Speed Read: How to Hack Biometrics

Hot off the presses, two quick articles to start your week. Both on the subject of hacking biometrics, voice or otherwise. 

  • The Register breaks down how scientists are trying to identify and stop the methods that hackers and fraudsters use to circumvent voice biometric authentication systems. SPOILER ALERT: spoofing plays a major role.


  • A lively debate focusing on the "hackability" of biometrics. It looks like the question isn't if biometrics can be hacked, but how easy it is to do. 


6 Takeaways from the RoboCall StrikeForce

Yesterday, the FCC RoboCall StrikeForce presented their final report, actions, and recommendations. Next Caller Account Executive Tim Prugar sat in on the webcast, and here are his takeaways.

There are few greater pleasures in life than taking a seat in a cozy chair, slipping on some headphones, and watching an hour-long livestream of a government hearing. Yesterday, at 1:00 PM EST, that’s precisely what I got to do. Believe in yourself kids…dreams really do come true.

Before getting to the meat of the presentation, a solid recognition, admiration, and appreciation of the work that the StrikeForce members put in is in order. The StrikeForce was assembled in late July, and over the course of 60 days the committee engaged in over 100 meetings, produced a 47-page report, and rolled out an aggressive timeline for continued action steps. By my estimation, this committee worked at blazing speed, and should be commended for that.

Now, onto my key takeaways:

1. The FCC Has Fantastic Taste in Music

The waiting music the FCC plays on its website before the livestream kicks in? A soft jazz version of Michael Jackson’s “Man in the Mirror”, inarguably one of the greatest songs ever recorded.

2. Both the FCC and Carriers Will Focus on Increasing Consumer Information

One of the largest tangible outputs of the StrikeForce was the launch of a brand new FCC website:

https://www.fcc.gov/stop-unwanted-calls

The site approaches RoboCalls from a perspective of lessening their impact. The site gives consumers information on what RoboCalls are, the legal regulations surrounding telemarketing, remedies that customers can take to protect themselves from RoboCalls, as well as a clearly identified place for lodging complaints.

As technical solutions are much more difficult and costly to build, look for both carriers and government actors to create better-educated consumers, particularly those consumers that fit demographics that are at-risk for phone fraud.

3. VOIP Throws a Wrench in the System

One of the trends that came up multiple times during the report is that any technical solution launched by Carriers to stop RoboCalls and Call Spoofing needs to be able to detect both calls that originate from traditional landlines and internet-based VOIP calls. AT&T stated explicitly that the majority of call spoofing originates through VOIP, so being able to analyze and detect these types of calls is of primary importance. Look for Carriers to heavily invest in R&D or vendor solutions that can analyze landline, mobile, and VOIP calls to detect spoofing…preferably in real time.

4. Info-Sharing and Cooperation Among Carriers is a Must

One of the most celebrated outputs of the StrikeForce was the “Do Not Originate” (DNO) List. The DNO list, as documented here, allows organizations who do not make outbound calls displaying their inbound number (IRS, 911) to petition to have their number blocked by carriers when it displays as the outbound number. The IRS made written DNO Requests for a series of numbers, and reported a 90% reduction in reports of IRS scam calls following the deployment of a DNO.

To be fair, it’s unclear how much of that reduction was due to these raids in India, but it is still an impressive result.

A successful adoption of a national DNO Registry requires cooperation across Carriers. In addition, the StrikeForce made recommendations to increase sharing of information on “bad actors” across networks, effectively creating a “telecommunications profile” of a phone scammer. The committee also suggested creating industry-wide “Call Categories” that will limit false positives when blocking spoofed or potentially fraudulent calls.

5. The Government Has a Tolerance For False Positives

One of the largest concerns for Carriers when cracking down on RoboCalls and Call Spoofing is pretty straightforward: what are the legal and business ramifications for blocking flagged calls that are actually legitimate?

The FCC made it clear that, if Carriers are doing their due diligence and making a good faith effort when blocking calls, the FCC will push for “safe harbor” to protect Carriers from litigation, either criminal or civil.

As Commissioner Rosenworcel stated, “If you need to break things to get this done, just ask.” This was my second favorite quote of hers on the day, finishing slightly behind “I DON’T BELIEVE IN PARTICIPATION TROPHIES.” The FCC should hire Mike Gundy.

6. The Carriers are Expected to Foot the Bill

So it’s easy to agree in theory that RoboCalls and Call Spoofing are bad. It’s even somewhat easy to agree on the technology that’s most effective for stopping said calls. Where things get tricky is identifying how, and who, exactly, will be paying for the R&D, technology, training, and deployment. Luckily, FCC Chairman Tom Wheeler laid out the government’s position pretty clearly:

The Carriers will be expected to foot the bill, as stopping RoboCalls is “the cost of doing business” and falls under the umbrella of supplying a high-quality service.

It will be interesting to see what impact that stance will have on timelines, innovation, and deployment. 

The FCC vs. The Proliferation of Robocalling

By: ShirWan Little

Let’s face it, few things are as annoying as answering the phone and being immediately greeted by a recording trying to lure you into handing over your credit card information. This increasingly common situation is a result of robocalling. Currently, robocalling scams account for over $350 million in financial losses every year in the United States. Moreover, the robocalling scourge has become the most common complaint that the FCC receives from the public. The “Do Not Call List” was created over ten years ago to resolve this very problem. Unfortunately, the Do Not Call list has failed miserably at this goal. Let’s dive into why the DNC List fails to stop these fraudsters, why robocalling has become so popular, and what the FCC is doing to try to stop it.

Do Not Call

At the creation of the “Do Not Call List,” the majority of robocalls were legitimate telemarketers selling real products. Against those calls, the “Do Not Call List” has remained largely effective. However, a lot has changed since the “Do Not Call List” went into effect in the early 2000s, in particular the widespread availability of commercial Voice over Internet Protocol (VoIP) services. The advancement of VoIP technology made international calling and phone spoofing (falsifying caller ID information) very cheap. Consequently, the majority of modern-day robocalls blatantly ignore the “Do Not Call List” in attempts to commit fraud.

Tricking the Caller ID

Today, anyone with a laptop and an Internet connection can flood millions of phones with robocalls from any location in the world. Spoofing is perhaps the most nefarious aspect of this type of fraud; people are more likely to answer phone calls when seemingly legitimate organizations appear on caller ID. Furthermore, caller ID is often used to verify one's identity when accessing bank accounts by phone. For that reason, robocalling scams rely heavily on phone spoofing. For instance, one of the more notable scams entails fraudsters masquerading as IRS officials and demanding immediate payment for overdue taxes. Over the past two years this scam alone has cost taxpayers $31 million.

"Do Not Originate" vs. Do Not Call

In spite of these findings, many in the telecom industry have been hesitant to adopt solutions to stop robocalling, citing concerns that existing alternatives will inadvertently block a portion of legitimate calls. Nonetheless, the FCC has continued to urge these companies to take action. FCC Chairman Tom Wheeler even wrote letters to the chief executives of the largest companies in the telecom industry asking them to produce solutions to reduce robocalls. Currently, all of the notable alternative solutions fall into three distinct methods: a "Do Not Originate" list, authentication/identity validation, and filtering.

The “Do Not Originate” list, basically the opposite of the Do Not Call list, would stop robocalls at the VoIP gateways that connect VoIP calls to the traditional phone system. While VoIP robocalls can be placed from anywhere in the world, all such calls pass through these gateways to enter the traditional circuit-switched phone lines. This list would allow commonly spoofed entities such as the IRS, FBI and banks to register their outbound numbers in a database. Calls presenting those numbers that originate from certain gateways would then raise red flags and most likely be blocked. Additionally, this approach can be implemented without any changes in telephony protocols and does not require the cooperation of other phone carriers. Yet it still is no substitute for authentication.

Authentication and Filtering

Authentication is the most effective way to prevent spoofing. There are a few different ways to implement this method; one of the more promising is through the use of third-party APIs to analyze the metadata of callers. Authentication is crucial to stopping robocallers from impersonating others and to facilitating effective filtration. The main drawback of this method is that it would most likely require the difficult task of gaining the cooperation of the major telecom companies to be successful.

Filtering works by checking each incoming call against a white list of trustworthy phone numbers or a black list of numbers you should reject. Although filtering can be very helpful in reducing robocalling it still has several drawbacks. Most notably, if there is nothing in place to stop spoofing, filtering can be easily circumvented by spoofing a new number.

A Cocktail Approach

In total, the three methods complement each other very well. Each of the methods does its part to reduce robocalling in a different way; if used in combination with one another, these methods could eliminate the current robocalling epidemic. The “Do Not Originate List” eliminates the ability to spoof high-profile numbers like the IRS.  Authentication makes fraudulent calls less likely to pay off by stopping robocallers from impersonating others. Filtering can help block all confirmed fraudsters.
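The "Do Not Originate" gateway check and the whitelist/blacklist filter described above, combined as this section suggests, as an added example that is not part of the original article. All numbers, list contents and the origin labels are constructed placeholders; the last function shows the filtering drawback the text names, namely that spoofing a number on no list slips past a filter that has no spoofing protection in front of it.

```python
# Added illustration (not the article's or any carrier's code) of the three
# methods the article describes. Numbers below are constructed 555 placeholders.

# Constructed DNO registry: numbers whose owners never place outbound calls,
# so a call *presenting* one of them from a VoIP gateway must be spoofed.
DNO_REGISTRY = {"+15551000001", "+15551000002"}

# Constructed subscriber-side filter lists.
WHITELIST = {"+15552000100"}   # trusted numbers, always allowed
BLACKLIST = {"+15553000099"}   # confirmed fraudsters, always rejected


def dno_check(caller_id: str, origin: str) -> str:
    """Gateway-side check: a registered inbound-only number arriving through a
    VoIP gateway cannot be legitimate, so the call is blocked there."""
    if origin == "voip_gateway" and caller_id in DNO_REGISTRY:
        return "block:dno"
    return "pass"


def filter_check(caller_id: str) -> str:
    """Subscriber-side list filter: blacklist wins, then whitelist, else allow."""
    if caller_id in BLACKLIST:
        return "block:blacklist"
    if caller_id in WHITELIST:
        return "allow:whitelist"
    return "allow:unknown"


def screen_call(caller_id: str, origin: str) -> str:
    """Combine the layers in the order the article suggests: DNO at the
    gateway first, then the subscriber's own filter."""
    verdict = dno_check(caller_id, origin)
    if verdict != "pass":
        return verdict
    return filter_check(caller_id)


def spoofing_defeats_filter_alone(blacklisted: str, fresh_number: str) -> bool:
    """The drawback the article names: the same blacklisted caller, after
    spoofing a number that is on no list, is allowed by filtering alone."""
    return (filter_check(blacklisted).startswith("block")
            and filter_check(fresh_number).startswith("allow"))
```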

As Credit Cards Migrate to EMV Chips, Expect an Increase in Phone Fraud

This article originally appeared in the March 2016 issue of the CFCA Communicator.

by: Jeffrey Kirchick (jeff@nextcaller.com) and Tim Prugar (tim@nextcaller.com)

In Steven Kerr’s On the folly of rewarding A, while hoping for B, Kerr points out that change agents often unwittingly undermine their own efforts to solve a problem by rewarding behaviors that run counter to the agents’ ultimate goal. To make his point, Kerr references basketball coaches who espouse the value of teamwork but readily hand out MVP awards and Universities who desire professors who are strong teachers but only hire or promote according to research and publication. The current EMV migration project being undertaken by American credit card companies follows a similar challenge – hoping to eliminate credit card fraud while only addressing the type of fraud that involves the physical card (“Card Present” fraud). In this article we will discuss the specifics of the EMV migration, the lessons we can learn from Europe’s experience with this migration, and the extreme likelihood that the United States will experience a significant surge in “Card Not Present” fraud during and after the migration – specifically, an increase in phone fraud.

The credit card industry is no stranger to the law of unintended consequences. Beyond deterring theft, credit cards offered customers the ability to not have to carry their money around or risk having it lost or stolen. However, with the rise of the credit card also came new challenges: merchants memorizing customers’ credit card numbers, fraudsters sifting through the mail to find newly-issued cards, and even criminals sending applications using other peoples’ information to obtain credit in their name. Criminals have even mastered the art of cloning the magnetic strip from the back of a card or wholesale counterfeiting strips in order to make fraudulent purchases. As all of the members of CFCA know intimately – where there is money to be made, there will be fraud.

These are the exact challenges that the credit card industry is seeking to address through the introduction of EMV chips to cards in the United States. To put it in its simplest terms, the EMV chip is a computer chip that replaces the traditional magnetic stripe used to make a credit card transaction. The main difference, however, is that traditional magnetic stripes never change, while the EMV chip “changes” with every transaction – every time an EMV chip is used it creates a new transaction code, unique to that transaction. This development (hopefully) makes it exceedingly difficult for fraudsters to commit “Card Present” fraud. In fact, it already has. So difficult, in fact, that fraudsters have reverted to more historically profitable techniques of financial fraud. Specifically, phone fraud.
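A simplified model of the contrast just described, added here as an example and not taken from the article: static stripe data is identical on every swipe, so a copy passes the same check the genuine card does, whereas a per-transaction code bound to a counter and the amount is rejected when replayed or altered. This is only an illustration of the principle, not the EMV cryptogram (ARQC) algorithm; the key, PAN and expiry are constructed values.

```python
# Added illustration, not EMV itself: a keyed per-transaction code versus
# static track data. Key, PAN and expiry below are constructed placeholders.
import hmac
import hashlib


class MagstripeCard:
    """Static track data: identical on every swipe, so a copy is as good as the card."""
    def __init__(self, pan: str):
        self.track = f"{pan}=2512"          # constructed PAN + expiry, never changes

    def swipe(self, amount: int) -> dict:
        return {"track": self.track, "amount": amount}


class ChipCard:
    """Per-transaction code: HMAC over PAN, transaction counter and amount, keyed
    with a secret shared only with the issuer."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0  # atc: application transaction counter

    def pay(self, amount: int) -> dict:
        self.atc += 1                                # a fresh counter value each time
        msg = f"{self.pan}|{self.atc}|{amount}".encode()
        code = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "code": code}


class Issuer:
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, {}

    def approve_stripe(self, tx: dict, known_tracks: set) -> bool:
        # All the issuer can check is that the track data matches a card on file;
        # a cloned stripe matches exactly the same way.
        return tx["track"] in known_tracks

    def approve_chip(self, tx: dict) -> bool:
        msg = f"{tx['pan']}|{tx['atc']}|{tx['amount']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["code"]):
            return False                             # wrong key or tampered fields
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False                             # counter not fresh: a replay
        self.last_atc[tx["pan"]] = tx["atc"]
        return True
```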

European credit card companies began large-scale introduction of EMV chips during the 1990s. While this may appear as a technological acceleration on behalf of Europe, it was actually a response to significant legal, cultural, and technological differences between Europe and the United States. At the time of the European introduction, American credit card companies were significantly more advanced and effective in detecting and stopping fraudulent attempts at the point of sale. Furthermore, European companies were expected to take responsibility for covering the cost of credit card fraud in a way that their American counterparts were not – as they say, necessity is the mother of invention. Lastly, the sheer volume of card users in the United States was significantly larger than the population of cardholders in Europe, making for a much more expensive and time-intensive roll-out process.

While the European EMV roll-out led to an immediate and massive reduction in “Card Present” fraud, it also universally led to an increase in phone fraud and other “Card Not Present” techniques. After the roll-out, France, England, and Australia all experienced statistically significant increases in CNP fraud, and Cifas (a European fraud prevention agency) estimated that 36% of internal fraud was taking place through call centers. The image of a balloon works well: by squeezing the “Card Present” fraud side of the balloon, the “Card Not Present” side swelled with fraudsters and criminals looking to commit financial crimes and identity theft via phone fraud.

We have every reason to believe that the United States will experience a similar increase in phone fraud and other “Card Not Present” scams – and financial institutions, telecommunication providers, and health professionals should all be prepared. With the rise of VOIP, it has grown significantly easier to execute telephonic scams through spoof tactics. These scams include, but are not limited to: commercial phishing, swatting, consumer phishing, and outright impersonation/identity theft. Businesses, merchants, and providers can all expect to see a significant increase in non-spoof scams as well, including cramming, subscriber fraud, and PBX hacking.

So where does this bleak picture of the next five years in phone fraud leave us? Namely, that it is never too early to start preparing for what inevitably lies before us. Securing phone systems should be a top priority for Chief Security Officers or any individuals involved in IT Security Infrastructure. The response to these attacks that are growing increasingly technologically-enhanced and automated in nature will not be single-channel. A strong omni-channel approach to preventing phone fraud that includes a combination of state-of-the-art spoof detection technology, biometrics, agent training in social engineering tactics, and predictive analytics to identify irregularities in billing or network usage will all be necessary to combat this coming threat. An ounce of prevention is worth a pound of cure, and well-prepared firms will be equipped to address the challenges that will accompany the EMV migration.