Blog article
See all stories »

An article relating to this blog post on Finextra:

Consumers warned of 'man-in-the-phone' bank scam

Telephone banking customers are being warned about a new low-tech, man-in-the-phone (MitP), fraud technique being employed by criminals.

See article

Man in the middle fraud in call centres

Never one to post only on up to the minute stories, the blog was quite interested in the Finextra report a fortnight ago on "man in the middle" fraud in call centres.  I just haven't had a chance to write on it until now.

Traditionally, man in the middle fraud has been more associated more with the web channel than the telephone channel (see for example "Man-in-the-middle phishing kits circulating freely on the Web" or "ABN Amro compensates victims of 'man-in-the-middle' phishing attack" from Finextra), so it's interesting to see the attack take place in the telephone channel. It's also interesting that the attack described in Finextra is very low tech compared with the programing knowledge required for the phisihing attacks. The telephone version of man in the middle is described as,

 "....where a fraudster calls the victim claiming to work for their bank, warning that their account may have been breached or compromised. The criminal then puts the customer on hold and calls their bank, connecting the two while remaining on the line.

 The bank then requests authentication information, such as social security number, passwords and other personal information. Once the personal information is provided, the fraudster quickly ends the conference line and informs the customer that the issue has been resolved.

Meanwhile, with the personal information gathered during the call, the fraudster can take over the customer's phone banking relationship and transfer money out of their accounts."

The interesting thing for me is that for this type of attack to be successful, it highlights how weak the process side of some banks can be.  This attack depends on the banks authentication process revealing (a) all of the customer's authentication data each time and (b) not ensuring that customers have multiple levels of authentication.  Most banks I've worked with probably wouldn't be caught by this kind of fraud, so I'm interested to see that there are banks out there that still lag so far behind.

It's far less sophisticated than some of the the attack I've seen recently, where fraudsters have built fake IVRs to pretend to be the bank and used VoIP diversion to fool customers into thinking they are calling a local number (see posts like "Contact Centre impersonation arrives in the UK") and probably far less likely to succeed. Similarly, targeted social engineering attacks are also more likely to succeed as these tend to rely on bypassing security procedures rather than attacking them head on.

I would argue that deception based attacks around identity impersonation (such as the one on Barclays discussed in the post "Security, Call Centres and Fraud") seems to be where the real threat remains, but I'm not so sure that the man in the middle approach is where the real threat lies. My suspicion is that combinations of phishing and contact centre impersonation will remain the fastest growing threat for some years to come.


Comments: (1)

A Finextra member
A Finextra member 30 July, 2009, 11:14Be the first to give this comment the thumbs up 0 likes

The fact that this type of fraud still seems to exist is worrying but, since I have yet to come across a bank that asks for all of a customer's authentication details, I would agree with Alex's point that this is far from being the primary threat to customers. What is clear is that fraud can and does occur in instances where transactions are authenticated using customer information alone.

Banks have begun to take steps against this type of crime through the provision of CAP readers which allow for two-factor authentication. Under this system, consumers use their cards with the reader to generate a one-time password, without which a transaction cannot occur. Consequently information intercepted online or over the phone becomes redundant as it cannot be reused.

Equally, the impact of phishing attacks can be diminished through the use of a CAP reader. Savvy banks that ensure account details cannot be changed and transfers cannot be initiated without both a card and a one-time password generated by a CAP reader can minimise the impact of fraudsters' activity on the phished account.

While significant progress is being made by most of the UK banks, the Actimize report shows that lax security still exists. In order to protect against fraud, banks must employ a two pronged attack: firstly customer education is key to preventing authentication details from falling into the wrong hands - this is particularly the case with phishing. Secondly, banks must roll out two factor authentication capabilities to all their customers. It is essential that customers increase their understanding of the steps required to protect against fraud, but equally banks must provide the tools to allow them to do so successfully. 

Now hiring