What You Can Expect After the Verizon Breach

By: Tim Prugar

Yesterday, ZDNet broke the story that a data breach at Verizon resulted in the exposure of the names, phone numbers, and PINs for over 14 million Verizon customers. The data was accessed in June after it was discovered to be improperly stored on a server maintained by Nice Systems, an Israel-based company. 

The scope of the damage has yet to be established, but here are some safe bets on what you will see in the wake of this breach:

Explosion of Call Center Fraud at Verizon

Obtaining customer names, phone numbers, and PINs is pretty much the Holy Grail for fraudsters. Having this information allows fraudsters to order new handsets, obtain additional personal information for a secondary attack, set up call forwarding, or engage in number porting. Attacks using this information will almost always center around spoofing, and will most likely look something like this:

1) Fraudster researches the individual who owns the account they wish to breach online or through social media to figure out the answers to Knowledge-Based Authentication Questions.

2) Fraudster spoofs the number of the account they're attacking in order to present a matching ANI to the IVR system or the live agent.

3) Fraudster gives the name they've obtained from the breach to the agent when they reach a live person.

4) Fraudster gives the PIN they obtained through the breach. If there are any Knowledge-Based Authentication questions, Fraudster answers them easily based on their prior research. They're in. The Account Takeover is complete. 

 

Exploitation of Two-Factor Authentication (2FA)

Fraudsters will attack the Verizon Call Center directly - but for most fraudsters this will be the first step in a two-step plan. 

Many banks leverage 2FA to ensure the security of the accounts. 2FA largely relies on mobile devices, leveraging callbacks or SMS messaging to ensure the security of the customer. 

As fraudsters set up call forwarding or port numbers during their primary attack on the Verizon Call Center, they gain the ability to intercept these 2FA callbacks and messages from financial institutions. By successfully navigating this authentication process, fraudsters can attempt to execute wire transfers, open lines of credit, order replacement credit cards, or carry out any number of other nefarious actions. Expect fraudsters to leverage spoofing once again to present as the compromised customer to the financial institution to execute this plan.

 

Increased Attacks on ISPs

We predicted in this post that ISPs would encounter "Hacktivism" and retaliatory breaches in the wake of the Net Neutrality debate. There isn't evidence yet that this breach is a direct result of internet unrest, but ISPs would be wise to batten down the hatches on their cyber and telephony channels. 

 

Tim Prugar is the Director of Customer Success at Next Caller. He can be reached at tim@nextcaller.com.

 

 

Merchants Stand To Lose HOW MUCH to CNP Fraud?

 

By: Tim Prugar

Regular readers of this blog should be no strangers to Next Caller’s stance that the EMV migration has had a significant impact on Card-not-Present (CNP) Fraud in the retail and financial services spaces. The call center channel and eCommerce are the most vulnerable due to the volume of transactions and vulnerability to social engineering. We always knew that the threat was a potentially catastrophic one, but the amount of money at stake may be even greater than anyone realized.

A recent report by Javelin estimates that $71 billion will be lost to CNP Fraud over the course of the next five years. With those staggering numbers in play, it’s even more alarming that so many merchants still insist that the costs of combating fraud are too high to justify. This is false: the majority of real-time fraud solutions are less expensive and less labor intensive than salaried Analysts who perform manual reviews of instances after the fact. Javelin also indicates that in the eCommerce space, address fraud in the form of freight forwarding and Synthetic ID fraud are a particular threat to the industry.

So, in the face of this oncoming tsunami of fraud, what is a merchant or financial institution to do?

 

Prioritize Real-Time

The reason for the growth in CNP Fraud is twofold: one, the difficulty of traditional Card-Present Fraud post EMV migration, and two, the enormous volume of transactions fraudsters can pump through CNP channels. Merchants and Financial Institutions simply do not have the time and resources to hand-review the massive amount of fraud that is coming and will continue to come their way. Visionary organizations will prioritize real-time, first-stage fraud detection systems over second-stage review solutions.

 

Leverage Geographic Intelligence

Businesses know where their fraud is taking place. Why not view those regions with a greater degree of skepticism? Setting up business rules to trigger automated, real-time reviews of orders going to suspicious locations is a must for dynamic fraud teams. According to Javelin, fraud chargeback rates in Brazil jumped from 0.5% of all transactions to 3.5% - with a jump from 1.25% to 2.75% reported during the same period in Mexico. Wouldn’t it make sense to pay a touch more attention to orders going to those locales?

 

Verify Everything

With Synthetic ID fraud on the rise, it serves as the perfect complement to CNP Fraud. It’s not enough anymore to verify that a phone number and/or a postal address are valid. Fraudsters are providing valid information in invalid combinations to circumvent detection systems. Fraud teams, particularly in eCommerce, should not only be validating each order line, but should be verifying that the information has been seen together before – an offering that Next Caller provides.
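The geographic rule from "Leverage Geographic Intelligence" and the seen-together check from this section, combined into one added example (Python; not Next Caller's service or code). The Brazil and Mexico chargeback rates are the figures the post quotes; every other rate, threshold, order and history record is constructed for illustration.

```python
"""Real-time order review rules: geographic risk plus identity-combination verification.

Added example, not Next Caller's code. Brazil/Mexico rates are the post's figures;
all other rates, weights, thresholds, orders and history entries are constructed.
"""
import re
from dataclasses import dataclass

# Fraud chargeback rate by destination country (fraction of transactions).
CHARGEBACK_RATE = {
    "BR": 0.035,   # quoted in the post
    "MX": 0.0275,  # quoted in the post
    "US": 0.004,   # hypothetical baseline
    "CA": 0.005,   # hypothetical
}
GEO_REVIEW_THRESHOLD = 0.02   # hypothetical business rule: destinations above 2% get reviewed
UNKNOWN_COUNTRY_RATE = 0.03   # hypothetical: unknown destinations are treated as high risk

# Hypothetical signal weights; an order is sent to review once its score reaches REVIEW_SCORE.
WEIGHTS = {"geo_risk": 3, "freight_forwarder": 2, "valid_elements_unlinked": 3, "new_identity": 1}
REVIEW_SCORE = 3


def normalize_phone(raw: str) -> str:
    """Keep digits only so '+1 (212) 555-0100' and '12125550100' compare equal."""
    return re.sub(r"\D", "", raw)


def normalize_address(raw: str) -> str:
    """Case- and whitespace-insensitive address key (deliberately simple)."""
    return " ".join(raw.lower().replace(",", " ").split())


@dataclass
class Order:
    order_id: str
    phone: str
    ship_address: str
    ship_country: str
    freight_forwarder: bool = False   # destination is a known freight-forwarding address


class IdentityHistory:
    """Constructed stand-in for a linkage database: which phone/address pairs have
    previously appeared together on orders that did not charge back."""

    def __init__(self):
        self.phones, self.addresses, self.pairs = set(), set(), set()

    def record_good_order(self, phone: str, address: str) -> None:
        p, a = normalize_phone(phone), normalize_address(address)
        self.phones.add(p)
        self.addresses.add(a)
        self.pairs.add((p, a))

    def seen_together(self, phone: str, address: str) -> bool:
        return (normalize_phone(phone), normalize_address(address)) in self.pairs


def evaluate_order(order: Order, history: IdentityHistory) -> dict:
    """Return {'order_id', 'decision', 'score', 'flags'}; decision is 'approve' or 'review'."""
    flags = []
    rate = CHARGEBACK_RATE.get(order.ship_country, UNKNOWN_COUNTRY_RATE)
    if rate > GEO_REVIEW_THRESHOLD:
        flags.append("geo_risk")
    if order.freight_forwarder:
        flags.append("freight_forwarder")
    phone_known = normalize_phone(order.phone) in history.phones
    addr_known = normalize_address(order.ship_address) in history.addresses
    if not history.seen_together(order.phone, order.ship_address):
        # Both elements individually valid but never seen together: the synthetic-ID pattern.
        flags.append("valid_elements_unlinked" if phone_known and addr_known else "new_identity")
    score = sum(WEIGHTS[f] for f in flags)
    decision = "review" if score >= REVIEW_SCORE else "approve"
    return {"order_id": order.order_id, "decision": decision, "score": score, "flags": flags}


if __name__ == "__main__":
    hist = IdentityHistory()
    hist.record_good_order("+1 (212) 555-0100", "12 Main St, Springfield")
    hist.record_good_order("+1 (415) 555-0199", "9 Harbor Rd, Oakland")
    for o in [
        Order("A", "12125550100", "12 main st springfield", "US"),        # known pair: approve
        Order("B", "12125550100", "9 Harbor Rd, Oakland", "US"),           # valid parts, wrong pair: review
        Order("C", "+1 (212) 555-0100", "12 Main St, Springfield", "BR"),  # high-risk destination: review
        Order("D", "718 555 0123", "44 Elm Ave, Boise", "US"),             # brand-new customer: approve
    ]:
        print(evaluate_order(o, hist))
```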

 

Tim Prugar is the Director of Customer Success at Next Caller. He can be reached at tim@nextcaller.com.

Speed Read: How to Hack Biometrics

Hot off the presses, two quick articles to start your week. Both on the subject of hacking biometrics, voice or otherwise. 

  • The Register breaks down how scientists are trying to identify and stop the methods by which hackers and fraudsters circumvent voice biometric authentication systems. SPOILER ALERT: spoofing plays a major role.

 

  • A lively debate focusing on the "hackability" of biometrics. It looks like the question isn't if biometrics can be hacked, but how easy it is to do. 

 


Social Security: Social Media Phishing Attacks Are on the Rise, Here’s How You Can Protect Yourself

While phishing, or the practice of sending emails or making phone calls purporting to be from legitimate companies in an effort to get victims to reveal personal information is nothing new, fraudsters are increasingly turning to new channels to target victims. One such channel is social media.

Recently, a social media attack carried out by Russian hackers was able to infiltrate the computer of a Pentagon official. And it didn’t take much for the hackers to find their way in; a simple link attached to a Twitter post advertising a vacation package was enough. Once the link was clicked, the official’s computer was infected.

In November 2015, the State Department revealed that 7,000 of its employees took the first step toward being compromised by clicking on a link that appeared in their social media feeds.

According to one report, social media phishing attacks increased 500% from the beginning of 2016 to the end of 2016. While that’s a scary statistic, the success rate of these types of attacks may be even more frightening.

Research published by the cybersecurity firm ZeroFOX found that 66% of spear phishing messages sent through social media sites were opened by their intended victims.

The reason for the increase in attacks on social media is rather simple. These attacks are targeting channels where users usually have a high-degree of trust. When you share something to your social network, or see a post from someone else, it’s unlikely that you screen the content for fraud potential.

With the number of attacks on the rise, and the vulnerability that social media channels present making headlines, corporations and government agencies around the world are starting to realize the importance of educating and training staff on the dangers of social media fraud.

However, these attacks aren’t relegated to big organizations. Anyone who uses social media should be aware of the potential threats as well as the steps they can take to make it less likely that they will be hooked in a social media phishing attack.


To help, we’ve put together the following infographic:

Should ISPs Prepare for "Hacktivism" in the Wake of Net Neutrality Vote?

The internet erupted in a collective fury last week as the FCC voted to roll back net neutrality regulations. From the internet commons of Reddit to the New York Times Editorial Page, observers noted with concern, anxiety, or full-blown rage that the policy shift was a threat to the concept of a free and open internet. The popular wrath was directed at two main sources: FCC Chairman Ajit Pai and massive Internet Service Providers (ISPs) who potentially stand to gain from the deregulation. With ISPs squarely in the sights of the internet’s vengeful wrath, the rise of “hacktivism” should give ISPs significant pause about the security threats this policy change can bring to their organizations.

 

What is Hacktivism?

A blend of hacking and activism, hacktivism is the use of security breaches or other cyber attacks to advance a political or social cause. Rather than looking for money, hacktivists are seeking to combat perceived injustices. Examples include an attack on the state of Michigan’s website in the wake of the Flint Water Crisis, the hacking of DNC emails, and even the data breach at Ashley Madison.

 

Why Should Net Neutrality Make ISPs “Productively Paranoid”?

First and foremost, there’s already been an alleged hacktivist attack as a result of the net neutrality vote. The FCC itself has claimed that it suffered multiple distributed denial-of-service (DDoS) attacks that they believe had the goal of shutting down the public commenting system in advance of the net neutrality vote. These tactics are becoming increasingly common as an expression of internet outrage, and ISPs don’t need to look much further than headlines to see the anger that these policy changes have caused:

Comcast and Verizon’s Sneaky Push to Kill Net Neutrality is Just Embarrassing

Comcast and other ISPs celebrate imminent death of net neutrality rules

Verizon Apparently Thinks You’re Stupid 

FCC Buried By Fake and Hate-Filled Comments on Net Neutrality

To sum up: many people are very unhappy.

 

What Can You Do To Protect Yourself From Hacktivist Attacks?

The most important thing to recognize is that attackers focus on vulnerabilities and weaknesses. Any plan to shore up security must identify and secure frequently-overlooked channels.

1. The Phone

Whether it’s PBX, VOIP-based UC systems, or a consumer-facing call center, the phone channel is a prime target for bad actors. ISPs should be certain that PBX/UC systems have secure passwords and that systems are in place to detect suspected breaches. A hacked PBX can run up hundreds of thousands of dollars in long-distance calls in a single weekend, and would be a perfect way for hacktivists to make ISPs feel financial pain for the net neutrality shifts.

ISPs who operate consumer-facing call centers should employ technology that can detect instances of call spoofing or robodialing in real time. Executing a Telephony Denial-of-Service (TDoS) attack by flooding a call center with robocalls is an effective way to completely shut down a call center, like what happened at the Minnesota insurance exchange. ISPs want to be sure to have strong anti-spoofing technology in place to prevent account takeover and protect their customers’ personal data in the event of an attack.

2. Phishing Attacks

The human being is always the weakest link in the fraud chain. From Snapchat to the World Anti-Doping Agency to Google Docs, significant cyber threats can be facilitated by an employee clicking on a link or downloading and opening a file they shouldn’t. It is essential that ISPs exhibit a heightened sense of internal security, and ensure that all employees have received recent training on phishing attacks, social engineering practices, and basic email safety.

3. Third Party Vendors

With the rise of interconnectivity and the Internet of Things, it’s no longer enough to worry about your own security protocols and practices – you must also be rock-solid certain as to the security credentials of your third party vendors. An air conditioning vendor contributed to Target’s data breach, and Lady Gaga’s album was leaked after a collaborator was hacked. How are you being certain that your vendor partners aren’t accidentally putting your business at risk?

3 Lessons Contact Center Leaders Can Learn From WannaCry

By: Tim Prugar

The transnational WannaCry Ransomware Attack exploded across the internet early Friday morning on May 12th, and its aftershocks are still being felt early this week as some machines in Asian markets are being booted up for the first time after the weekend. For the curious, Nicole Perlroth over at the New York Times provides an outstanding overview of the background events leading up to this cyber attack, but the basic facts are relatively simple. A hacker or team of hackers identified a vulnerability in the Server Message Block (SMB) Protocol in Microsoft software, and put together a ransomware attack that spreads through a system’s file-sharing capabilities. The attack would immediately encrypt all of the system’s files, demanding a Bitcoin payment for the decryption and safe release of the pertinent documents. The attack, like many, was unleashed via a simple phishing ploy – an unsuspecting victim downloaded and opened a file they shouldn’t have that contained the malicious software. The rest was a nightmare for the cybersecurity community.

While the WannaCry threat can reasonably be classified as “cyber terrorism”, and patches to protect machines from being infected have already been issued, Information Security Officers should use this incident as an opportunity to pull lessons about protecting all channels from attacks from bad actors. What can fraud experts, CISOs, and Call Center Leaders learn from the WannaCry attacks?

 

1. The Human is the Weakest Link In the Fraud Chain

The methods through which WannaCry spread and replicated may have been automated, but the door for access was opened by a human being. Basic social engineering is at the heart of many of these phishing, smishing, and vishing scams, and the phone is one of the most lucrative channels for manipulating a human being to a desired end. CISOs and Call Center Leaders should be investing heavily in training agents to identify and recognize common social engineering methods and tricks, and should consider exploring technologies that are able to identify in real time calls that have been spoofed or otherwise manipulated. There is a high correlation between ANI Spoofing and phone fraud attempts, so more information allows agents to “trust but verify” with more complete data.

 

2. The Cost of Attacks Goes Beyond Money

The big story of the WannaCry attacks isn’t the absolute value of the money extorted (some reports have it at less than $60,000), but the “collateral damage” losses of disruption to services, man hours lost, and even potential health implications. The WannaCry ransomware didn’t just infect computers in a vacuum – it infected computers at universities, the British National Health System, train stations in Germany, and multi-national corporations based out of France and China. Similarly, when fraud teams do cold “dollars and cents” cost benefit analyses of fraud solutions for the Contact Center, they often look only at their absolute number of fraud losses, and compare that to the cost of the solution. CISOs and Contact Center Leaders should look at the problem holistically: How much time are we losing due to caller authentication? Can we quantify the damage being done to our brand due to fraud and data breaches? Are fraudsters leveraging information stolen at the contact center level to make larger, more costly fraud attacks elsewhere?

 

3. Hackers and Fraudsters Are Very, Very Good At Exploiting Vulnerabilities

Some hackers and fraudsters are organized criminal enterprises; others are impish troublemakers. Either way, these people are experts at identifying weaknesses in security systems and exploiting them for their own gain. Just as the architects of the WannaCry attack masked their malicious software to get a foot in the door, so too do those looking to commit account takeover or identity theft through the Contact Center mask their phone number to minimize the likelihood of detection. By using ANI Spoofing, fraudsters look to mimic the phone number of an existing customer to bypass ANI-matching authentication procedures, or look to mimic a completely random phone number to hide their own identity. Either way, these fraudsters are leveraging spoofing as the main method for their attacks, and any technologies that can detect these spoofing attempts in real time provide an added layer of much-needed security at the Contact Center level.

 

So what can CISOs and Contact Center Leaders do in the wake of the WannaCry attack to ensure that all channels are adequately defended from bad actors?

Security Leaders would be wise to conduct a thorough audit of Contact Center authentication and security protocols to ensure that vulnerabilities and weaknesses in the call flow are identified, isolated, and addressed in a timely fashion. Tools such as blacklists, voice biometrics, and anti-spoof technology are all strong safeguards to keep bad actors out, but they are used best in tandem as a layered solution to provide the highest possible level of Contact Center security.

 

Tim Prugar is Next Caller's Director of Customer Success. He can be reached at tim@nextcaller.com.

6 Takeaways from the RoboCall StrikeForce

Yesterday, the FCC RoboCall StrikeForce presented their final report, actions, and recommendations. Next Caller Account Executive Tim Prugar sat in on the webcast, and here are his takeaways.

There are few greater pleasures in life than taking a seat in a cozy chair, slipping on some headphones, and watching an hour-long livestream of a government hearing. Yesterday, at 1:00 PM EST, that’s precisely what I got to do. Believe in yourself, kids…dreams really do come true.

Before getting to the meat of the presentation, a solid recognition, admiration, and appreciation of the work that the StrikeForce members put in is in order. The StrikeForce was assembled in late July, and over the course of 60 days the committee engaged in over 100 meetings, produced a 47-page report, and rolled out an aggressive timeline for continued action steps. By my estimation, this committee worked at blazing speed, and should be commended for that.

Now, onto my key takeaways:

 

1. The FCC Has Fantastic Taste in Music

The waiting music the FCC plays on its website before the livestream kicks in? A soft jazz version of Michael Jackson’s “Man in the Mirror”, inarguably one of the greatest songs ever recorded.


2. Both the FCC and Carriers Will Focus on Increasing Consumer Information

One of the largest tangible outputs of the StrikeForce was the launch of a brand new FCC website:

https://www.fcc.gov/stop-unwanted-calls

The site approaches RoboCalls from a perspective of lessening their impact. The site gives consumers information on what RoboCalls are, the legal regulations surrounding telemarketing, remedies that customers can take to protect themselves from RoboCalls, as well as a clearly identified place for lodging complaints.

As technical solutions are much more difficult and costly to build, look for both carriers and government actors to create better-educated consumers, particularly those consumers that fit demographics that are at-risk for phone fraud.

 

3. VOIP Throws a Wrench in the System

One of the trends that came up multiple times during the report is that any technical solution to be launched by Carriers to stop RoboCalls and Call Spoofing needs to be able to detect both calls that originate from traditional landlines as well as internet-based VOIP calls. AT&T stated explicitly that the majority of call spoofing originates through VOIP, so being able to analyze and detect these types of calls is of primary importance. Look for Carriers to heavily invest in R&D or vendor solutions that can analyze landline, mobile, and VOIP to detect spoofing…preferably in real time.

 

4. Info-Sharing and Cooperation Among Carriers is a Must

One of the most celebrated outputs of the StrikeForce was the “Do Not Originate” (DNO) List. The DNO list, as documented here, allows organizations who do not make outbound calls displaying their inbound number (IRS, 911) to petition to have their number blocked by carriers when it displays as the outbound number. The IRS made written DNO Requests for a series of numbers, and reported a 90% reduction in reports of IRS scam calls following the deployment of a DNO.

To be fair, it’s unclear how much of that reduction was due to these raids in India, but it is still an impressive result.

A successful adoption of a national DNO Registry requires cooperation across Carriers. In addition, the StrikeForce made recommendations to increase sharing of information on “bad actors” across networks, effectively creating a “telecommunications profile” of a phone scammer. The committee also suggested creating “Call Categories” as an industry that will limit false positives when blocking spoofed or potentially fraudulent calls.

 

5. The Government Has a Tolerance For False Positives

One of the largest concerns for Carriers when cracking down on RoboCalls and Call Spoofing is pretty straightforward: what are the legal and business ramifications for blocking flagged calls that are actually legitimate?

The FCC made it clear that, if Carriers are doing their due diligence and making a good faith effort when blocking calls, the FCC will push for “safe harbor” to protect Carriers from litigation, either criminal or civil.

As Commissioner Rosenworcel stated, “If you need to break things to get this done, just ask.” This was my second favorite quote of hers on the day, finishing slightly behind “I DON’T BELIEVE IN PARTICIPATION TROPHIES.” The FCC should hire Mike Gundy.

 

6. The Carriers are Expected to Foot the Bill

So it’s easy to agree in theory that RoboCalls and Call Spoofing are bad. It’s even somewhat easy to agree on the technology that’s most effective for stopping said calls. Where things get tricky is identifying how, and who, exactly, will be paying for the R&D, technology, training, and deployment. Luckily, FCC Chairman Tom Wheeler laid out the government’s position pretty clearly:

The Carriers will be expected to foot the bill, as stopping RoboCalls is “the cost of doing business” and falls under the umbrella of supplying a high-quality service.

It will be interesting to see what impact that stance will have on timelines, innovation, and deployment. 

The FCC vs. The Proliferation of Robocalling

 

By: ShirWan Little

 

Let’s face it, few things are as annoying as answering the phone and being immediately greeted by a recording trying to lure you into handing over your credit card information. This increasingly common situation is a result of robocalling. Currently, robocalling scams account for over $350 million in financial losses every year in the United States. Moreover, the robocalling scourge has become the most common complaint that the FCC receives from the public. The “Do Not Call List” was created over ten years ago to resolve this very problem. Unfortunately, the Do Not Call list has failed miserably at this goal. Let’s dive into why the DNC List fails to stop these fraudsters, why robocalling has become so popular, and what the FCC is doing to try to stop it.

 

Do Not Call

At the creation of the “Do Not Call List,” the majority of robocalls were legitimate telemarketers selling real products. Against those calls, the “Do Not Call List” has remained largely effective. However, a lot has changed since the “Do Not Call List” went into effect in the early 2000s. In particular, commercial Voice over Internet Protocol (VoIP) services have become widely available. The advancement of VoIP technology made international calling and phone spoofing (falsifying caller ID information) very cheap. Consequently, the majority of modern day robocalls blatantly ignore the “Do Not Call List” in attempts to commit fraud.

 

Tricking the Caller ID

Today, anyone with a laptop and an Internet connection can flood millions of phones with robocalls from any location in the world. Spoofing is perhaps the most nefarious aspect of this type of fraud; people are more likely to answer phone calls when seemingly legitimate organizations appear on caller ID. Furthermore, caller ID is often used to verify one's identity when gaining access to banks. For that reason, robocalling scams rely heavily on phone spoofing. For instance, one of the more notable scams entails fraudsters masquerading as IRS officials and demanding immediate payment for overdue taxes. Over the past two years this scam alone has cost taxpayers $31 million.

 

"Do Not Originate" vs. Do Not Call

In spite of these findings, many in the telecom industry have been hesitant to adopt solutions to stop robocalling, citing concerns that existing alternatives will inadvertently block a portion of legitimate calls. Nonetheless, the FCC has continued to urge these companies to take action. FCC Chairman Tom Wheeler even wrote letters to the chief executives of the largest companies in the telecom industry asking them to produce solutions to reduce robocalls. Currently, all of the notable alternative solutions fall into three distinct methods: a "Do Not Originate" list, authentication/identity validation, and filtering.

 

The “Do Not Originate” list, basically the opposite of the Do Not Call list, would stop robocalls at the VoIP gateways that connect VoIP calls to the traditional phone system. While VoIP robocalls can be placed from anywhere in the world, all such calls pass through these gateways to enter the traditional circuit-switched phone lines. This list would allow commonly spoofed entities such as the IRS, FBI and banks to register their outbound numbers in a database. Calls from those numbers that originate from certain gateways would then raise red flags and most likely be blocked. Additionally, this approach can be implemented without any changes in telephony protocols and does not require the cooperation of other phone carriers. Yet it still is no substitute for authentication.

 

Authentication and Filtering

Authentication is the most effective way to prevent spoofing. There are a few different ways to implement this method; one of the more promising is through the use of third party APIs to analyze the metadata of callers. Authentication is crucial to stopping robocallers from impersonating others and to facilitating effective filtration. The main drawback of this method is that it would most likely require the difficult task of gaining the cooperation of the major telecom companies to be successful.

 

Filtering works by checking each incoming call against a white list of trustworthy phone numbers or a black list of numbers you should reject. Although filtering can be very helpful in reducing robocalling it still has several drawbacks. Most notably, if there is nothing in place to stop spoofing, filtering can be easily circumvented by spoofing a new number.

 

A Cocktail Approach

In total, the three methods complement each other very well. Each of the methods does its part to reduce robocalling in a different way; if used in combination with one another, these methods could eliminate the current robocalling epidemic. The “Do Not Originate List” eliminates the ability to spoof high-profile numbers like the IRS.  Authentication makes fraudulent calls less likely to pay off by stopping robocallers from impersonating others. Filtering can help block all confirmed fraudsters.
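The "Do Not Originate" mechanism and the allow/deny filtering described above, modelled together as one added example (Python; not a carrier's or Next Caller's code). It simplifies DNO to "a registered inbound-only number is blocked unless the call entered through the registrant's own gateway", and every number, gateway name and list entry is constructed for illustration.

```python
"""Layered call screening: a Do Not Originate (DNO) list beside allow/deny filtering.

Added example; not a carrier's or Next Caller's code. The registry, gateway names
and phone numbers below are constructed for illustration.
"""
import re
from dataclasses import dataclass


def normalize_number(raw: str) -> str:
    """Reduce a presented caller ID to E.164-style digits so that '1-800-111-0000',
    '(800) 111 0000' and '+18001110000' compare equal. Assumes North American
    numbers: a 10-digit input gets the '1' country code prepended."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


# Constructed DNO registry: numbers whose owners never place outbound calls showing
# this number (the post cites the IRS and 911 as the kind of registrant), mapped to
# the one gateway the registrant legitimately originates from.
DNO_REGISTRY = {
    normalize_number("800-111-0000"): "registrant-pbx",   # hypothetical tax-agency line
    normalize_number("800-222-0000"): "registrant-pbx",   # hypothetical bank line
}
# Constructed filtering lists for a contact center.
DENY_LIST = {normalize_number("555-000-1111")}   # a confirmed fraudster's number
ALLOW_LIST = {normalize_number("555-000-2222")}  # a known-good customer


@dataclass(frozen=True)
class Call:
    presented_number: str   # caller ID as displayed; may be spoofed
    gateway: str            # VoIP gateway or trunk through which the call entered


def screen_call(call: Call) -> tuple:
    """Return (decision, reason) for one inbound call.

    Order matters: the DNO check runs first because it does not trust the presented
    number at all, only where the call physically entered from. Allow/deny filtering
    runs afterwards and trusts the number as presented, which is exactly the weakness
    the post describes (a spoofed fresh number sails past the deny list)."""
    number = normalize_number(call.presented_number)
    legitimate_gateway = DNO_REGISTRY.get(number)
    if legitimate_gateway is not None and call.gateway != legitimate_gateway:
        return "block", "dno"
    if number in ALLOW_LIST:
        return "allow", "allow list"
    if number in DENY_LIST:
        return "block", "deny list"
    return "allow", "no rule matched"


def screen_batch(calls) -> dict:
    """Tally decisions by reason for a batch of calls (useful when tuning false positives)."""
    tally = {}
    for call in calls:
        key = " / ".join(screen_call(call))
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    sample = [
        Call("(555) 000-1111", "voip-gw-7"),     # known fraudster: deny list catches it
        Call("(555) 000-9999", "voip-gw-7"),     # fresh spoofed number: filtering alone misses it
        Call("800-111-0000", "voip-gw-7"),       # spoofed registrant number via VoIP gateway: DNO blocks it
        Call("800-111-0000", "registrant-pbx"),  # the registrant's real outbound call: allowed
    ]
    for c in sample:
        print(c.presented_number, c.gateway, "->", screen_call(c))
    print(screen_batch(sample))
```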

So Sayeth The Times: 3 Reasons Why Biometric Authentication Should Give You Pause

 

In Tuesday's New York Times, the Room for Debate blog took on concerns surrounding the growing use of biometric authentication in the banking sector. Typically these arguments are more polarizing, with a traditional "A IS GOOD vs. A IS TERRIBLE!" style of debate. But when it came to Biometrics, something interesting happened: both sides agreed that Biometric Authentication is an imperfect, and sometimes deeply flawed, science. They merely disagreed on the implications of that for banking security. 

Look, Biometric Authentication is LIGHT YEARS ahead of static passwords and easily-researchable security questions. It's here to stay. The debate isn't whether or not banks should utilize biometric authentication - the debate is whether these financial behemoths should be relying on biometrics as their sole, or even their main, first-stage fraud solution. To make a football analogy, the Carolina Panthers would never say to their quarterback "Hey, Cam, you're revolutionizing the quarterback position and doing things we never thought possible - we can just rely on you and don't need to have an offensive line, or receivers, or running backs - I'm sure you can do it all and won't fail." No coach would ever say that. Of course not. After all, that's the Chicago Bears' patented offensive strategy. 

Not Funny, Tim.

So let's take a deeper dive into the challenges presented by Biometric Authentication:

1. Just Because It's Biometric Doesn't Mean It's Not Data

Target. Snapchat. Ashley Madison. Data breaches that have exposed the personal information, home addresses, credit card information, or even Social Security Numbers of customers and employees have made front page news on dozens of occasions. As Claire Gartland of the Electronic Privacy Information Center points out, citizens have action steps they can take when this type of information is released. They can cancel cards or apply for new SSNs. But what recourse do people have when biometric information is leaked? The Office of Personnel Management has already admitted that 5.6 million fingerprints were stolen in a recent data breach, and hackers have already shown their ability to replicate fingerprints and iris scans to game security systems. Voice biometrics has similar flaws. If your customer data can be breached, so too can your biometric data (regardless of the encryption or tokenization).  

 

2.  Do Your Customers Trust You?

Just because I'd let my friend hold $100 for me doesn't mean I'd trust him to hold onto my fingerprints and DNA. I've seen enough Law & Order to know better. Biometric authentication brings about very real Orwellian concerns on behalf of consumers. What are you going to do with this information? What assurance do I have that this will only be used for authentication? While James Lewis of the Center for Strategic and International Studies writes these concerns off as "nervous dystopian projections" and "irrational" (ouch!), the comments show a very different perception of this development in technology. 

"I, for one, welcome our new Biometric Overlords!"

3. Impact on Customer Experience

The number one concern for Fraud Analysts is "Catching and Stopping Fraud." However, "Limiting False Positives" and "Ensuring a Seamless Customer Experience" finish a close second and third. Biometric Authentication can have serious impacts on both of those exceedingly important CX metrics. Will MasterCard spring for me to become better looking if my face is consistently judged not to be my actual face? Voice biometrics necessitate 15-30 seconds of analysis at the time of connection on a call, increasing average handle time and also increasing customer frustration at the outset. Biometric authentication also requires certain technologies that can serve as barriers to entry for customers who may not be able to purchase smartphones. Are banks going to be in the business of only offering security to those who can afford it?

So What Now?

While the debate in the Times cast a significant amount of doubt on the viability of Biometric Authentication as the sole solution for banks, we should refrain from throwing out the baby with the bathwater. Biometric Authentication is an enormously promising development in the world of security, but it is a mistake to view this development as a panacea, or as a reliable sole method for thwarting fraudsters. Banks that are looking to increase first-stage fraud prevention at the payment and call center level would be wise to combine known fraudster block lists, Biometric Authentication, and carrier and transaction level metadata to best defend against nefarious attacks and protect their customers' assets...and peace of mind.

By: Tim Prugar (tim@nextcaller.com)

As Credit Cards Migrate to EMV Chips, Expect an Increase in Phone Fraud

This article originally appeared in the March 2016 issue of the CFCA Communicator.

by: Jeffrey Kirchick (jeff@nextcaller.com) and Tim Prugar (tim@nextcaller.com)

In Steven Kerr’s On the folly of rewarding A, while hoping for B, Kerr points out that change agents often unwittingly undermine their own efforts to solve a problem by rewarding behaviors that run counter to their ultimate goal. To make his point, Kerr references basketball coaches who espouse the value of teamwork but readily hand out MVP awards, and universities that want professors who are strong teachers but hire and promote only according to research and publication. The current EMV migration being undertaken by American credit card companies faces a similar challenge: it hopes to eliminate credit card fraud while only addressing the type of fraud that involves the physical card (“Card Present” fraud). In this article we will discuss the specifics of the EMV migration, the lessons we can learn from Europe’s experience with this migration, and the extreme likelihood that the United States will experience a significant surge in “Card Not Present” fraud during and after the migration, specifically an increase in phone fraud.

The credit card industry is no stranger to the law of unintended consequences. Beyond deterring theft, credit cards freed customers from carrying cash around and risking its loss or theft. However, with the rise of the credit card also came new challenges: merchants memorizing customers’ credit card numbers, fraudsters sifting through the mail to find newly-issued cards, and even criminals submitting applications in other people’s names to obtain credit. Criminals have even mastered the art of cloning the magnetic stripe from the back of a card, or counterfeiting stripes wholesale, in order to make fraudulent purchases. As all of the members of CFCA know intimately: where there is money to be made, there will be fraud.

These are the exact challenges that the credit card industry is seeking to address through the introduction of EMV chips to cards in the United States. To put it in its simplest terms, the EMV chip is a computer chip that replaces the traditional magnetic stripe used to make a credit card transaction. The main difference is that the data on a traditional magnetic stripe never changes, while the EMV chip “changes” with every transaction: every time an EMV chip is used it creates a new transaction code, unique to that transaction. This development (hopefully) makes it exceedingly difficult for fraudsters to commit “Card Present” fraud. In fact, it already has. So difficult, in fact, that fraudsters have reverted to more historically profitable techniques of financial fraud. Specifically, phone fraud.
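
The static-stripe versus per-transaction-code contrast above is easier to see in code. The following is an added example, not code from the original article and not the real EMV cryptogram (ARQC) scheme; it is a deliberately simplified model in which the card and issuer share a per-card secret and the card produces an HMAC over a transaction counter, the amount and a terminal-supplied nonce. The PAN, key, track string and nonces are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample values: one card, the secret its issuer holds for it,
# and the static data a magnetic-stripe reader sees on every swipe.
CARD_PAN = "4111111111111111"                 # test PAN, not a real account
CARD_KEY = b"constructed-per-card-secret-key"  # known only to card and issuer
STRIPE_TRACK = "4111111111111111=2912101"      # same bytes every time


def magstripe_authorize(track_data: str) -> bool:
    """Static stripe: whatever reproduces the track bytes is accepted, so a
    skimmed copy is indistinguishable from the genuine card."""
    return track_data == STRIPE_TRACK


@dataclass
class ChipCard:
    """Card side of the simplified model: a secret plus a transaction counter."""
    pan: str
    key: bytes
    atc: int = 0  # application transaction counter, incremented per use

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|".encode() + terminal_nonce
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}


@dataclass
class Issuer:
    """Issuer side: recomputes the MAC and rejects stale counters (replays)."""
    keys: dict
    last_atc: dict = field(default_factory=dict)

    def authorize(self, tx: dict) -> tuple:
        key = self.keys.get(tx["pan"])
        if key is None:
            return False, "unknown card"
        msg = f"{tx['pan']}|{tx['atc']}|{tx['amount']}|".encode() + tx["nonce"]
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["mac"]):
            return False, "bad cryptogram"      # forged or tampered message
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False, "replayed counter"    # a captured code is single-use
        self.last_atc[tx["pan"]] = tx["atc"]
        return True, "approved"


def demo() -> dict:
    """Run the stripe and chip paths side by side and collect the verdicts."""
    issuer = Issuer(keys={CARD_PAN: CARD_KEY})
    card = ChipCard(CARD_PAN, CARD_KEY)
    results = {}
    results["stripe_genuine"] = magstripe_authorize(STRIPE_TRACK)
    results["stripe_clone"] = magstripe_authorize(STRIPE_TRACK[:])  # copy == original
    tx1 = card.generate_cryptogram(2599, b"nonce-1")
    results["chip_genuine"] = issuer.authorize(tx1)
    results["chip_replay"] = issuer.authorize(tx1)                 # same code again
    results["chip_tampered"] = issuer.authorize(dict(tx1, amount=99999))
    results["chip_forged"] = issuer.authorize({**tx1, "atc": tx1["atc"] + 1, "mac": "00" * 32})
    tx2 = card.generate_cryptogram(1200, b"nonce-2")
    results["chip_next"] = issuer.authorize(tx2)                   # fresh counter
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The point the model makes: copying stripe data is enough to be accepted again, whereas a captured chip cryptogram is rejected on replay, any change to the amount invalidates it, and a code cannot be produced at all without the per-card secret. Real EMV derives session keys from the counter and uses issuer scripts and terminal risk management on top of this, but the replay-resistance property is the same.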
European credit card companies began large-scale introduction of EMV chips during the 1990s. While this may appear to be a technological acceleration on Europe’s part, it was actually a response to significant legal, cultural, and technological differences between Europe and the United States. At the time of the European introduction, American credit card companies were significantly more advanced and effective in detecting and stopping fraudulent attempts at the point of sale. Furthermore, European companies were expected to take responsibility for covering the cost of credit card fraud in a way that their American counterparts were not; as they say, necessity is the mother of invention. Lastly, the sheer volume of card users in the United States was significantly larger than the population of cardholders in Europe, making for a much more expensive and time-intensive roll-out process.

While the European EMV roll-out led to an immediate and massive reduction in “Card Present” fraud, it also universally led to an increase in phone fraud and other “Card Not Present” techniques. After the roll-out, France, England, and Australia all experienced statistically significant increases in CNP fraud, and Cifas (a European fraud prevention agency) estimated that 36% of internal fraud was taking place through call centers. The image of a balloon works well: by squeezing the “Card Present” fraud side of the balloon, the “Card Not Present” side swelled with fraudsters and criminals looking to commit financial crimes and identity theft via phone fraud.

We have every reason to believe that the United States will experience a similar increase in phone fraud and other “Card Not Present” scams, and financial institutions, telecommunication providers, and health professionals should all be prepared. With the rise of VoIP, it has grown significantly easier to execute telephone scams through caller ID spoofing. These scams include, but are not limited to: commercial phishing, swatting, consumer phishing, and outright impersonation/identity theft. Businesses, merchants, and providers can all expect to see a significant increase in non-spoof scams as well, including cramming, subscriber fraud, and PBX hacking.

So where does this bleak picture of the next five years in phone fraud leave us? Namely, that it is never too early to start preparing for what inevitably lies before us. Securing phone systems should be a top priority for Chief Security Officers and anyone involved in IT security infrastructure. The response to attacks that are increasingly technology-enhanced and automated will not be single-channel. A strong omni-channel approach to preventing phone fraud, combining state-of-the-art spoof detection technology, biometrics, agent training in social engineering tactics, and predictive analytics that identify irregularities in billing or network usage, will be necessary to combat this coming threat. An ounce of prevention is worth a pound of cure, and well-prepared firms will be equipped to address the challenges that will accompany the EMV migration.

image courtesy of pymnts.com

Disaster Planning: Five Tips To Safeguard Your IT Infrastructure

Contributor:

John Fakhoury is the Founder and CEO of Framework Communications. Framework is a single-source Managed IT and Telecommunication firm that makes technology more user-friendly and approachable for businesses. John is a value-driven technology entrepreneur and he works hard to give back to the community.

What’s the real cost of a long-term power outage, server failure or widespread malware attack? According to a recent EMC survey, the double threat of data loss and downtime sets back businesses more than $1.7 trillion each year. What’s more, 71 percent of IT professionals said they’re “not fully confident in their ability” to get back on track after a disaster-type incident. With IT infrastructure now a critical line-of-business asset, protection and planning are key: Here are five tips to help safeguard your technology platform:

Defining Disaster

First up? Decide what constitutes “disaster.” As noted by Small Business Computing, it’s critical for organizations to understand the threats they face and the impacts of specific loss scenarios on the bottom line. For example, financial-sector companies must be especially wary of mobile malware, while health care agencies face compliance and continuity challenges if servers suddenly fail or cloud providers experience a security breach. Managing disaster risk means developing a plan that describes specific events, ranks their likelihood, and describes their impact. This allows IT staff to design targeted responses and prioritize issues — essential if multiple issues emerge concurrently.

Safety in Three Parts

The next step in disaster planning covers three key aspects of IT safety: Prevention, detection and correction. While many recovery systems focus on the last part of this triad — correction — this forces companies to react in the event of disasters, rather than making allowance for proactive efforts. Start with prevention: This could take the form of surge protectors to eliminate the risk of power spikes or off-site data backups to remove the chance of total data loss. Detection is next. Event monitoring tools can warn IT professionals about possible malware threats and resource consumption issues, while physical tools such as fire alarms reduce the chance of total loss.

Testing, Testing

IT Web offers clarity: “If you don’t test it, then it’s not really a disaster recovery plan.” Too often, companies design complex and redundant DR plans but fail to conduct regular tests. The result? When disaster does occur, the system doesn’t work as intended. Often, failure can be traced to one of two causes: Changes in system configuration that seem incidental or innocuous — such as an update to newer server software — or unexpected interactions that prevent DR processes from executing. Bottom line? Regular, end-to-end testing of disaster recovery plans is critical.

Getting Back Up

It’s not about getting your data backed up. It’s about getting your data back up and running. Many backup services guarantee your data is backed up somehow, somewhere, but don’t help you actually get back up and running. For example, a new server may need to be set up before the data is usable.

How do you get your system back up and restore data access after a disaster? Answering this question means identifying two key components: Recovery time objectives (RTO) and your recovery source. Setting an RTO is critical, since this gives you an acceptable “baseline” — how long could systems be unavailable without compromising your bottom line? Achieving this objective means selecting the right recovery option. For some companies, this is off-site storage that can be mobilized and migrated as needed, while others require the on-demand speed and scalability of a cloud backup provider.

Beyond IT

According to Information Age, it’s also important to think beyond IT and consider other aspects of your DR plan that could impact recovery objectives. These might include emergency contact numbers for water, electricity and gas suppliers to your building, or an up-to-date list of IT staff numbers in the event of a weekend or nighttime emergency. What if the problem isn’t with IT — if a fire or flood cuts off power to your server stack, what’s the game plan and how will services be restored?

Safeguarding your IT infrastructure means creating the best defense for the worst possible outcome. By defining your risks, addressing prevention, detection and backup issues, and devising a regular test schedule that goes beyond IT silos, it’s possible to improve your DR outcome.

Contact Center Phone Fraud and Prevention

by guest blogger Laura Zegar (@laurakzegar)

Phone fraud is rampant in today’s contact centers. Companies are sitting up and paying attention to the advanced techniques that today’s fraudsters use to attack vulnerable contact centers.

Over the past 10-15 years, fraud prevention focused heavily on securing online channels, while contact center phone security took a back seat as customers increasingly turned to the Internet for their transactions. Sophisticated online fraud detection technology was developed to minimize risk. Meanwhile, fraudsters watched as online security tightened and began exploiting security holes in contact center technology, authentication practices and social media sites.

Today, an estimated 90% of fraud incidents include at least one contact center interaction.

Wow.

How does this happen?

Fraudsters employ a host of advanced techniques to commit contact center fraud.

Many pose as customers via “spoofing” by manipulating caller ID to display a customer’s phone number and name to conceal the fraudster’s actual number and identity. Upon calling the contact center, they appear to be the actual customer if the information matches customer records on file. Fraudsters who also successfully authenticate as the customer further avoid detection by presenting no outward indications of fraud when interacting with unsuspecting agents. 

Savvy fraudsters also exploit authentication processes and weak agents. Because many legitimate customers fail authentication, contact centers often view this as a standard transaction. By targeting overly helpful agents who aren’t experienced or sharp enough to spot fraud, fraudsters can use traditional knowledge-based authentication questions to reset the customer’s PIN, create a new one, and take over the customer’s account to complete fraudulent transactions.

Often, fraudsters use social media or other websites to compile enough information to impersonate the customer. By gathering data such as date of birth, social security number, phone number, or other publicly available personal details, the fraudster can complete knowledge-based authentication questions and gain access to the customer’s account. If a customer, for example, publicly posts their date of birth, previous cities lived in, phone number, family member names and a photo and name of their dog across various social media sites, the fraudster can eventually gather enough information to successfully answer knowledge-based questions (e.g., pet’s name) to authenticate as the customer.

Pretty slick.

In response to these increasingly clever techniques, many technologies to thwart contact center fraud have cropped up in recent years.

Anti-spoofing technology sniffs out spoofing attempts by verifying the caller’s geo-location and device type against caller ID and automatic number identification (ANI) information to determine if a fraudster is concealing their identity. The technology can detect if the caller is using a landline, cell phone (including untraceable prepaid phones) or VoIP (Voice over IP) technology such as Skype. Some anti-spoofing technologies also allow customers to place their name, phone number, address and other sensitive information on file across multiple companies using the technology for easier authentication and enhanced anti-spoofing.

If, for example, a fraudster calls from California using a prepaid phone to impersonate a Chicago-based landline customer, anti-spoofing technology will indicate that the caller is not in a Chicago-area geo-location or using a device type consistent with their landline phone number. If the customer’s personal information is on file with the anti-spoofing company, the technology will also determine if the caller’s information does not match.
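
The California/Chicago scenario above, worked through as code. This is an added example and not any vendor's anti-spoofing product or API: it models the carrier-side facts about a presented number (line type and home region) as a small constructed lookup table, models what the network actually observed about the call (origin region and device type) as a second input, and flags every disagreement between the two, plus an optional identity check against a constructed customer profile on file. All numbers, names and regions are constructed sample values.

```python
from dataclasses import dataclass

# Constructed carrier records for presented numbers: what the number *should*
# look like when it genuinely originates the call. Not real subscriber data.
LINE_RECORDS = {
    "+13125550142": {"line_type": "landline", "region": "IL"},        # Chicago landline
    "+13105550199": {"line_type": "prepaid_mobile", "region": "CA"},  # prepaid handset
    "+14155550123": {"line_type": "voip", "region": "CA"},            # VoIP service number
}

# Constructed profile a customer placed on file with the anti-spoofing service.
CUSTOMER_PROFILES = {
    "+13125550142": {"name": "J. Example", "postal_code": "60601"},
}


@dataclass
class CallObservation:
    """What the contact center can see about one inbound call."""
    presented_ani: str      # number the caller presents (may be spoofed)
    origin_region: str      # where the call actually entered the network
    device_type: str        # landline / mobile / prepaid_mobile / voip, as observed
    stated_name: str = ""   # identity details the caller gives the agent/IVR
    stated_postal_code: str = ""


def assess_spoofing(call: CallObservation) -> dict:
    """Compare observed call attributes with the record for the presented number.

    Returns a verdict plus human-readable reasons an agent or analyst can act on.
    A mismatch is evidence of spoofing, not proof: legitimate roaming or call
    forwarding can also trip the geo check, which is why reasons are reported."""
    reasons = []
    record = LINE_RECORDS.get(call.presented_ani)
    if record is None:
        reasons.append("presented number has no carrier record")
    else:
        if record["region"] != call.origin_region:
            reasons.append(
                f"call originates in {call.origin_region} but number is homed in {record['region']}")
        if record["line_type"] != call.device_type:
            reasons.append(
                f"observed device {call.device_type} but number is a {record['line_type']}")

    profile = CUSTOMER_PROFILES.get(call.presented_ani)
    if profile and call.stated_name:
        if (call.stated_name != profile["name"]
                or call.stated_postal_code != profile["postal_code"]):
            reasons.append("stated identity details do not match profile on file")

    return {"suspected_spoof": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # The article's scenario: prepaid phone in California presenting a Chicago landline.
    suspicious = CallObservation("+13125550142", "CA", "prepaid_mobile", "J. Example", "60601")
    genuine = CallObservation("+13125550142", "IL", "landline", "J. Example", "60601")
    for label, obs in (("suspicious", suspicious), ("genuine", genuine)):
        print(label, assess_spoofing(obs))
```

The verdict is deliberately a set of reasons rather than a single boolean so that downstream risk scoring can weight a geo mismatch differently from an identity mismatch, and so an analyst reviewing a flagged call can see which check fired.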

Voice biometrics is another fast-growing technology in the call center world. Instead of using conventional authentication methods (e.g., PIN, password, SSN or knowledge-based authentication questions), the customer simply authenticates with their voice once the company captures their unique voice sample (either passively during a regular customer interaction or actively by providing a specific voice sample). The customer’s voiceprint may include over 40 voice, speech and language characteristics. Some voice biometrics programs can even determine if the caller’s voice is pre-recorded instead of live – a trick fraudsters often use to bypass the technology.

Analytics also play a key role in contact center fraud prevention. Interaction and speech analytics, for example, identify caller speech and language patterns, phrasing and emotion combined with agent desktop events to detect potentially fraudulent interactions. Context analytics also use information gathered by anti-spoofing technology (caller location, ANI, etc.) and Interactive Voice Response (IVR) events to determine the customer’s overall fraud risk.

Additional tools used to assess fraud risk include case management and real-time agent decision tools. Case management solutions may open investigation tickets after an identified fraud attempt and/or flag suspicious interactions for review/playback to proactively manage suspected or confirmed fraud. Real-time agent decision tools identify suspicious transactions and prompt additional knowledge-based authentication based on the assessed level of fraud risk. The agent might also receive instructions to ask the caller other additional questions, notify a supervisor, and/or transfer the call to a fraud department to complete the interaction.

Individually, the above technologies provide significant fraud and risk reduction; used together, they become a powerful anti-fraud strategy to protect contact centers from many common fraud techniques.
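
The "used together" point, and the earlier recommendation to combine known fraudster block lists, biometrics and carrier/transaction metadata, come down to a decision engine that turns several independent signals into one agent instruction. The following is an added example, not code from this post or any product: it takes a block-list hit, an anti-spoofing verdict, a voiceprint score, IVR authentication failures, the requested transaction and recent account changes, sums assumed weights, and maps the total to "proceed", "step_up_kba" or "transfer_to_fraud". The block-listed number, the weights and the thresholds are all constructed assumptions a real deployment would tune from its own case data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed block list: numbers previously tied to confirmed fraud cases.
KNOWN_FRAUD_ANIS = {"+12025550111"}

# Actions that let a caller take over or drain an account; assumed list.
HIGH_RISK_ACTIONS = {"pin_reset", "wire_transfer", "card_replacement", "contact_change"}

# Assumed weights and thresholds; tune against real case outcomes.
W_BLOCKLIST, W_SPOOF, W_NO_VOICEPRINT, W_VOICE_LOW, W_VOICE_MID = 100, 50, 10, 40, 15
W_PER_AUTH_FAILURE, W_HIGH_RISK_ACTION, W_PER_RECENT_CHANGE = 10, 20, 10
T_STEP_UP, T_TRANSFER = 30, 70


@dataclass
class CallSignals:
    """Signals available by the time a call reaches an agent."""
    ani: str
    spoof_suspected: bool             # verdict from an anti-spoofing check
    voice_match: Optional[float]      # 0..1 voiceprint score, None if not enrolled
    failed_auth_attempts: int         # PIN/KBA failures in the IVR on this call
    requested_action: str             # e.g. "balance", "pin_reset", "wire_transfer"
    recent_account_changes: int       # contact/credential changes in the last 7 days


def score_call(s: CallSignals) -> dict:
    """Combine independent signals into a score and an agent instruction."""
    score, reasons = 0, []

    if s.ani in KNOWN_FRAUD_ANIS:
        score += W_BLOCKLIST
        reasons.append("ANI on known-fraud block list")
    if s.spoof_suspected:
        score += W_SPOOF
        reasons.append("anti-spoofing check flagged the call")

    if s.voice_match is None:
        score += W_NO_VOICEPRINT
        reasons.append("no voiceprint enrolled; biometric check unavailable")
    elif s.voice_match < 0.5:
        score += W_VOICE_LOW
        reasons.append(f"voiceprint match low ({s.voice_match:.2f})")
    elif s.voice_match < 0.8:
        score += W_VOICE_MID
        reasons.append(f"voiceprint match inconclusive ({s.voice_match:.2f})")

    if s.failed_auth_attempts:
        score += W_PER_AUTH_FAILURE * min(s.failed_auth_attempts, 3)
        reasons.append(f"{s.failed_auth_attempts} failed authentication attempt(s) in IVR")
    if s.requested_action in HIGH_RISK_ACTIONS:
        score += W_HIGH_RISK_ACTION
        reasons.append(f"high-risk request: {s.requested_action}")
    if s.recent_account_changes:
        score += W_PER_RECENT_CHANGE * min(s.recent_account_changes, 3)
        reasons.append(f"{s.recent_account_changes} recent account change(s)")

    if score >= T_TRANSFER:
        action = "transfer_to_fraud"   # route to the fraud department
    elif score >= T_STEP_UP:
        action = "step_up_kba"         # prompt additional authentication
    else:
        action = "proceed"
    return {"score": score, "action": action, "reasons": reasons}


if __name__ == "__main__":
    calls = {
        "routine":  CallSignals("+13125550142", False, 0.92, 0, "balance", 0),
        "unsure":   CallSignals("+13125550142", False, 0.70, 1, "card_replacement", 0),
        "takeover": CallSignals("+13125550142", True, None, 2, "pin_reset", 1),
    }
    for label, sig in calls.items():
        print(label, score_call(sig))
```

Each reason string is kept so the real-time agent prompt can say why extra questions are being asked and so a case-management ticket opened from a "transfer_to_fraud" outcome carries the evidence. Capping repeated signals (authentication failures, recent changes) keeps a single noisy input from dominating the score.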

Adoption of fraud technology varies by industry. Banks require stringent anti-fraud measures to protect customers’ financial assets, while a utility company or retailer may employ less protection due to reduced risk. 

But regardless of risk, all companies share one common goal when it comes to fraud: Protect both customer and internal company resources.

The following statistics make a startlingly clear case for advanced fraud prevention across industries:

  • Once they become fraud victims, 40% of customers churn (leave a company)
  • Another 40% reduce their overall dollars spent with the company
  • 85% of customers are dissatisfied with traditional authentication processes

Once a customer’s account is compromised, they won’t stick around and risk allowing it to happen a second time. They’ll take their compromised funds or identity to other companies until they find one who protects them. The company’s customer service reputation may falter until their revenue is also seriously compromised. 

As fraud techniques become increasingly sophisticated, so must fraud prevention to stay one step ahead of fraudsters. More safeguards in place mean safer customers and companies.

Bottom line: Anti-fraud technology is a win-win solution for everyone…except fraudsters.

Makes quite the case for prevention, doesn’t it?