The fraud schemes that consumers and businesses face every day are the end result of a lot of research, work, and planning on the part of the criminals who perpetrate them. There are a lot of moving pieces in the background that victims never see, and often the schemes involve many intermediate steps before a fraudster ever achieves his goal.
In the case of fraud aimed at financial institutions, the goal is to gather enough knowledge and skills to gain access to a target account by whatever means necessary. That can include an account takeover operation, some social engineering tactics, and other techniques, many of which focus on the call center. The customer service group often is seen as a prime target for fraudsters because of the variety of ways that it can be attacked. In many cases, fraudsters will call financial institutions to try to order duplicate debit or credit cards or checks for a target account, a scheme that is enabled by the weak authentication regimes in place in call centers.
Much of what passes for authentication right now in this setting involves identifying the phone number the caller is using. Fraudsters can spoof numbers as easily as they can Google the answers to the knowledge-based authentication questions that often are the second level of authentication. Once past those low hurdles, an attacker may have the ability to request new cards or other access devices for a victim’s account. This kind of fraud is a major concern for 44 percent of executives at financial institutions, and a critical issue for another 28 percent of those executives, according to data from a report by the Aite Group.
Failing to authenticate a real customer can be a real problem, leading to annoyed customers and potential loss of business if a customer decides to leave. But not identifying fraudsters when they call is a far bigger issue. A fraudster who gets into a bank’s system can have disastrous consequences for the organization. Some fraudsters will gain access to an account, especially a high-value one, and then take no action for weeks or months, waiting to see how the institution reacts and whether they have been detected. Others will move immediately to take advantage of the access and transfer funds to other accounts they control. Either way, the presence of a fraudster in a bank’s infrastructure is a potential nightmare.
The common thread in so many of these fraud operations is their use of the call center as an entry point. It’s the bank door with the weakest defenses, a fact that fraudsters and cybercrime groups know very well. Shoring up the security in the call center could make a major difference in the fraud rate for many of these institutions.
Image: Ann Oro, CC BY license.