Mar 6 – The Week in Phone Fraud

TWIPF2This week in phone fraud, fraudsters exploit Apple Pay authentication and the IRS phone scammers leave threatening voicemails.

On Monday, the Guardian broke the story of how fraudsters are taking advantage of an authentication loophole in Apple Pay. Reporter Tracy Kitten of Bank Info Security explained that the problem is linked not to a compromise of the mobile device’s security, but to lax authentication practices used by the banking institutions to verify cards that are loaded to the iPhone. According to a report on American Banker, Apple does provide issuers with information to help them decide whether to validate a new user, but it is up to the bank to decide how to verify new users.

On Thursday, CBS Moneywatch and KGW News published reports citing Pindrop’s research into the IRS phone scam. Fraudsters are now leaving threatening voicemails, claiming they work for the IRS. This strategy means victims self-select. Only those who believe the message is real will call back, and the fraudsters only need to talk to the victims most likely to pay. Pindrop posted a recording of one of this voicemails on our blog earlier this week.


Full Breakdown of This Week’s Fraud News

FTC Blog: Consumers told it to the FTC: Top 10 complaints for 2014 – Imposter scams — where con artists impersonate government officials or others — moved into third place on the list of consumer complaints, entering the top three complaint categories for the first time. The increase was led by complaints about IRS.

Defense One: ‘Jihadi John’ and the Future of the Biometrics Terror Hunt – Voice recognition played a key role in the identification of Jihadi John. The FBI’s biometric center site lists voice recognition as one of its key modalities, but fingerprints and more traditional biometric signatures make up a bulk of the records it manages.

Fox 8: Scammers threaten to kill loved ones – Officials told WSOC that scammers are calling people and threatening to kill their loved ones if they don’t give up the money. They said a couple in Cleveland contacted deputies, claiming they’d received a disturbing phone call on their cell phone.

Daily Mail: Data thieves raid TalkTalk customers’ bank accounts: Thousands at mercy of fraudsters after phone numbers were stolen – The 61-year-old HR expert was fooled by ‘extremely slick and believable’ fraudsters who claimed to be from a TalkTalk fraud department probing computer hacking.

FTC Blog: The Grate Pretenders – Imposter scams play on your emotions. The scammers work hard to make you believe that you’ve won something or you have an unexpected problem. Here are the top ten imposter scams you told us about last year.

Pindrop Blog: Meet Pindrop at March Info Sec Events – At Pindrop, we’re working hard to get the word out about phone fraud in the call center and how we can help you fight back. We’ll be speaking and exhibiting at several upcoming events this spring. Drop by our booth, come talk to us at either presentation.

PYMNTS: Why B2B Startups Flourish in Atlanta – While the world’s eyes are often on Silicon Valley for the latest innovations and most groundbreaking startups, one unexpected city is emerging in the US as the new startup capital, with breeding grounds perfect for new B2B companies: Atlanta.

Aurora Sentinel: Colorado bill to address SWAT pranks rejected – Senate Democratic Leader Morgan Carroll argued that false reporting has been a problem as old as the telephone, and that any breach of Safe2Tell anonymity endangers the whole reporting system. “That it’s anonymous is the whole premise,” Carroll said.

InfoSecurity Magazine: TalkTalk Data Breach Exposes Customers to Phone Scams – Thousands of TalkTalk customers have been potentially exposed to telephone-based fraud scams after hackers managed to access personal details via one of the telco’s contracted third parties. The number of customers affected was in the “small thousands.”

The Guardian: Apple Pay: a new frontier for scammers – The crooks have not broken the secure encryption around Apple Pay’s wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to “provision” the victim’s card on the phone to use it to buy goods.

Bank Info Security: Apple Pay: Fraudsters Exploit Authentication – The industry is learning more about it, and Apple is learning, too. “Before, with a card-present transaction, you had to counterfeit the card on a mag-stripe; now with Apple Pay, this is different. You don’t need the mag-stripe to put a card on your iPhone.

Pindrop Blog: Cybersecurity Trends in Government at SINET ITSEF – Fraud in the call center is a significant problem for government agencies. The IRS itself estimates that it is losing $5 billion a year to fraudsters. The full cost of a single swatting attack can run into the tens of thousands of dollars.

