Alex Noble - McAfee

Phishing at a new level with a fake bank contact centre

04 June 2009

I normally focus the blog on Europe, but this story from Australia shows a very alarming new level of fraud. In this case fraudsters have targeted Commonwealth Bank of Australia customers with a fake IVR and call centre.

The story (fully available at APCmag.com here) is very worrying. It shows that fraudsters are graduating from e-mail phishing to a far more advanced form of fraud. While the e-mail is still the basic trigger for the fraud, the sophisticated use of VoIP (Voice over IP) and IVR systems is a new development. Most consumers are now knowledgeable enough about the risks of fraud to avoid clicking on e-mail links, but phone numbers are much more trusted. This fraud relies on customers trusting local dial codes and on their familiarity with entering information into a touchtone IVR system. APCmag describes the fraud as:

"An email sent out on 26th May included a phone number in Brisbane to call to unsuspend blocked Maestro cards, but as of today, the number is disconnected. However, another email received this morning has an 08 area code number that is still in operation. According to ACMA, the number is a GoTalk VoIP number, which anyone could have registered over the web using stolen credit card details. (We've tried contacting GoTalk to notify them of this problem but were not able to immediately reach our regular media contacts.)

We called it, and were alarmed that the computer on the other end recognised the fact that we were keying in bogus numbers — an indication that at a bare minimum, it is doing algorithmic validation of the numbers being entered, and in a worst case scenario is operating a live payment gateway system to immediately siphon funds from accounts."

At the moment, most consumers would see a local phone number and trust that to mean that their call was really going there. Few would understand the potential of Voice over IP to route the call anywhere in the world. Fewer consumers still would understand that an IVR system that answered a phone call and asked for identity verification and card details might not be what it seems.

Like most frauds, this is a clever exploitation of some basic technology, but an exploitation in a brand new way. It may be a one-off, but I suspect it represents a new development as the fight against e-mail based phishing becomes more successful. To date, security in call centres has been focused on internal threats and social engineering attacks (see my posts "Security, Call Centres and Fraud" and "Call centre worker gaoled for data theft"), but no-one has impersonated a contact centre on this scale before.

In my view, the ease with which IP protocols allowed websites to be impersonated is about to become the same danger for voice.
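The weak point the post describes is that an e-mail carries a phone number and the customer trusts the number's local dial code rather than checking it against anything. One defensive control a bank or mail-security team can apply is to extract every phone number from an inbound customer-facing e-mail and compare it against the bank's own published contact-centre numbers. The following is an added example, not code from the original post or from APCmag; the allowlist numbers and the sample e-mail are constructed placeholders, and a real deployment would load the allowlist from the bank's published contact list.

```python
import re

# Constructed allowlist (placeholders in Australian E.164 form, not any real
# bank's numbers): the only numbers a genuine bank e-mail should ever quote.
BANK_CONTACT_NUMBERS = {
    "+61730001234",   # placeholder Brisbane (07) contact-centre line
    "+61280001234",   # placeholder Sydney (02) contact-centre line
}

# Australian-style numbers: "+61" or a leading "0" followed by 8-9 more digits,
# allowing spaces, hyphens and parentheses between them, e.g. "(08) 9000 5678".
PHONE_RE = re.compile(r"(?:\+61|0)(?:[\s\-()]*\d){8,9}")

# Verdict strings returned for each number found in an e-mail body.
KNOWN = "known bank contact number"
SUSPECT = "not a published bank number: treat as suspected vishing"


def normalise_au(raw):
    """Reduce a matched number to E.164 (+61...) so formats compare equal."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("61"):
        return "+" + digits
    # The regex guarantees the only other case is a leading trunk "0".
    return "+61" + digits[1:]


def find_phone_numbers(text):
    """Return the distinct normalised phone numbers quoted in text, in order."""
    seen = {}
    for match in PHONE_RE.finditer(text):
        seen.setdefault(normalise_au(match.group(0)), None)
    return list(seen)


def triage_email(body, allowlist=BANK_CONTACT_NUMBERS):
    """Label every phone number in an e-mail body as known or suspect."""
    return [
        (number, KNOWN if number in allowlist else SUSPECT)
        for number in find_phone_numbers(body)
    ]


def is_suspicious(body, allowlist=BANK_CONTACT_NUMBERS):
    """True if the e-mail quotes any number not on the published list."""
    return any(verdict == SUSPECT for _, verdict in triage_email(body, allowlist))


# Constructed sample e-mail modelled on the pattern in the story: a card
# "suspension" notice quoting one genuine-looking number and one unknown one.
SAMPLE_EMAIL = (
    "Dear customer, your Maestro card has been suspended. "
    "Call our Brisbane centre on 07 3000 1234 to reactivate it. "
    "If the line is busy, call (08) 9000 5678 instead."
)

if __name__ == "__main__":
    for number, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{number}: {verdict}")
    print("suspicious:", is_suspicious(SAMPLE_EMAIL))
```

The check deliberately ignores whether a number "looks local": a GoTalk-style VoIP number with an 08 area code passes that test, which is exactly what the fraud relies on. Only membership in the bank's published list counts, and any e-mail quoting an unknown number is routed for review before the customer ever dials it.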

Tags: Security, Retail banking

Comments: (1)

A Finextra member | 05 June, 2009, 09:44

It shows that banks have failed to put the appropriate infrastructure in place with which to engage with their customers. Poor practices by bank call centers with regard to customer identity have compounded the opportunities for fraudsters. The fault sits squarely with the banks, Commbank in this case, but it is happening to all the Australian financial institutions. Having trained their unsuspecting customers into revealing their personal details to mystery staff at the end of the telephone line with no authentication either way, it comes as no surprise at all to see it coming back to bite them. It isn't 1950 anymore...
