New Phone Hacking Fraud Attack at British Retail Bank

10 July 2009

Actimize today warns banks and banking customers of a new attack vector – Man-in-the-Phone (MitP).

MitP blends new and old fraud techniques to trick banking customers into authorizing transactions via the phone channel. MitP builds on the successes realized from Man-in-the-Browser (MitB) attacks, in which criminals use Trojans to infect a user’s Internet browser to “modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application.” [i] MitP also leverages ‘social engineering’, which in this case is the act of using trickery or deception during a phone conversation to convince an individual to divulge information.

In a typical MitP attack, a fraudster impersonating a bank representative calls the banking customer and claims that the customer’s savings, checking or card account may have been breached or compromised. The fraudster advises the customer that, to remedy the situation, they should stay on the line and verify a few account details. At the same time, the fraudster calls the customer’s bank and conferences the customer through to a real bank representative while remaining muted on the line. The bank requests authentication information, such as social security number, passwords and other personal information, which the customer provides. Once the personal information has been given, the fraudster quickly ends the conference call and tells the customer that the issue has been resolved. With the personal information gathered during the call, the fraudster can then take over the customer’s phone banking relationship and transfer money out of the customer’s accounts.

For consumers – Actimize recommends that banking customers never share account or personal information with anyone who calls and requests to ‘verify’ banking credentials. Customers should always tell such callers that they will call the bank to provide such information, using the bank’s phone number listed on the back of an ATM, debit or credit card. While this sounds obvious, many consumers do not take this simple precaution.

For banks – Actimize recommends banks combine cross-channel behaviour profiling and anomaly detection technologies with better call center processes and training. Call center employees should be trained to listen more closely and to ask who originated the call. Attacks may be thwarted or losses minimized if bank employees ask simple (but random instead of static) security questions at various points in the phone conversation when confirming personal credentials. Fraudsters are less likely to trick customers into sharing answers to several security questions.
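To make the bank-side recommendation concrete, the following Python script is an added example and not Actimize code: it streams a constructed cross-channel event log (web, ATM and phone events for one customer), builds a behaviour profile from each customer’s past transfers, and scores every new transfer against that profile, adding a cross-channel reason when a phone-channel transfer follows a call the customer says the bank initiated, which is the MitP signature described above. The event schema, the one-hour linking window, the amount multiplier, the alert threshold and the security-question list are all assumptions chosen for illustration; `pick_questions` shows the “random instead of static” question selection.

```python
"""Cross-channel anomaly scoring for phone-channel transfers (added example).

The event schema, thresholds, weights and question list are assumptions
made for this illustration, not a description of any vendor's product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import random

# Constructed sample events for one customer, oldest first. The transfers
# before 2009-07-10 form the behaviour baseline; the last three model a
# Man-in-the-Phone session: an inbound call the customer says the "bank"
# started, a passed credential check on that call, then a large phone-channel
# transfer to a payee the customer has never used.
EVENTS = [
    {"customer": "C1", "ts": "2009-06-01T10:00", "channel": "web",   "type": "transfer", "payee": "landlord", "amount": 800},
    {"customer": "C1", "ts": "2009-06-15T09:30", "channel": "web",   "type": "transfer", "payee": "landlord", "amount": 800},
    {"customer": "C1", "ts": "2009-06-20T12:00", "channel": "atm",   "type": "withdrawal", "amount": 100},
    {"customer": "C1", "ts": "2009-07-01T10:05", "channel": "web",   "type": "transfer", "payee": "utility",  "amount": 120},
    {"customer": "C1", "ts": "2009-07-10T14:00", "channel": "phone", "type": "call", "customer_originated": False},
    {"customer": "C1", "ts": "2009-07-10T14:03", "channel": "phone", "type": "credential_check", "result": "pass"},
    {"customer": "C1", "ts": "2009-07-10T14:20", "channel": "phone", "type": "transfer", "payee": "mule_acct", "amount": 4500},
]

WINDOW = timedelta(hours=1)   # assumed: link a transfer to calls within the last hour
AMOUNT_FACTOR = 3             # assumed: flag amounts above 3x the customer's past maximum
ALERT_THRESHOLD = 3           # assumed: number of reasons at which an analyst is alerted

# Assumed question pool; a real deployment would hold per-customer answers.
SECURITY_QUESTIONS = ["mother's maiden name", "first school", "memorable date",
                      "first pet", "town of birth"]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def new_profile():
    return {"channels": set(), "payees": set(), "max_amount": 0}


def score_transfer(e, profile, recent_calls):
    """Return (score, reasons) for one transfer against the customer's baseline."""
    reasons = []
    if e["channel"] not in profile["channels"]:
        reasons.append("first transfer on channel %s" % e["channel"])
    if e["payee"] not in profile["payees"]:
        reasons.append("new payee")
    if profile["max_amount"] and e["amount"] > AMOUNT_FACTOR * profile["max_amount"]:
        reasons.append("amount exceeds %dx historical max" % AMOUNT_FACTOR)
    # Cross-channel link: a transfer shortly after a call that the customer
    # did not originate is the pattern described in the text above.
    for call in recent_calls:
        if (parse(e["ts"]) - parse(call["ts"]) <= WINDOW
                and not call.get("customer_originated", True)):
            reasons.append("follows a call the customer says the bank initiated")
            break
    return len(reasons), reasons


def detect(events):
    """Stream events in time order; alert on transfers scoring >= ALERT_THRESHOLD."""
    profiles = defaultdict(new_profile)
    calls = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda x: parse(x["ts"])):
        cust = e["customer"]
        if e["type"] == "call":
            calls[cust].append(e)
        elif e["type"] == "transfer":
            score, reasons = score_transfer(e, profiles[cust], calls[cust])
            if score >= ALERT_THRESHOLD:
                alerts.append({"customer": cust, "ts": e["ts"], "amount": e["amount"],
                               "score": score, "reasons": reasons})
            # Update the baseline only after scoring, so an event never vouches for itself.
            p = profiles[cust]
            p["channels"].add(e["channel"])
            p["payees"].add(e["payee"])
            p["max_amount"] = max(p["max_amount"], e["amount"])
    return alerts


def pick_questions(k=2, rng=random.SystemRandom()):
    """Choose k distinct questions per call at random ("random instead of static"),
    so a caller who rehearsed one fixed question set cannot predict the check."""
    return rng.sample(SECURITY_QUESTIONS, k)


if __name__ == "__main__":
    for a in detect(EVENTS):
        print("ALERT", a["customer"], a["ts"], a["amount"], a["reasons"])
    print("questions for this call:", pick_questions())
```

Run stand-alone, the script raises one alert for the 4,500 phone transfer with four reasons (new channel, new payee, amount well above the customer’s history, and the link to a bank-initiated call) while the routine web transfers score below the threshold; the per-call question sample changes each run.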

“As consumers shift more financial transactions to secure online arenas, fraudsters have become more creative in utilizing traditional telephones,” said James Van Dyke, president and founder of Javelin Strategy & Research. “Access through mail and telephone transactions grew from 3 percent of ID theft in 2006 to 40 percent in 2007 [ii] and fraudsters are getting creative and leveraging new techniques to commit fraud, so consumers need to be as diligent as ever in protecting their personal information.”

“We help many of the largest retail banks, investment banks and brokerage firms protect themselves and their clients from all types of cross-channel fraud attacks,” says Paul Henninger, director of fraud solutions at Actimize. “With our unique perspective into the operations of financial institutions around the world, we can spot trends as they occur. We’ve noticed an accelerating trend in Man-in-the-Phone attacks. We hope that by publicizing this new trend, we can help reduce its impact on individuals and our banking clients.”

Actimize is uniquely positioned to detect contact center fraud attacks. The company provides real-time cross-channel fraud prevention for many of the world’s banks across phone, IVR, Web, mobile, ATM, debit and other channels. Its parent company, NICE Systems, is the industry-leading provider of recording, monitoring and analytics solutions for managing interactions, security and compliance at enterprises, contact centres, trading floors, branches and back offices.
