When you think of phone fraudsters, what image comes to mind? For many, it’s a picture of a lone wolf, probably wearing a hoodie, and working out of his mother’s basement.
The reality of phone fraud is quite different. Taking their cue from traditional business models, organized criminals have developed an entire underground economy of fraud. Today’s fraudsters are much more likely to look like this:
This is the new landscape of Phone Fraud as a Service (PFaaS). Modern criminals approach phone fraud with a business framework: they outsource technical work and reconnaissance, build easy-to-manage tools and cloud services, and even run fraudulent call centers for hire. Consider some of the PFaaS techniques currently plaguing the industry:
- Reconnaissance as a Service – Most fraudsters today do not need the technical expertise to hack into a bank or POS system to steal the identities used in fraud attacks. Instead, marketplaces have developed where hackers sell stolen identities directly to would-be fraudsters. Security reporter Brian Krebs writes often about the huge volume of card data for sale in underground “card shops” like Rescator, Lampeduza, and Cheapdumps. Would-be fraudsters simply buy stolen identity information on these sites, then call banks and financial institutions and use it to answer Knowledge-Based Authentication (KBA) questions. Once they are “authenticated,” they can change the PINs associated with cards and take over the account entirely; KBA proves only that the caller possesses the victim’s data, which is exactly what is being sold.
- Fraud Software as a Service – Fraudsters no longer need to build their own technology infrastructure to get started. Easy-to-find tools help the less experienced fraudster along. Popular apps like SpoofCard and SpoofTel let users spoof the ANI and Caller ID information presented to the called party. Other apps facilitate Telephony Denial of Service (TDoS) attacks by letting users blast a phone number with call traffic. In a 2013 white paper, EMC highlighted the iSPOOF Europe app, which lets users blast SMS messages to potential victims, directing them to fraudulent phone numbers while concealing the sender’s true number.
- Call Centers as a Service – Now even small time fraudsters can make use of call centers, with “rent-a-fraudster” type companies operating overseas. Wired.com’s reporter Kim Zetter wrote a detailed piece describing these services when the con men behind Callservice.biz were indicted. According to Zetter, criminals who need to pose as a legitimate account holder on the phone can simply pass along stolen identifying information and indicate the gender and language the victim is supposed to speak. The call center will match the fraudster with an appropriate speaker to pose as the account holder in phone calls with the bank.
Phone Fraud as a Service lowers the barriers to entry for potential fraudsters, allowing just about anyone to launch a fraud attack at little to no cost, and without any technical training or expertise.
The lesson here is that fraudsters should not be underestimated. They are organized and innovative. Banks and financial institutions must continue to strengthen security in the call center, and must stop treating caller-supplied data (KBA answers, Caller ID) as proof of identity, since all of it can be bought or spoofed. Technologies like phoneprinting and voice biometrics, which assess the call and the caller rather than what the caller knows or presents, will help protect call centers from these attacks.
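The account-takeover pattern described under Reconnaissance as a Service (buy stolen data, pass KBA, change the PIN) leaves a trail in call-center records even when the data itself looks legitimate. The following is an added example, not code from the original post and not any vendor's phoneprinting or voice-biometric product: a small detection pass over constructed call records that flags three patterns, a sensitive action from an ANI that is not the number on file, one ANI authenticating to many distinct accounts (the rent-a-fraudster or spoofed-number signature), and a KBA failure followed by a pass and a sensitive action from the same ANI. The record format, field names, thresholds and sample data are all assumptions made for illustration. Because ANI can be spoofed, the first rule is the weakest on its own; the fan-out rule still fires when a spoofing fraudster reuses one number across victims.

```python
"""Call-center account-takeover heuristics over constructed call records.

Added example for illustration, not code from the original post or any
vendor product. Record format, field names, thresholds and sample data
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). One record per inbound call:
# the caller's ANI (caller ID, which can be spoofed), the account claimed,
# whether KBA passed, sensitive actions taken, and the phone number the
# bank has on file for that account.
SAMPLE_CALLS = [
    {"call_id": "c1", "ts": "2014-03-01T09:00:00", "ani": "2025550101",
     "account": "A100", "kba_passed": True, "actions": ["balance_inquiry"],
     "phone_on_file": "2025550101"},
    {"call_id": "c2", "ts": "2014-03-01T09:20:00", "ani": "3125550199",
     "account": "A200", "kba_passed": True, "actions": ["pin_change"],
     "phone_on_file": "7735550123"},
    {"call_id": "c3", "ts": "2014-03-01T09:35:00", "ani": "3125550199",
     "account": "A300", "kba_passed": True,
     "actions": ["pin_change", "address_change"],
     "phone_on_file": "4155550155"},
    {"call_id": "c4", "ts": "2014-03-01T09:50:00", "ani": "3125550199",
     "account": "A400", "kba_passed": False, "actions": [],
     "phone_on_file": "6175550177"},
    {"call_id": "c5", "ts": "2014-03-01T10:05:00", "ani": "3125550199",
     "account": "A400", "kba_passed": True, "actions": ["pin_change"],
     "phone_on_file": "6175550177"},
    {"call_id": "c6", "ts": "2014-03-01T14:00:00", "ani": "9195550188",
     "account": "A500", "kba_passed": True, "actions": ["pin_change"],
     "phone_on_file": "9195550188"},
]

SENSITIVE_ACTIONS = {"pin_change", "address_change", "add_payee"}
FANOUT_THRESHOLD = 3          # assumed: distinct accounts per ANI in WINDOW
WINDOW = timedelta(hours=24)  # assumed lookback window


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def flag_calls(calls):
    """Return {call_id: [reasons]} for calls matching an account-takeover pattern.

    Rule 1: KBA passed, a sensitive action was taken, and the ANI is not the
            number on file. Purchased identity data passes KBA; it does not
            give the fraudster the victim's phone line (but ANI can be spoofed).
    Rule 2: one ANI passes KBA on FANOUT_THRESHOLD or more distinct accounts
            inside WINDOW: a rented call center or a reused spoofed number.
    Rule 3: a KBA failure on an account, then within WINDOW a KBA pass from
            the same ANI followed by a sensitive action: a retry with
            corrected stolen data.
    """
    flags = defaultdict(list)
    calls = sorted(calls, key=_ts)
    by_ani = defaultdict(list)
    for rec in calls:
        by_ani[rec["ani"]].append(rec)

    for rec in calls:
        sensitive = SENSITIVE_ACTIONS.intersection(rec["actions"])
        if rec["kba_passed"] and sensitive and rec["ani"] != rec["phone_on_file"]:
            flags[rec["call_id"]].append("sensitive_action_from_unknown_ani")

        # Rule 2: distinct accounts authenticated from this ANI in the
        # window ending at this call.
        recent = [r for r in by_ani[rec["ani"]]
                  if r["kba_passed"] and _ts(rec) - WINDOW <= _ts(r) <= _ts(rec)]
        if len({r["account"] for r in recent}) >= FANOUT_THRESHOLD:
            flags[rec["call_id"]].append("ani_fanout")

        # Rule 3: earlier KBA failure on the same account from the same ANI.
        if rec["kba_passed"] and sensitive:
            prior_fail = any(
                r["account"] == rec["account"] and not r["kba_passed"]
                and _ts(rec) - WINDOW <= _ts(r) < _ts(rec)
                for r in by_ani[rec["ani"]])
            if prior_fail:
                flags[rec["call_id"]].append("kba_retry_then_sensitive_action")
    return dict(flags)


if __name__ == "__main__":
    for call_id, reasons in sorted(flag_calls(SAMPLE_CALLS).items()):
        print(call_id, ", ".join(reasons))
```

On the sample data, c2 and c3 trip only the unknown-ANI rule, c5 trips all three, and c6 (a PIN change from the number on file) is not flagged. In a real deployment these rules would be one input to a risk score alongside signals that do not depend on caller-supplied data, which is the point the post makes about phoneprinting and voice biometrics.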