In July, cyber security firm Symantec issued a critical report on the flood of Tinder spam bots, which use fake profiles to flirt with users and direct them to adult webcam sites.
In a response, Tinder released a technical update meant to cut down the number of spam profiles. However, recent research at Pindrop Security shows that the update only addresses one vector of the attack, and has not actually slowed the higher-level spam campaign.
As part of our Phone Reputation Service (PRS), Pindrop monitors online phone spam complaints, aggregating data on the phone numbers associated with spam. Researchers use topic modeling algorithms to analyze the complaint comments and identify new and popular phone scams.
In early August, Pindrop’s PRS Topic Modeler picked up signs of a new scam involving Tinder. The data clearly shows that Tinder-related phone spam complaints began to appear immediately following Tinder’s technical update.
The graph above shows the percentage of total phone scam complaints related to Tinder. Pindrop’s Topic Modeler did not find any Tinder-related complaints prior to August 2014. By September, Tinder scams made up 0.31% of total phone scams being tracked, making it the 14th most popular phone scam of the month.
The implication is that Tinder’s technical update did not eliminate the spam bot profiles, but rather only prevented them from sending the spam links through the app. Instead of shutting down the bots, the spammers simply changed their script, asking for victims’ phone numbers and then sending the spam links via text message.
This is a very common phenomenon observed by Pindrop. When the security of the online channel is improved, fraudsters switch to the phone channel, which has historically been under-protected. This lack of security innovation on the phone channel makes the phone a preferred vector for financial attacks.
The Tinder phone spam complaints are yet another example of the connection between cyber crime and phone fraud. Fraudsters today adapt quickly to changing technology and security measures, and are very capable of launching a multi-pronged spam attack – much like their cyber criminal counterparts.
-Raj Bandyopadhyay and Valerie Bradford
Yesterday, Brian Krebs, an investigative reporter/blogger focused on online crime, posted a detailed overview of the Home Depot breach and called out financial institutions for allowing PINs to be changed over the phone when a caller is able to answer 3 out of 5 Knowledge-Based Authentication (KBA) questions:
“Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks.”
This is a problem, because it means that the Home Depot breach (and potentially other earlier breaches) provided enough information for fraudsters to launch account takeover attacks against banks that allow partial KBA. Krebs goes on to highlight that some institutions are looking to move beyond KBA and use technology such as voice biometrics and phoneprinting. Phoneprinting, of course, was developed by Pindrop and is at the core of our Fraud Detection System, which is already protecting some banks against attacks just like these:
“Voice biometric technologies create an index of voice fingerprints both for customers and various fraudsters who conduct VRU fraud, but [Gartner Analyst Avivah] Litan said fraudsters often will use voice synthesizers to defeat this layer of detection. Phone printing profiles good and bad callers alike, building fingerprints based on dozens of call characteristics, including packet loss, dropped frames, noise, call clarity, phone type and a host of other far more geeky concepts (e.g., “quantization,” and “taggers”).”
In addition, Pindrop is forging ahead on the problem of fraudsters in the VRU (also known as Interactive Voice Response or IVR). In fact, Pindrop presented at the Black Hat conference in August on “Exposing fraud activity from reconnaissance to takeover using graph analysis and acoustic anomalies.”
Incidents like the Home Depot breach demonstrate how intertwined phone and online fraud are for enterprises. As we discussed during our presentation at Black Hat last month, phone fraudsters are now deploying tactics similar to those of online hackers: using software to automate their phone calls (much as computer programs automate hacking), using social engineering to manipulate call center employees into believing that they are someone they are not (computer hackers are masters of this – think of the recent brute-force iCloud attempts where passwords were easily guessed), or using distortion techniques to mask the sound of their voice (in a way similar to phishing attacks via email, where attackers pretend to be a trusted friend or business).
Perhaps most importantly, this incident shows how under-protected the phone channel is compared to the online channel. Although phone fraudsters have found ways to exploit these weaknesses in the past, technology is now available to protect the phone channel.
I just finished a series of blog posts asserting that the telephony landscape has changed fundamentally. Unfortunately, evidence abounds.
In the “Demise of POTS: An Internet Engineer’s Perspective” article, which appeared this week in the Internet Engineering Task Force Journal, Henning Schulzrinne, Columbia University Professor and current Chief Technology Officer of the U.S. Federal Communications Commission, talks about the challenges the Internet community must address as telephony becomes IP-based like the Internet. In particular, he talks about the need for security and reliability in VoIP technology because of the high level of trust people expect from telephony.
Telephony is going the Internet way, but are we seeing many attacks that target this channel? Unfortunately, the answer is yes. A recent Los Angeles Times story describes telephony attacks that sound very familiar to people in the Internet security area: criminals demanding extortion money after denial-of-service attacks that targeted the telephone service of a hospital emergency room, with Caller ID spoofing among the tactics used. Sound familiar? Stories like this provide evidence that the benefits of telephony and Internet convergence will come with serious security challenges.
Telephony going the Internet way is the title of this series of blog posts. In this concluding post on this topic, let us revisit the reasons for this title. First, it is about the changing underlying technology. With technologies like VoIP, we are increasingly using IP networks for transporting voice the same way the Internet uses these networks for moving data. More importantly, we see the same kind of security threats emerging for telephony that have been around for a while on the Internet/web channel (impersonation, social engineering etc.).
We have had more experience with securing the web channel, and one thing experts will tell you is that it is an arms race. We come up with certain defenses and cyber criminals find a way around them. A multi-layered approach that relies on multiple complementary defensive techniques has become the mainstay of Internet security. For example, you deploy your firewall and intrusion detection system and still keep your anti-virus. It is quite likely that we will see the same kind of strategy evolve for protecting the phone channel in the coming year.
Phone fingerprints and voice biometrics can offer a multi-layered solution because they reinforce each other. Phone fingerprinting relies on source and channel features that are more difficult for an adversary to manipulate. On the other hand, voice biometrics can provide improved accuracy when good quality audio from the call source is available. As the threat landscape shifts, we need to focus on combining the features both techniques have to offer to get an effective authentication solution for the phone channel.
Also, there will be other kinds of evidence that will be helpful in raising the security bar. For example, phone number reputation (like IP address and DNS reputation in the web world) could provide additional intelligence to determine which phone fingerprint or speaker features would be most effective. As the sophistication of attacks on the telephony channel increases in the future, organizations that opt for multi-layered solutions will be in a better position to securely authenticate requests coming into their call centers.
There is little debate in the community that we will need stronger authentication for requests coming into a call center. Speech research has yielded results and can be put to work to authenticate the caller at the other end of a conversation. We need to combine them with a variety of other techniques, including phone fingerprints, to plug the vulnerabilities that can be exploited to reduce the effectiveness of voice biometrics. Furthermore, the solutions we will develop will need to integrate easily with complex infrastructure that already exists in the call center environment.
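To make the multi-layered idea concrete, here is an added example (not Pindrop’s code, and not a description of how its product scores calls) of a decision step that fuses three layers: a speaker-verification score, a phone-fingerprint match score and a phone-number reputation class. The voice layer is weighted more heavily as audio quality (SNR) improves, reflecting the point above that voice biometrics are most accurate on good audio, and the reputation class sets how much combined evidence is required before a caller is authenticated without further checks. The score inputs, SNR breakpoints and thresholds are all hypothetical assumptions for illustration.

```python
from dataclasses import dataclass


# Hypothetical per-call signals; the two scores are assumed to come from an upstream
# speaker-verification engine and a phone-fingerprint matcher, each normalised to 0..1.
@dataclass
class CallSignals:
    voice_score: float        # speaker-verification similarity to the enrolled voice, 0..1
    fingerprint_score: float  # phone-fingerprint similarity to the enrolled device/path, 0..1
    snr_db: float             # signal-to-noise ratio of the call audio, in dB
    number_reputation: str    # "good", "unknown" or "bad" from a phone-number reputation feed


def voice_weight(snr_db: float) -> float:
    """Weight given to the voice biometric, rising with audio quality.

    Voice biometrics are most accurate on clean audio, so at or below 10 dB the
    voice score carries little weight (0.2) and at 30 dB or better it is weighted
    equally with the phone fingerprint (0.5), with a linear ramp in between.
    The breakpoints are illustrative assumptions, not calibrated values.
    """
    if snr_db <= 10.0:
        return 0.2
    if snr_db >= 30.0:
        return 0.5
    return 0.2 + 0.3 * (snr_db - 10.0) / 20.0


def fused_score(sig: CallSignals) -> float:
    """Weighted combination of the two layers; the fingerprint takes the remaining weight."""
    w_voice = voice_weight(sig.snr_db)
    return w_voice * sig.voice_score + (1.0 - w_voice) * sig.fingerprint_score


# Number reputation sets how much evidence is demanded: (authenticate at, step up at).
# A caller from a number with a bad reputation needs near-perfect agreement from
# both layers to pass without extra verification. Values are illustrative.
THRESHOLDS = {
    "good": (0.75, 0.50),
    "unknown": (0.85, 0.60),
    "bad": (0.95, 0.80),
}


def decide(sig: CallSignals) -> str:
    """Return 'authenticate', 'step_up' (route to additional verification) or 'reject'."""
    if sig.number_reputation not in THRESHOLDS:
        raise ValueError(f"unknown reputation class: {sig.number_reputation!r}")
    auth_at, step_up_at = THRESHOLDS[sig.number_reputation]
    score = fused_score(sig)
    if score >= auth_at:
        return "authenticate"
    if score >= step_up_at:
        return "step_up"
    return "reject"


if __name__ == "__main__":
    # Constructed scenarios: a clean call from the enrolled device; a high voice
    # match on noisy audio from an unrecognised device (the profile of a replayed
    # or converted voice); and a matching caller on a number with bad reputation.
    for sig in (
        CallSignals(0.90, 0.90, 35.0, "good"),
        CallSignals(0.95, 0.30, 5.0, "unknown"),
        CallSignals(0.90, 0.90, 35.0, "bad"),
    ):
        print(sig, "->", decide(sig), round(fused_score(sig), 3))
```

The second scenario is the one the layering is for: a voice that matches well but arrives over poor audio from a device and path that do not match the enrolled caller ends up rejected, because the fingerprint layer dominates when the voice layer is least reliable.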
And beyond the call center, some of these techniques will be useful to improve security for end-users. This is currently a need and, as the call center becomes better protected and attackers shift to even more attacks against consumers, it will be a requirement. Fortunately, this will contribute to a “virtuous circle”, with all participants in the phone channel sharing information and protection.
In summary, it is critical that we start with a security mindset as we work to deal with the challenge of securing the telephony channel. Solution providers who ignore the fact that threats over the phone channel will continue to grow in sophistication, the same way as on the web channel, will find their products fare poorly in real-world settings. At Pindrop, we started with a security mindset and we are building our phone fingerprint based solutions to work alongside voice biometrics to proactively address the threats that will come over this channel.
Last week we discussed a number of requirements for phone authentication solutions. Ideally, we want both high accuracy and strong security. This means low false negatives and false positives even in the presence of threats that will likely target voice biometric solutions. For example, we do not want an adversary to be able to impersonate us by capturing our voice from an answering machine or other recording and then automatically generating a similar voice using a voice conversion technique. Phone fingerprinting, the focus of this week, has emerged as a solution to such threats.
The Georgia Tech Information Security Center is a top academic research center in the information security field, and one of its goals is to launch forward-looking research projects that will help address new and emerging security threats. In this context, we launched a project to explore the security of VoIP technology with initial support from Tom Noonan, then CEO of Internet Security Systems (now part of IBM), and Fran Dramis, CIO of BellSouth (which was soon acquired by AT&T). Vijay Balasubramaniyan was the first PhD student to work on this project, and he soon realized that call metadata such as caller ID can easily be spoofed in VoIP calls. He set out to explore how one could determine the source or provenance of a telephone call more securely.
Vijay focused on artifacts in the call audio, using them to form a “fingerprint”. Because of his strong security background, he was clearly interested in features for the fingerprint that are robust and not easy to manipulate for an adversary. He was surprised to find he could achieve a level of precision well beyond what he expected. He was able to determine a location to the precision of an area the size of France. He was able to determine the originating calling device type, either landline, cell phone or a specific VoIP provider (Google Voice, Skype, etc.). And he was able to form a precise enough signature to use it for authentication. This fingerprint formed the core of Pindrop Security’s technology. More technically inclined readers can find details in a research paper that Vijay published in ACM CCS, one of the top security conferences.
So what makes a Pindrop phone fingerprint robust against various threats? First, it relies on analysis of the call audio to create a fingerprint that includes over 140 features. These include features which depend on the source of the call and the path that the call audio takes from the source to the call center. The fact that the method of delivering the call creates the artifacts is critical to why Pindrop technology is extremely hard to spoof. You can manipulate the input by altering the call audio. You can even try to manipulate the path, which is a lot harder. But the signal will still contain artifacts of the origin and the originating device.
As opposed to voice printing, phone fingerprinting contains inherent anomaly detection capabilities. By determining location and type, you can identify malicious activity such as Caller ID spoofing as well as merely suspicious activity such as a high-risk call origination location or a high-risk service provider (otherwise known as bad phone neighborhoods). Any of these things can tip you off to a suspicious caller the very first time they call, as opposed to a system that only matches a “bad” signature to a caller after they have been identified as “bad” by some other process, usually a detected fraud. This can eliminate months of unfettered access by a bad guy.
The phone fingerprint also provides lots of information on the adversary and opens up doors to fight back. Phone fingerprints can reveal that multiple callers are calling from the same source and location. In a recent initial customer evaluation, we immediately identified 27 fraud rings preying on the customer by using different caller IDs but the same facility to make calls. The bank had previously identified some of the attackers, but many were unknown and none had been linked. This becomes even more powerful when information is shared across our customer network.
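The two detection ideas in the last two paragraphs, flagging a Caller-ID whose area code disagrees with where the audio path says the call came from, and linking calls that present different Caller-IDs but share one source, can be shown with a few lines of grouping logic. The following is an added example written for this page; it is not Pindrop’s code and it does not compute a real phone fingerprint. The `Fingerprint` record here is a hypothetical stand-in with four coarse features that such a system might infer, the area-code table is constructed for the example rather than a real NANP lookup, and the call records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed area-code -> region table for the example; not a real NANP lookup.
AREA_CODE_REGION = {"404": "US-GA", "212": "US-NY", "310": "US-CA"}


@dataclass(frozen=True)
class Fingerprint:
    """Simplified stand-in for a phone fingerprint: coarse features inferred from call audio."""
    device: str         # "landline", "mobile" or "voip"
    provider: str       # carrier or VoIP service inferred from codec/path artifacts
    region: str         # coarse origin location inferred from path artifacts
    noise_profile: str  # bucketed packet-loss/noise characteristics of the path


@dataclass
class Call:
    call_id: str
    caller_id: str          # Caller-ID as presented, which may be spoofed
    fingerprint: Fingerprint


def claimed_region(caller_id: str) -> Optional[str]:
    """Region the presented Caller-ID claims, from its area code (None if unparseable or unknown)."""
    digits = "".join(ch for ch in caller_id if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return AREA_CODE_REGION.get(digits[:3])


def spoofing_indicators(calls: Iterable[Call]) -> List[str]:
    """Calls whose Caller-ID points to a different region than the audio path does.

    This is a first-call signal: it needs no prior fraud report on the caller.
    """
    flagged = []
    for call in calls:
        claimed = claimed_region(call.caller_id)
        if claimed is not None and claimed != call.fingerprint.region:
            flagged.append(call.call_id)
    return flagged


def link_rings(calls: Iterable[Call], min_distinct_ids: int = 3) -> Dict[Fingerprint, List[str]]:
    """Group calls by fingerprint and report sources that rotate through many Caller-IDs."""
    ids_by_source: Dict[Fingerprint, Set[str]] = defaultdict(set)
    for call in calls:
        ids_by_source[call.fingerprint].add(call.caller_id)
    return {fp: sorted(ids) for fp, ids in ids_by_source.items() if len(ids) >= min_distinct_ids}


# Constructed sample: two legitimate callers on their own devices, and one VoIP
# source in the US-NY region presenting four different Caller-IDs.
LEGIT_GA = Fingerprint("mobile", "CarrierA", "US-GA", "low")
LEGIT_CA = Fingerprint("landline", "CarrierB", "US-CA", "low")
RING = Fingerprint("voip", "VoIPProviderX", "US-NY", "lossy")

SAMPLE_CALLS = [
    Call("c1", "+1 404 555 0101", LEGIT_GA),
    Call("c2", "+1 404 555 0101", LEGIT_GA),
    Call("c3", "+1 404 555 0199", RING),   # claims Georgia, audio path says New York
    Call("c4", "+1 310 555 0122", RING),   # claims California
    Call("c5", "+1 212 555 0133", RING),   # claim and path agree, so no mismatch flag
    Call("c6", "+1 404 555 0177", RING),
    Call("c7", "+1 310 555 0144", LEGIT_CA),
]

if __name__ == "__main__":
    print("Caller-ID/region mismatches:", spoofing_indicators(SAMPLE_CALLS))
    for fp, ids in link_rings(SAMPLE_CALLS).items():
        print("Linked source", fp, "used Caller-IDs", ids)
```

Note that call `c5` is not flagged by the mismatch check on its own, yet the linking step still ties it to the same source as the three flagged calls; that is the point of the paragraph above, that source-level linking catches callers that a per-call check or a per-number blacklist would miss.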
In the security business, we need to use every tool we have in our arsenal to deal with what the adversary will send our way. Next week we will discuss how voice biometric and phone fingerprint technologies can even work synergistically to better secure the phone channel.
Voice biometrics, where characteristics of a speaker’s voice are used to authenticate him or her, is a recent development from the long history of speech research. Although researchers have worked on areas ranging from speech recognition to speech synthesis, the aspects most relevant to authentication are speaker identification and speaker verification (see a 2009 paper by Campbell et al. for details).
Speaker identification (SI) deals with the problem of identifying the speaker from a given set based on an audio sample of the speaker. This becomes very difficult very quickly when the number of records increases above several hundred.
In contrast, speaker verification (SV) has the simpler task of verifying the claimed identity of a speaker from his or her voice. Thus, voice authentication is really focused on the SV problem. Since several companies are now offering voice based authentication solutions (see Voice Biometrics Conference in San Francisco in early May 2013), let us dig deeper into the issues surrounding voice biometrics.
Voice authentication is attractive for several reasons. The voice signal can be captured naturally, transported over a long distance and presented as a remote service where authentication needs to be done. We make a call and talk to a call center agent anyway when we need to complete a transaction over the telephone, making our voice available to the call center without having to do anything other than talking.
Of course, as with any authentication method, we have to ask two questions. The first is how often will it reject a legitimate voice? For instance, will the method falsely reject me because my voice is hoarse or because I am calling from a noisy public place? This is the false rejection (FR) or false negative problem. Equally important is how often it will accept the wrong voice. For instance, can someone else mimic my voice or use a recording? This is the false acceptance (FA) or false positive problem. FR leads to user annoyance and either rejects a legitimate customer outright or falls back to knowledge-based authentication questions, adding cost and customer dissatisfaction. FA is more serious because it leads to incorrect authentication and a security compromise.
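The two questions above are usually answered by measuring a speaker-verification system on labelled trials. The example below is added for this page (it is not code from the original post or from any vendor): given constructed similarity scores for genuine callers and for impostors, it computes the false rejection and false acceptance rates at a chosen accept threshold, finds the equal-error-rate operating point, and shows what FR cost a call center pays if it insists on a given FA ceiling. The scores are hypothetical sample data; the 0.60 genuine score stands for the hoarse caller in a noisy place, and the 0.75 impostor score for a recording or converted voice that happens to score well.

```python
from typing import List, Tuple

# Constructed verification scores (0..1, higher = more similar to the enrolled voice).
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.70, 0.82, 0.60, 0.93, 0.86, 0.79, 0.90]
IMPOSTOR_SCORES = [0.20, 0.35, 0.55, 0.62, 0.41, 0.30, 0.75, 0.28, 0.50, 0.45]


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (false rejection rate, false acceptance rate) when scores >= threshold are accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a threshold; return (threshold, FRR, FAR) where the two are closest.

    The EER is the usual single-number summary of a biometric system, but it is
    not where a security-sensitive deployment should operate (see below).
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


def threshold_for_max_far(genuine: List[float], impostor: List[float], max_far: float) -> Tuple[float, float]:
    """Lowest observed threshold whose FAR does not exceed max_far; returns (threshold, FRR paid for it).

    The highest observed score always yields FAR 0, so a non-negative max_far is always met.
    """
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    print("at 0.80: FRR, FAR =", error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, 0.80))
    print("EER point (threshold, FRR, FAR) =", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0 costs (threshold, FRR) =", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On this sample the EER sits at a threshold of 0.70 with 10% of each error, while driving FA to zero requires a threshold of 0.79 and rejects 20% of genuine callers, who then fall back to KBA. That trade-off is why the post treats FA and FR as separate questions rather than one accuracy figure.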
How likely is it that this will occur? While we are pretty comfortable believing that no one else can produce our fingerprint (another common biometric), criminals can easily get hold of our voice print. For example, check out this video to see how a caller was able to talk someone into providing a voiceprint that could be used to access his account.
More concerning is recent research that has explored voice conversion attacks where we can automatically convert the voice of one speaker to make it appear like someone else to a speaker verification system. Also, speaker verification research has only explored the problem at a much smaller scale with hundreds or thousands of users. In the context of call centers, we are potentially dealing with millions of callers. Do we have enough “entropy” (measure of hardness of guessing someone else’s voiceprint) in human voice at this scale? This is a question that still needs to be answered.
Since voice based authentication is a security function, we need to carefully examine the threat model for it and its robustness to various kinds of attacks. We will talk next week about how to address the robustness challenge.
In Caller-ID Spoofing we discussed how difficult it is to verify a caller. Why does that matter? Because banks are losing millions of dollars in fraudulent telephony transactions every day from callers impersonating legitimate callers.
Fraudsters are routinely spoofing caller-id and other call metadata. The problem is so common that when you make a call to transfer funds from your account, the call agent at the other end does not even rely on the Caller-ID to authenticate you. Instead, the agent is going to ask you several questions to establish it is really you on the call. This is called knowledge-based authentication or KBA.
This can work several ways. For some organizations, the questions are answers you have previously provided. In other words, you have previously supplied your mother’s maiden name and you are asked to repeat it. Unfortunately, such questions are not very effective for secure authentication. Researchers published the results of a study almost five years ago demonstrating the problems with such security questions. Cyber criminals can either guess answers to questions easily or worse, they know what we know anyway.
More recently, third parties known as data aggregators are selling information about you (old address, year an account was opened, mortgage amount etc.) back to the banks. Such information is used to craft questions for which answers are hard to guess or know if you are not the correct user. Unfortunately, this has created a new set of problems. First, you are more likely to be unable to recall the information required to answer the questions; in fact, Avivah Litan at Gartner reported that Gartner clients estimated failure rates for this type of KBA at 10%-15% for legitimate customers. Worse, the data aggregators, which comprise a very tempting target, have been compromised, allowing attackers to gain even more information to use to social engineer their way into your accounts.
Even when KBA works and bad guys are caught not knowing the answer, they frequently are allowed to proceed. Why? Because they skillfully argue that they are legitimate and the contact center representative, with customer service being the top concern, allows the transaction to complete. Clearly, we need a better solution than KBA to secure transactions over the telephony channel.
Next we’ll discuss how we address the weaknesses of KBA.
All of us need to be vigilant and safeguard our financial lives against social engineering and other attacks that have grown in frequency and sophistication over time. One key part of staying safe is that we guard our account-related identities. Authentication is the process of proving to our bank, credit card provider or other holder of our accounts, who we are. Obviously, only you should be able to do this to access your account and no one else should be able to convince the bank that they are you. That’s the theory. Butler Lampson, a well-known computer scientist and security expert, includes authentication as one of the three pillars of the gold standard of computer security (other ones being authorization and audit). Clearly, we need to get authentication right to secure our online lives.
The reality is not so neat. Since authentication has received much attention in the context of the web channel (did you choose hard-to-guess passwords?), we now face attacks on the less-protected telephony channel. In the past, the telephony system was trusted. People assumed that a Caller-ID did really tell who was calling you. Banks even allowed you to activate your credit card just by calling from your registered phone. A top executive at a major telecommunications company once told me that the major difference between telephony and web channels was that the former is trusted while the latter will never be. Unfortunately, this is no longer true. In fact, cyber criminals are exploiting the past trustworthiness of the telephony channel to their advantage. They are using it as an entry point for compromising online services by requesting password resets for accounts over the phone to undermine web authentication.
The rapid change in the telephony ecosystem, driven by technological advances and deregulation, has led to a point where it has become extremely hard to figure out who really is calling us on the phone. There are readily available tools for spoofing Caller-ID (and the related ANI). New technologies like VoIP have made it possible to craft Internet-style attacks over the telephone. Robocalling can deliver fraudulent messages to your voice mail like email spam in your inbox at almost no cost. With Caller-ID spoofing, you do not know if it really is your bank at the other end of the call. Also, when someone calls your bank’s customer contact center, the agent handling the call can no longer assume that it is you because the Caller-ID is your phone number. Because of the rapidly growing problem of telephony fraud, the FTC even hosted a summit in October 2012 to discuss the threats that can come over the traditionally trusted telephony channel. In addition, the FTC organized an innovation challenge with a $50K award to develop novel solutions to protect citizens against fraud coming over the telephony channel.
So what can we do about authentication over the telephony channel to combat phone fraud? Stay tuned.