Editors' pick: Originally published Jan. 26.
Hackers are drawn to call centers because of the plethora of personal and financial information which is shared even in a few minutes of a conversation, which aids clever fraudsters on the hunt for more data.
Consumers make millions of calls daily for legitimate reasons such as changing their address or cell number. Fraudsters have not only caught onto this, but they are also one step ahead.
These hackers, with their savvy abilities, have learned the scripts banks and credit cards companies use, and armed with the knowledge, they are utilizing the information to penetrate the weaknesses in the system.
"As most companies have expanded and outsourced their call centers, they have relied on automation, specifically in the form of scripts for call takers to follow and respond to customer inquiries to help meet the needs of their customers at scale," said Nathan Wenzler, chief security strategist at AsTech Consulting, a San Francisco-based security consulting company. "But this type of scripting serves as an ideal attack point for a clever hacker or social engineer."
A social engineer can easily navigate his way through the responses to gain more proprietary information to determine what is provided through these scripted responses such as a customer's mother's maiden last name.
This also enables the fraudster to better understand the internal structure of the company or its network, names and locations of key staff in order to target them, he said.
"While there is much to be gained publicly from corporate websites and social media, this kind of reconnaissance can provide an attacker with much more specific information that would allow them to bypass other human controls and be given authorized access to areas of the network or company that only authorized employees would have," Wenzler said.
Call centers are emerging as "valuable targets" for social engineers and other hackers who are gaining additional information and access to conduct far more damaging and targeted attacks, he said.
The latest software can identify suspicious behavior with an account, such as the pattern of a person changing their address and then calling a few days later to request a new credit card, said Barak Eilam, CEO of NICE, a Ra'anana, Israel-based software solutions provider.
"Hackers can apply psychology in gathering information and interacting with agents who are human and trained to help callers," he said.
More firms need to be pro-active in order to combat hackers and find solutions that are targeted specifically for an industry such as the financial sector instead of generic ones, will likely improve the odds.
"These are clear examples of possible fraud that can be flagged by a customer service representative and software can capture the hacking attempt," Eilam said.
Hackers will always be one step ahead of companies because they are motivated by greed and success.
"There is no way to stop crime, but we look for ways to tackle them," he said. "The fraudsters are cease in their attempts."
Hackers committing financial crimes are broadening their targets from banks and financial service companies to payment providers and even to gaming companies such as casinos.
Voice biometrics is a solution that is increasing in use and popularity to fight against hackers. Once a consumer starts a dialogue with a customer service representative, it takes an average of six to eight seconds to authenticate the person by their voice and speech pattern compared to asking personal questions about their mother's maiden last name which takes an average of 40 seconds, he said.
"Using someone's voice to authenticate them is very natural," Eilam said. "The adoption rate by customers has been very high and way more than we expected. Customers experience a significant change in their experience. This also provides significant savings to a company and is a very secure way to authenticate someone."
Hackers love to abuse call centers because customer service representatives need to be not only concise, but also precise and move through call lists quickly. This means the "confused" caller is often handled with little regard for security, said Chris Roberts, chief security strategist at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions.
Since the goal of a call center is to process calls and a fraudster is "interfering with your metrics, you are going to want to get rid of me fast," he said.
"We are dealing with minimal wage workers who for the most part have absolutely no vested interest in maintaining security beyond the very basics," Roberts said. "Most of the companies give little to no attention to the ongoing awareness and security training of their employees."
Rough estimates show that companies lose $400 million annually that can be traced back to call center fraud, he said.
"This trend is not going to go down any time soon as the issues are quite complex," Roberts said.
Since the majority of a consumer's information is available on social media or sold on the Darknet, the "job is mostly done when it comes to impersonating a victim," he said. "From what I hear, around 60% of calls result in a 'hit' or a successful takeover of an account or system. Those are bloody good odds in the hackers favor."
More companies are utilizing tools and software for fraud detection and prevention, including a higher level of screening.
"A lot of this is done autonomously and some of the factors now are geolocation intelligence, consumer database information, analytics for voice modulators, voice spoofing/distortion techniques and other tools," Roberts said.
Other solutions implement data analytics, using intelligence from the Federal Trade Commission, complaint sites and other correlating databases to determine if a caller is legitimate.
"If you cross reference that with honeypots for phones, spam/phishing databases and then apply the metric on the call such as what equipment is calling or is being called, what voiceprint is present, what should be present and what other social engineering flags are present, then you actually have a semi-intelligence systems that can recognize fraud at a far higher rate than the normal human," he said.