Thursday, June 04, 2009

Phishing fraud steps up a new level with fake bank IVR & contact centre

I normally focus this blog on Europe, but this story from Australia shows a very alarming new level of fraud. In this case, fraudsters have targeted Commonwealth Bank of Australia customers with a fake IVR and call centre.

The story (the full article is available here) is very worrying. It shows that fraudsters are graduating from e-mail phishing to a far more advanced form of fraud. While the e-mail is still the basic trigger for the fraud, the sophisticated use of VoIP (Voice over IP) and IVR systems is a new development. While most consumers are now aware enough of the risks of fraud to avoid clicking on e-mail links, phone numbers are much more trusted. This fraud relies on customers trusting local dial codes and on their familiarity with entering information into a touchtone IVR system. APCmag describes the fraud as:

"An email sent out on 26th May included a phone number in Brisbane to call to unsuspend blocked Maestro cards, but as of today, the number is disconnected. However, another email received this morning has an 08 area code number that is still in operation. According to ACMA, the number is a GoTalk VoIP number, which anyone could have registered over the web using stolen credit card details. (We've tried contacting GoTalk to notify them of this problem but were not able to immediately reach our regular media contacts.)

We called it, and were alarmed that the computer on the other end recognised the fact that we were keying in bogus numbers — an indication that at a bare minimum, it is doing algorithmic validation of the numbers being entered, and in a worst case scenario is operating a live payment gateway system to immediately siphon funds from accounts."

At the moment, most consumers would see a local phone number and trust that to mean that their call was really going there. Few would understand the potential of Voice over IP to route the call anywhere in the world. Fewer consumers still would understand that an IVR system that answered a phone call and asked for identity verification and card details might not be what it seems.

Like most frauds, this is a clever exploitation of some basic technology, but an exploitation in a brand new way. It may be a one-off, but I suspect it may represent a new development as the fight against e-mail based phishing becomes more successful. To date, security in call centres has been focused on internal threats and social engineering attacks (see my posts "Security, Call Centres and Fraud" and "Call centre worker gaoled for data theft"), but no-one has impersonated a contact centre on this scale before.

In my view, it looks as if the ease with which the IP protocol allowed websites to be impersonated will now become a danger for voice as well.
