The criminals start by acquiring your account information, either by placing keystroke loggers on your desktop or by deploying sniffer programs on the network or by using traditional phishing campaigns, which entice you to volunteer personal data. The criminals then masquerade as the account holder in a call to the customer service representative (CSR) at the targeted financial service institution.
In the past fraud at the ATMs has been relatively out of reach; the criminal might get your account number but not the associated PIN. One call center scam involves calling the CSR to change the PIN on an ATM card. By providing the call center with a name, address, even the 9-digits of a social security number and the targeted account number, the criminal is able to reset a 4-to-6-digit ATM or Credit Card PIN. After burning the stolen account data onto a blank magnetic stripe card, the criminal is then able to use this new PIN at any ATM.
Another way cybercriminals are using the call center is to simply change the contact phone number on an existing account. Most of us may not be accustomed to having banks contact us over the phone, but when there’s a particularly large transaction pending that is atypical most institutions will call or text to confirm. Now the criminals are changing the contact number on record to their own. Then, when the bank calls to confirm, the criminals approve the transfer because the financial institution has called them and not you. But the financial institutions are aware of this scam and have now started calling both the new and the old phone numbers for confirmation.
The criminals, of course, are one step ahead.
In one case, documented by Kim Zetter over at Wired, a doctor’s home, office and cell numbers were jammed with repeated calls. Some were solicitations for sex websites, others pure silence. When customers complain to their telephone carrier , some telephone companies are now warned that there might be a financial crime associated with these calls.
All of these attacks expose weaknesses in the call center’s authentication of account holders. Financial institution call center customer service representatives often rely on the Automatic Number Identification (ANI), a phone number that appears with each incoming call. ANI is unrelated to CallerID, based on billing data, and thus can be captured by a CSR system even if the caller has blocked CallerID. Cybercriminals can and do manipulate ANI, making their call appear to be from anywhere, including the original registered contact phone number for a stolen account.
Challenge-response questions aren’t the answer either. Cybercrminals can search for and often find the answers to many common questions online. For example, the password to Sarah Palin’s Yahoo e-mail account was reset by someone guessing that she met her husband in high school.
Instead, institutions should use more than one type of call center authentication — ANI plus challenge-response questions where the questions are derived from past financial interactions with the customers (“Where was your last ATM transaction?”). Better yet, a mutually agreed upon password. Additionally institutions should automatically enroll account holders a package of security-based e-mail, text, and voice alerts including, but not limited to, changes to the physical address, the addition of a new person to an existing account, changes made to the contact phone number, and changes made to the PIN on an account.
In theory the average account holder should never see these alerts. But when they do hopefully they’ll realize that they’ll need to react and stop the fraud in real time.
Originally published in Forbes.com