Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


10:30 AM
Patrick Cox
Patrick Cox
Connect Directly
E-Mail vvv

How to Hang Up on Fraud

Three reasons why the phone channel is uniquely vulnerable to spoofing and what call centers are doing about it.

With cybercrime skyrocketing over the past two decades, companies that do business online — whether retailers, banks, or insurance companies — have devoted increasing resources to improving security and combatting Internet fraud. But sophisticated fraudsters do not limit themselves to the online channel, and many organizations have been slow to adopt effective measures to mitigate the risk of fraud carried out through other channels, such as customer contact centers. In many ways, the phone channel has become the weak link.

Most contact centers have continued to rely heavily on knowledge-based authentication to grant callers access to their accounts. However, the ready availability of personal information, either stolen in data breaches or gleaned from social media, makes it increasingly easy for criminals to impersonate customers. Add in some Caller ID or automatic number identification (ANI) spoofing, and fraudsters are well on their way to deceiving call center staff and taking over customer accounts.

The phone channel is uniquely vulnerable to spoofing for a number of reasons:

1. Easy creation and manipulation of call signaling data. An incoming phone call contains signaling data with billing and routing information. However, it is simple for a hacker to alter legitimate call signal data, which is why spoofing has become an epidemic. Spoofing is simply changing or falsifying call-signaling data. It's easy to do using any of dozens of software tools such as FreeSWITCH or Asterisk. When a criminal originates a call, he or she can create all the signaling data needed to mimic a legitimate calling number.

2. Lack of encryption. Most websites today can encrypt a communication system end-to-end, from the browser to the web server. In contrast, very few telephone calls are encrypted end-to-end. This is because the security infrastructure that is mature in web communications is still in its infancy within the telephone network. Getting encryption in place is a slow process because it requires compatible and reliable networking capabilities for telephone communications among all the carriers in the world. That is a long process. In the meantime, this means that the vast majority of telephone calls and their call signaling data are sent in plain text and can be manipulated.

3. Many opportunities to launch attacks. There are thousands of telephone carriers in North America alone, and tens of thousands of global partners that offer access to place calls. Fraudsters exploit carriers and partners with lax security practices or no enrollment requirements. This enables criminals to remain anonymous and leaves them free to launch attacks without any repercussions.

By iterating attacks with multiple signatures on different access points, criminals will find a combination that can perfectly mimic calls from major carriers. Once successful, they can mimic calls from all the customers of that carrier.

Knowledge-based authentication, or KBA, is just as vulnerable because of fraudsters' relatively easy access to the personal information needed to correctly respond to call center agents' identity interrogation. This information can be purchased on the Dark Web or unearthed by simply scouring the social media sites of an account takeover target.  

So, how do we forge a more secure path forward? The basic answer, no matter the particular security solutions involved, is multifactor authentication. Multifactor authentication is a strategy in which inherence and/or ownership factors (that is, something known by a person and/or something in their physical possession) are used to verify a caller's identity, thus reducing or eliminating reliance on KBA and spoof detection. A bank would never allow ATM use without knowledge of a PIN and ownership of a physical debit card, and it's time for companies to adopt this same approach to secure their phone channels.

Multifactor authentication has long been recognized as more secure, and the available tools are becoming increasingly sophisticated. For example, to incorporate an inherence factor, which uses a physical attribute of a caller, contact centers can deploy voice recognition systems. These systems obtain a voice print from a caller and compare it to a reference voice print to make an authentication determination. (Note: TRUSTID offers pre-answer caller authentication as an alternative to KBA and as part of a multifactor authentication solution. Many companies in the industry provide additional caller authentication solutions for multifactor authentication.)  

A complementary technology uses a caller's phone as an ownership-based authentication token. This approach audits all phone calls, devices, and line types from within the global telephone network to ensure that the phone call and device are real and unique and can thus provide a deterministic authentication outcome in the form of an ownership authentication token.

In transitioning to an optimally secure authentication solution, voice biometrics or phone ownership authentication can be paired with KBA to create a quick-fix two-factor authentication approach. Our recent survey of contact center professionals showed that the majority of organizations planning to move to multifactor authentication expect to do so by adding a new factor to their existing KBA process.

Companies that want to gain their customers' trust must show that they take information security seriously. This means not only employing robust measures to prevent data breaches but also implementing multifactor authentication systems to ensure that personally identifying information stolen from other companies or gleaned from social media profiles will no longer empower fraudsters to access customer accounts.

Related Content:

Patrick Cox is chairman and CEO of TRUSTID, which enables companies to increase the efficiency of their fraud-fighting efforts through pre-answer caller authentication and the creation of trusted caller flows that avoid identity interrogation, allowing resources to be focused ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...