20 September 2014

Alex Noble - Cisco

Phishing at a new level with a fake bank contact centre

04 June 2009

I normally focus the blog on Europe, but this story from Australia shows a very alarming new level of fraud. In this case fraudsters have targeted Commonwealth Bank of Australia customers with a fake IVR and call centre.

The story (fully available at APCmag.com) is very worrying. It shows that fraudsters are graduating from e-mail phishing to a far more advanced form of fraud. While e-mail is still the basic trigger for the fraud, the sophisticated use of VoIP (Voice over IP) and IVR systems is a new development. While most consumers now know enough about the risks of fraud to avoid clicking on e-mail links, phone numbers are much more trusted. This fraud relies on customers trusting local dial codes and on their familiarity with entering information into a touchtone IVR system. APCmag describes the fraud as:

"An email sent out on 26th May included a phone number in Brisbane to call to unsuspend blocked Maestro cards, but as of today, the number is disconnected. However, another email received this morning has an 08 area code number that is still in operation. According to ACMA, the number is a GoTalk VoIP number, which anyone could have registered over the web using stolen credit card details. (We've tried contacting GoTalk to notify them of this problem but were not able to immediately reach our regular media contacts.)

We called it, and were alarmed that the computer on the other end recognised the fact that we were keying in bogus numbers — an indication that at a bare minimum, it is doing algorithmic validation of the numbers being entered, and in a worst case scenario is operating a live payment gateway system to immediately siphon funds from accounts."

At the moment, most consumers would see a local phone number and trust that to mean that their call was really going there. Few would understand the potential of Voice over IP to route the call anywhere in the world. Fewer consumers still would understand that an IVR system that answered a phone call and asked for identity verification and card details might not be what it seems.

Like most frauds, this is a clever exploitation of some basic technology, but an exploitation in a brand new way. It may be a one-off, but I suspect it may represent a new development as the fight against e-mail based phishing becomes more successful. To date, security in call centres has focused on internal threats and social engineering attacks (see my posts like "Security, Call Centres and Fraud" and "Call centre worker gaoled for data theft"), but no-one has impersonated a contact centre on this scale before.

In my view, it looks as if the ease with which IP allowed websites to be impersonated will become a danger for voice.

Tags: Security, Retail banking

Comments: (1)

Dean Procter - Transinteract - Sydney | 05 June, 2009, 09:44

It shows that banks have failed to put the appropriate infrastructure in place with which to engage with their customers. Poor practices by bank call centers with regard to customer identity have compounded the opportunities for fraudsters. The fault sits squarely with the banks, Commbank in this case, but it is happening to all the Australian financial institutions. Having trained their unsuspecting customers into revealing their personal details to mystery staff at the end of the telephone line with no authentication either way, it comes as no surprise at all to see it coming back to bite them. It isn't 1950 anymore...
