Monday, July 27, 2009

Man in the middle fraud in call centres

Never one to post only on up-to-the-minute stories, the blog was quite interested in the Finextra report a fortnight ago on "man in the middle" fraud in call centres; I just haven't had a chance to write on it until now.

Traditionally, man in the middle fraud has been associated more with the web channel than with the telephone channel (see for example "Man-in-the-middle phishing kits circulating freely on the Web" or "ABN Amro compensates victims of 'man-in-the-middle' phishing attack" from Finextra), so it's interesting to see the attack appear in the telephone channel. It's also interesting that the attack described by Finextra is very low tech compared with the programming knowledge required for the phishing attacks. The telephone version of man in the middle is described as,

"....where a fraudster calls the victim claiming to work for their bank, warning that their account may have been breached or compromised. The criminal then puts the customer on hold and calls their bank, connecting the two while remaining on the line.

The bank then requests authentication information, such as social security number, passwords and other personal information. Once the personal information is provided, the fraudster quickly ends the conference line and informs the customer that the issue has been resolved.

Meanwhile, with the personal information gathered during the call, the fraudster can take over the customer's phone banking relationship and transfer money out of their accounts."

The interesting thing for me is that, for this type of attack to succeed, the bank's process has to be weak in a quite specific way. The attack depends on the bank's authentication process (a) requiring the customer to give up all of their authentication data on every call, so that whatever the fraudster overhears once can be replayed in full on a later call, and (b) not requiring a second level of authentication (something single-use, or delivered out of band) that a record of one conversation doesn't supply. Most banks I've worked with probably wouldn't be caught by this kind of fraud, so I'm interested to see that there are banks out there that still lag so far behind.
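To make the two weaknesses concrete, here is a small simulation I've added for this post (it is not code from Finextra, the bank concerned, or the original report). It models a phone-banking identity check with a constructed passphrase and a fraudster who bridges one genuine call and writes down everything spoken. The "full" scheme asks for the whole passphrase every call; the "partial" scheme asks for three randomly chosen character positions, in the style of the memorable-data checks many banks use. The function then counts how many future challenges the fraudster could answer on their own, and a second function shows why a single-use code defeats the later replay even when the fraudster hears it. All names, the passphrase and the seed are my own assumptions.

```python
import itertools
import random
import secrets


class PhoneBankingAuth:
    """Simulated telephone-banking identity check (constructed for this example)."""

    def __init__(self, passphrase, positions_per_call=3, seed=2009):
        self.passphrase = passphrase
        self.positions_per_call = positions_per_call
        self.rng = random.Random(seed)   # seeded so the example is reproducible
        self.used_codes = set()

    def challenge(self, scheme):
        """Return the passphrase positions the agent asks the caller to read out."""
        n = len(self.passphrase)
        if scheme == "full":
            return tuple(range(n))       # weakness (a): the whole secret, every call
        if scheme == "partial":
            return tuple(sorted(self.rng.sample(range(n), self.positions_per_call)))
        raise ValueError(scheme)

    def all_challenges(self, scheme):
        """Every challenge the bank could possibly issue under the scheme."""
        n = len(self.passphrase)
        if scheme == "full":
            return [tuple(range(n))]
        return list(itertools.combinations(range(n), self.positions_per_call))

    def verify(self, positions, answers):
        return len(answers) == len(positions) and all(
            self.passphrase[p] == a for p, a in zip(positions, answers))

    def issue_one_time_code(self):
        """Second level (b): a single-use code sent out of band, modelled as a random token."""
        return secrets.token_hex(3)

    def redeem_one_time_code(self, code):
        if code in self.used_codes:
            return False                 # already spent: a replay
        self.used_codes.add(code)
        return True


class Eavesdropper:
    """Fraudster who bridges victim and bank and records everything that is said."""

    def __init__(self):
        self.known = {}                  # position -> character overheard
        self.heard_codes = []

    def listen(self, positions, answers, code=None):
        self.known.update(zip(positions, answers))
        if code is not None:
            self.heard_codes.append(code)

    def can_answer(self, positions):
        return all(p in self.known for p in positions)

    def answer(self, positions):
        return tuple(self.known[p] for p in positions)


def replay_exposure(scheme, passphrase="correcthorse", positions_per_call=3):
    """Bridge one genuine call, then count future challenges the fraudster could answer alone.

    Returns (captured_positions, answerable_challenges, total_challenges).
    """
    bank = PhoneBankingAuth(passphrase, positions_per_call)
    mitm = Eavesdropper()
    positions = bank.challenge(scheme)
    answers = tuple(passphrase[p] for p in positions)   # genuine customer reads them out
    assert bank.verify(positions, answers)
    mitm.listen(positions, answers)                     # fraudster is still on the line
    future = bank.all_challenges(scheme)
    answerable = sum(1 for c in future
                     if mitm.can_answer(c) and bank.verify(c, mitm.answer(c)))
    return len(mitm.known), answerable, len(future)


def one_time_code_replay(passphrase="correcthorse"):
    """Even a full passphrase capture does not help when a single-use second factor is required."""
    bank = PhoneBankingAuth(passphrase)
    mitm = Eavesdropper()
    code = bank.issue_one_time_code()
    mitm.listen((), (), code)                           # fraudster hears the code too
    genuine_ok = bank.redeem_one_time_code(code)        # customer uses it on this call
    replay_ok = bank.redeem_one_time_code(mitm.heard_codes[0])  # fraudster tries it later
    return genuine_ok, replay_ok


if __name__ == "__main__":
    print("full   :", replay_exposure("full"))     # every future call answerable
    print("partial:", replay_exposure("partial"))  # one of 220 possible challenges
    print("one-time code:", one_time_code_replay())
```

With a twelve-character passphrase the "full" scheme hands the fraudster the entire secret and every future call; the "partial" scheme leaves them holding three characters and able to answer exactly one of the 220 challenges the bank might issue next time. The caveat is that the partial check only limits what a passive listener takes away for later; it does nothing against a fraudster who relays answers in real time during the bridged call, which is why the single-use second level matters as well.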

It's far less sophisticated than some of the attacks I've seen recently, where fraudsters have built fake IVRs to impersonate the bank and used VoIP diversion to fool customers into thinking they are calling a local number (see posts like "Contact Centre impersonation arrives in the UK"), and probably far less likely to succeed. Similarly, targeted social engineering attacks are also more likely to succeed, as these tend to rely on bypassing security procedures rather than attacking them head on.

I would argue that deception based attacks built on identity impersonation (such as the one on Barclays discussed in the post "Security, Call Centres and Fraud") are where the real threat remains, and I'm not convinced that the man in the middle approach is where it lies. My suspicion is that combinations of phishing and contact centre impersonation will remain the fastest growing threat for some years to come.
