If you are like me, the never-ending stories about hackers breaking into businesses don’t even merit a passing glance anymore. We never stop to think about how we are connected to these events.
Recently, LexisNexis was again in the news over data breaches. LexisNexis has some of the most sophisticated security controls in the industry, but what most people miss is the reason it is a target in the first place. An article by Brian Krebs on his KrebsOnSecurity site relayed that an underground group selling stolen personal information had itself been hacked by other hackers, and its database was eventually made public. Besides proving the old adage that “there is no honor among thieves,” the leak revealed that the data had first been harvested by a botnet run by the original group. Tracking the activities of this botnet showed that multiple servers were infected, including servers at LexisNexis.
This brings us to John Q. Public (you and me). LexisNexis and similar services supply the information that financial institutions use for Knowledge Based Authentication, KBA for short. Everyone is familiar with KBA questions: your mother’s maiden name, your address in 1998, and other obscure facts. In most financial institutions this is the only thing that stands between your money and the criminals intent on stealing it. Fraudsters spend a lot of time researching their victims, and spending a few dollars to buy this information on the black market is just part of that research.
“The woman on the phone was asking the applicant, ‘Hey, what is the amount of your last mortgage payment?’, and you could hear the guy on the other line saying hold on a minute… and you could hear him clicking through page after page for the right questions,” [Gartner analyst Avivah] Litan said.
When Pindrop first starts working with a client, we see a regular pattern: well-prepared fraudsters, adept at social engineering, armed with stolen KBA information and often spoofing the account holder’s phone number. They call pretending to be the account holder, the caller ID says it is the account holder, and the caller knows all the information required to effect a transaction. Some even use voice morphing to fool voice detection. It is effective and very profitable for the bad guys.
With Pindrop phone printing technology revealing a lot more information about callers, we can quickly identify fraud tactics such as spoofed ANIs (Automatic Number Identification, the caller ID presented to the call center), distorted voices, and even subtler things like the same person calling again and again, or calling about different accounts. Game over? Hardly. If we know one thing, it’s that bad guys innovate.
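To make the detection idea in the last paragraph concrete, here is an added example (not Pindrop’s code, and not a description of how phone printing works) of the kind of correlation a call center can run over its own call records once each call carries some caller fingerprint. The `fingerprint` field, the two rules, and all call records are constructed assumptions: rule one flags a fingerprint that shows up on more than one account, rule two flags a presented ANI that arrives with a fingerprint different from the one first seen with that number. The point it demonstrates is that calls which pass KBA can still be caught by these signals.

```python
"""Added example: correlating call records by a hypothetical caller fingerprint.

Not Pindrop's code. The fingerprint values, the rules and the sample
calls below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    call_id: str
    account_id: str   # account the caller asked to act on
    claimed_ani: str  # caller ID presented to the call center (spoofable)
    fingerprint: str  # hypothetical device/voice fingerprint from audio analysis
    kba_passed: bool  # caller answered the KBA questions correctly


# Constructed sample data: one legitimate caller (fp-alice) and one caller
# (fp-x) working several accounts with stolen KBA answers and spoofed ANIs.
SAMPLE_CALLS = [
    CallRecord("c1", "acct-1001", "+15550001001", "fp-alice", True),
    CallRecord("c2", "acct-1001", "+15550001001", "fp-alice", True),
    CallRecord("c3", "acct-2002", "+15550002002", "fp-x", True),   # KBA passed, spoofed ANI
    CallRecord("c4", "acct-3003", "+15550003003", "fp-x", True),   # same fingerprint, new account
    CallRecord("c5", "acct-4004", "+15550004004", "fp-x", False),
    CallRecord("c6", "acct-1001", "+15550001001", "fp-y", True),   # Alice's number, other fingerprint
]


def flag_suspicious(calls, max_accounts=1):
    """Return {call_id: [reason, ...]} for calls that trip either rule.

    Calls are processed in list order, which stands in for time order.
    """
    accounts_by_fp = defaultdict(set)
    for call in calls:
        accounts_by_fp[call.fingerprint].add(call.account_id)

    flags = defaultdict(list)
    ani_baseline = {}  # first fingerprint seen with each presented ANI
    for call in calls:
        # Rule 1: one fingerprint acting on several accounts.
        seen = len(accounts_by_fp[call.fingerprint])
        if seen > max_accounts:
            flags[call.call_id].append(
                f"fingerprint {call.fingerprint} seen on {seen} accounts")
        # Rule 2: presented ANI now arriving with a different fingerprint.
        baseline = ani_baseline.setdefault(call.claimed_ani, call.fingerprint)
        if baseline != call.fingerprint:
            flags[call.call_id].append(
                f"ANI {call.claimed_ani} first seen with {baseline}, now {call.fingerprint}")
    return dict(flags)


def kba_passed_but_flagged(calls):
    """Call IDs that KBA alone would have let through but the rules caught."""
    flags = flag_suspicious(calls)
    return [c.call_id for c in calls if c.kba_passed and c.call_id in flags]


if __name__ == "__main__":
    for call_id, reasons in flag_suspicious(SAMPLE_CALLS).items():
        print(call_id, reasons)
    print("passed KBA but flagged:", kba_passed_but_flagged(SAMPLE_CALLS))
```

On the constructed data, calls c3 through c5 are flagged because one fingerprint touches three accounts, and c6 is flagged because Alice’s number arrives with a fingerprint other than the one first seen with it; c1 and c2 stay clean. Three of the flagged calls passed KBA, which is the gap the post describes.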