Home Depot attack leads to phone channel exploits

Yesterday, Brian Krebs, an investigative reporter/blogger focused on online crime, posted a detailed overview of the Home Depot breach and called out financial institutions for allowing PIN numbers to be changed over the phone when a caller is able to answer 3 out of 5 Knowledge-Based Authentication (KBA) questions:

“Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks.”

This is a problem, because it means that the Home Depot breach (and potentially other earlier breaches) provided enough information for fraudsters to launch account takeover attacks against banks that allow partial KBA. Krebs goes on to highlight that some institutions are looking to move beyond KBA and use technology such as voice biometrics and phoneprinting. Phoneprinting, of course, was developed by Pindrop and is at the core of our Fraud Detection System, which is already protecting some banks against attacks just like these:

“Voice biometric technologies create an index of voice fingerprints both for customers and various fraudsters who conduct VRU fraud, but [Gartner Analyst Avivah] Litan said fraudsters often will use voice synthesizers to defeat this layer of detection. Phone printing profiles good and bad callers alike, building fingerprints based on dozens of call characteristics, including packet loss, dropped frames, noise, call clarity, phone type and a host of other far more geeky concepts (e.g., “quantization,” and “taggers”).”

In addition, Pindrop is forging ahead on the problem of fraudsters in the VRU (also known as Interactive Voice Response or IVR). In fact, Pindrop presented at the Black Hat conference in August on “Exposing fraud activity from reconnaissance to takeover using graph analysis and acoustic anomalies.”

Incidents like the Home Depot breach demonstrate how intertwined phone and online fraud are for enterprises. As we discussed during our presentation at Black Hat last month, phone fraudsters are now deploying tactics similar to those of online hackers: using software to automate their phone calls (similar to how computer programs can automate hacking), using social engineering tactics to manipulate call center employees into believing that they are someone they are not (computer hackers are masters of this – think of the recent brute-force iCloud attempts where passwords were easily guessed), and using distortion techniques to mask the sound of their voice (in a way similar to phishing attacks via email, where attackers pretend to be a trusted friend or business).

Perhaps most importantly, this incident shows how underprotected the phone channel is compared to the online channel. Although phone fraudsters have found ways to exploit these weaknesses in the past, technology is now available to protect the phone channel.