Georgia Tech VentureLab: Pindrop Security raises $35M – The Pindrop story starts with Vijay Balasubramaniyan, a graduate student in the College of Computing. His thesis advisor was Mustaque Ahamad, then the director of the GT Information Security Center. He filed an invention disclosure with GTRC.

PYMNTS: Why Voice Biometrics Could Be the Next Game-Changer in Authentication – Billion dollar companies lose 3% or more a year to mobile fraud. Many have resorted to frequent creation of passwords to stop these losses – but that just isn’t cutting it. Biometrics introduce a new paradigm in user authentication.

Pindrop Blog: Did the IRS Leave you a Voicemail? – In this years version of the scam fraudsters are relying on auto-dialers, robocalling, and voice mail messages to hit as many taxpayers as possible. Pindrop has obtained a recording of one of these fraudulent voice mails.

Contact Solutions: Fraud Reality Check: Phone Fraud as a Service – Modern criminals are approaching phone fraud with a business framework, outsourcing technical work and reconnaissance, creating easy to manage tools and cloud services, and even creating fraudulent call centers for hire.

Pindrop Security: Pindrop Security Announces Collaboration with FTC on Robocall Contest to Combat Illegal Automated Calls – Pindrop today announced that it is providing data and analytics to the FTC on contests to combat phone fraud which challenge the public to develop a system for better tackling illegal automated phone calls.

Network World: FTC targets group that made billions of robocalls – The Federal Trade Commission today said they have settled charges against a Florida-based cruise line company and seven other companies that averaged 12 million to 15 million illegal sales calls a day between October 2011 through July 2012.

The Star: To buy a cellphone, Pakistan wants you fingerprints – In one of world’s largest efforts to collect biometric information, Pakistan has ordered cellphone users to verify their identities through fingerprints for a national database being compiled to curb terrorism. If they don’t, their service will be shut off.

Ars Technica: Tech support scammer threatened to kill man when scam call backfired – Dulisse found the threats “chilling, but hard to take seriously,” CBC reported. “He was still trying to get me to do what he was trying to do with my computer,” Dulisse told CBC. “He was actually threatening me as a tactic.”

Information Age: As the threat landscape changes, so too must approaches to security – Only through a collaborative approach, and ensuring that security measures are deployed across the business, will organisations be able to ensure their security policies accurately reflect the ever evolving and dynamic nature of cyber security.

Pindrop Blog: Are Anti-Fraud Measures Putting Taxpayers at Risk? – Ohio says these quizzes have helped the state intercept thousands of fraudulent returns seeking to steal more than $270 million in refunds last year. While those efforts are to be applauded, are these quizzes putting some taxpayers at an even higher fraud risk? IRS phone scams target thousands, including KGW reporter – They can hide their source phone number, making it look like anywhere in the world, said David Dewey, Director of Research at Pindrop Security. The Atlanta-based security firm has been tracking the IRS phone scam.

CBS Moneywatch: A message from the “IRS” you shouldn’t return – In the latest twist in this scam, the crooks leave voice mail messages. The anti-fraud firm Pindrop Security explained the move is an act of efficiency. Those messages do the work for them. If someone calls back it’s an indication that they believe the call could be real.

Opus Research: VC’s Make $35 Million Vote of Confidence in Pindrop Securities – Pindrop and its investors recognize the growing value of low risk/high value calls that are made possible by recognizing the value of taking both voiceprints and phoneprints as factors to identify the value of a call, as well as the probability of significant fraud.

Huffington Post: Do Not Robocall Me: The FTC Strikes Back – One reason that robocalls continue to proliferate (even though most robocalls have been illegal since 2009) is that technological advancements have made it easy for marketers to make massive numbers of calls cheaply, while keeping their identities hidden.

American Banker: Is Apple Pay a Fraud Magnet? Only if Banks Drop the Ball – Apple does provide issuers with information to help them decide whether to validate a new user, noted Avivah Litan of Gartner. It provides the device name, current location, and whether or not the customer has a long history of transactions within iTunes.

Pindrop Blog: Pindrop is a finalist in the 2015 CardNotPresent Awards – Pindrop is honored to be named as a finalist in the 2015 CardNotPresent (CNP) Awards! We are in good company. The CNP Awards recognize the very best service and technology providers offering the most exceptional solutions in the payments industry.