dollars to settle an old debt. If she didn’t pay, there would be dire consequences.
New York Post: ‘Prophet’ harassing NYers with robocalls demanding cash: suit – Self-proclaimed “prophet” Yakim Manasseh Jordan, 25 — who lives a “lavish lifestyle” with multi-million dollar homes and luxury cars — bombards personal phone lines across the country with up to six automated calls a day, according to the class action lawsuit.
Atlanta Business Chronicle: Georgia Department of Revenue gets ‘spoofed’ – The Georgia Department of Revenue (DOR) reported its phone lines have been subject to Caller ID spoofing. Spoofing occurs when the Caller ID of the caller appears to be coming from a valid number. DOR was first made aware of the scam on March 10.
On the Wire: On the Wire Podcast: David Dewey – In this episode of the podcast, Dennis Fisher talks with Dewey about the research, how the card issuers have addressed the problems he found, and what can be done to further secure mobile payment systems.
On the Wire: IRS Phone Scammers Shift Tactics – The variety of IRS tax scams is continuing to increase, and the agency is now telling consumers to be wary of a recent shift in scammers’ tactics. The latest version involves scammers calling to “verify” details of tax returns and harvesting valuable personal information.
BBC: Pensioner loses £20,000 in phone scam – The woman was contacted by someone claiming to be from the Visa Fraud Unit over suspicious account activity. She was asked to transfer funds to another account to “protect” them but when she did so the money was taken and the scam completed.
On Tuesday, BBC Radio investigators demonstrated two ways to take over a NatWest bank account using the phone. Using social engineering, a fraudster could simply report a victim’s phone lost or stolen, then ask to have their phone number switched to a new SIM card, owned by the criminal. Alternately, the fraudster can simply steal the victim’s phone.
The FBI recently announced a Jamaican lottery scammer has been sentenced to 10 years in prison. According to Special Agent John Gardner, “The Jamaican lottery scammers are like an organized cyber crime group. They are closely knit, highly structured, and have U.S. associates—money mules—who help launder their money.”
Wired: Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid – TDoS attacks are similar to DDoS attacks that send a flood of data to web servers. In this case, the center’s phone systems were flooded with thousands of bogus calls that appeared to come from Moscow, in order to prevent legitimate callers from getting through.
PYMNTS: Apple Pay’s Low-Tech Security Problem – “Fraudsters and hackers are like water: They’re going to take the easiest path to get what they want. Right now, this is that easiest path … There’s no point of even trying to find a vulnerability in EMV because this works so well,” said Pindrop’s David Dewey.
The Telegraph: Thousands of immigrants targeted for cash in phone scam – Immigrants are being targeted by fraudsters posing as Home Office staff who demand money in exchange for allowing them to remain in the UK, it has been claimed. Visa holders have been pressured into handing over thousands of pounds.
eSecurity Planet: 3 Ways to Defeat ‘Microsoft’ and ‘Dell’ Phone Scams – Technological solutions can also make a significant difference. Knieff suggests looking into voice solutions from companies like Pindrop, which can watch out for recognized criminals. Advanced data loss prevention solutions are also worth looking at, Knieff said.
Consumerist: Lawmakers Renew Push To Curb Unwanted Robocalls – Sen. Ed Markey (MA) introduced the HANGUP Act, which would close the robocall loophole. Even though robocalls is one of the few issues that is not currently a partisan issue, the bill has been sitting idle in committee since being introduced.
On The Wire: Bypassing Phone Fingerprint Sensors With an Inkjet Printer – Researchers at Michigan State University have developed a clever hack that allows them to scan and then print a target user’s fingerprint and then use it to unlock a mobile phone via the fingerprint sensor.
This week, Forbes reported on Pindrop’s 2016 RSA session, “The Art of Avoiding Authentication.” Pindrop’s Director of Research, David Dewey, tested how Apple Pay’s call center authentication option could be compromised at major financial institutions.
On Tuesday, American Banker’s Penny Crosman interviewed Pindrop’s CEO, Vijay Balasubramaniyan, on how fraudsters are using the phone channel. Balasubramaniyan pointed out, “If you’re able to detect suspicious IVR activity, you can forewarn banks on average 30 days before account takeover even starts happening. It’s almost like ‘Minority Report.’”
Krebs on Security: Credit Unions Feeling Pinch in Wendy’s Breach – Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers.
Money: IRS System Meant to Protect ID Theft Victims Seems to Have Been Hacked – Knowledge-based authentication (sometimes called KBA), asks taxpayers four multiple-choice questions about their credit history — such as “On which of the following streets have you lived?” And these questions can be easily answered with random guessing.
Speech Technology Magazine: Pindrop Launches IVR Anti-Fraud Solution – Pindrop recently launched IVR Anti-Fraud, which the company says is the first comprehensive call center fraud detection capable of monitoring all customer voice channel interactions. Fraudsters can use IVR systems as their gateway into more extensive fraud.
The Wall Street Journal: Cybersecurity Startups Describe New Fundraising Hurdles – “VCs were much more discerning and they wanted proof that you have a real product that is delivering a strong return on investment to customers,” said Vijay Balasubramaniyan, CEO and co-founder of Pindrop.
On The Wire: Sidestepping Apple Pay Enrollment Authentication – “Authentication through an app is very secure, because if they’re doing it properly they know specifically it’s your device they’re sending the authorization to,” Dewey said. “A phone call is the weakest of these possible options.”
Network World: New products of the week 2.29.2016 – Our roundup of intriguing new products: Pindrop’s IVR Anti-Fraud analyzes multiple layers of information to help identify suspicious callers for live agent calls in contact centers in the financial services, retail, insurance, and government industries.