PHONE CHANNEL SECURITY & IDENTITY ASSESSMENT IN THE PUBLIC SECTOR WHITE PAPER

Transcription

1 PHONE CHANNEL SECURITY & IDENTITY ASSESSMENT IN THE PUBLIC SECTOR WHITE PAPER

2 TABLE OF CONTENTS Introduction... 3 Phone Channel Vulnerabilities The Phone Channel: What Is At Risk? 3 4 Phone Channel Attacks... 6 Social Engineering & Vishing in the Call Center IVR Reconnaissance Account Takeover Cross Industry Attacks Defending the Phone Channel... 8 Solution Requirements Available Technologies A Mutli-Layered Defense Pindrop Solutions What Does Pindrop Provide? How Government Agencies Can Use Pindrop Conclusion PINDROP.COM

3 INTRODUCTION Every day, hundreds of thousands of people call US government and other public sector agencies. While most private sector call centers deal with inquiries around shipping delays or billing statements, calls to a government agency tend to be centered around more important matters help with tax returns, filing for needed benefits, emergency services, etc. The agent on the other end of the phone line may seem like the caller s only lifeline; so having an agent who instills confidence and empathy is of primary importance. But those call center agents, who are focused on doing their best to help citizens, have another problem to deal with. Hidden among those legitimate callers are a group of callers with other motives: reconnaissance, identity theft, and more. In fact, new research in the private sector indicates that about 1 in every 2,200 calls to a call center is a skilled fraudster with experience in social engineering and data mining, and with special technology designed to abet an attack. 1 Phone Channel Vulnerabilities The phone system presents a perfect storm of characteristics, both new and old, that invite malicious abuse. Caller ID is Broken Caller ID (CID) and Automatic Number Identification (ANI) have no security built in or available. Phone companies originally created the systems for internal use. As a result, spoofing Caller ID data is easy. Phone apps allow users to change the phone number that appears on Caller ID with ease. Many even include voice-masking features. No Metadata Every phone call traverses multiple networks, no two of which is exactly alike. Since phone networks are very bad at sharing information with each other, the only data to get through every network is the actual call audio. No data is shared that provides caller verification or origination. Even that call audio suffers degradation. The recipient of a phone call cannot count on any identifying information about the caller coming through intact. Cross Channel Sophisticated fraudsters are increasingly working across and in-between communication channels, making it more difficult to track and understand fraud attacks. Many attacks that appear to be rooted in the online world actually originated over the phone channel, where criminals might steal identities or change the password for an online account. 1 Pindrop Security, PINDROP.COM

4 The Rise of VoIP With the rapid growth in VoIP networks beginning in the 1990 s, the world of telecommunications has changed significantly. The cost of long distance calls has fallen drastically, making it practical to call the US from anywhere in the world cheaply. VoIP allows use of PC applications to perform a wide range of activities, many beyond the scope or intent of the phone network. This includes automated dialing and easy-to-use spoofing technology. Device Type in Fraud vs. Non-Fraud Calls Non-Fraud Calls Cell Landline VoIP Fraud Calls Cell Landline VoIP 0% 20% 40% 60% 80% 100% Source: Pindrop Security, 2015 State of Phone Fraud Report The Phone Channel: What Is At Risk? Citizen Data Government agencies carry a significant amount of data about citizens, and much of that information is extremely valuable to criminals. Social Security Numbers, Tax IDs, Medicare IDs, and other government records are considered the most durable types of identity information. Unlike credit card numbers, which are easily replaced, citizens are not able to change their date of birth or mother s maiden name. Nor is it an easy task to change a Social Security Number or other government-issued ID number. This information, once lost to criminals and identity thieves, has a long-lasting effect on US citizens Government Data Data about the government itself is also at risk to phone channel exploits. Criminals and foreign agents also use the phone to socially engineer call center workers into divulging classified government data. This could be information on government employees, access to intelligence documents, or even classified statistics on labor. Recent data breaches at the US Office of Personnel Management (OPM), the Internal Revenue Service (IRS) and even the White House illustrate the wide range of government data available to sophisticated criminals and spies. 4 PINDROP.COM

5 Public Safety Phone channel vulnerabilities can create a direct risk to public safety. For example, criminals and foreign agents can use the phone channel to get information on national defenses or from the armed forces. Others might use the phone channel to steal PII used to create false identities for illegal immigration. In early 2015, UK police were able to identify a criminal ring running phone scams on elderly pensioners. They found that the scammers were funneling the profits from these phone scams to groups supporting ISIS in Syria. 2 It is very likely that similar crime rings are targeting US citizens. The Black Market for Identities To gain a better understanding of the value of the data government agencies hold on their citizens, we can consider the black market. Researchers have long been aware of the existence of online black markets, where criminals resell personally identifiable information (PII). In 2014, Dell SecureWorks investigated how much money particular pieces of information can fetch on the black market: Abuse of Resources Phone channel attacks are abusing limited government resources. Many agencies have very limited budgets dedicated to their call centers. Time and training spent on assessing caller identities, investigating fraudulent transactions, and mitigating the results of identity theft can be significant. In 2015, the IRS, which receives nearly 110 million calls each year, actually warned consumers that they could expect excessive call wait times and suggested they visit the website instead. 3 SOCIAL SECURITY XXX-XX-XXXX - Driver License - Credit Card # <$1 Social Security # $10 Drivers License $100 More concerning might be phone based attacks on emergency services. An increasingly popular prank known as swatting has criminals calling 911 to report a serious crime in the hopes of unleashing a SWAT team on an unsuspecting person. Police estimate that a single swatting incident can cost taxpayers up to $15,000 in wasted resources. 4 2 The Independent, Internal Revenue Service, NPR Marketplace Tech, 2015 MEDICARE INSURANCE US Passport $200 Medicare ID # $470 Sources: Dell SecureWorks, 2014 NPR, PINDROP.COM

6 Fraud Loss Agencies should not underestimate the financial costs of phone fraud. Researchers from Pindrop Labs have reported that the average private sector call center loses $0.57 to fraud per call. This adds up to an overall fraud exposure of more than $7.6 million per private call center. Public sector call centers can expect to see similar losses. 5 Fraud Exposure By Industry 20M 15M 10M 5M Banks PHONE CHANNEL ATTACKS Social Engineering and Vishing in the Call Center Brokerages Credit Cards Source: Pindrop Security, 2015 In September 2015, Department of Homeland Security CISO Paul Beckman discussed the problems of social engineering with a cybersecurity group in Washington. Beckman ran phishing tests on his employees. While the test s were clearly coming from outside of DHS, and to any security practitioner, they re blatant, Beckman said that there were many employees, including senior officials, who continually fall for them. 6 Likewise, government agents, especially call center agents, are susceptible to phishing attempts over the phone. Known as voice-phishing or vishing, criminals impersonate legitimate callers in an attempt to steal information on citizens and government agencies. Phone channel attackers are typically very skilled social engineers. They are experts at manipulating people to get information they should not have access to. An attacker may seem unassuming and respectable, possibly claiming to be a new employee or a researcher, and even offering credentials to support that identity. However, by asking questions, he may be able to piece together enough information to infiltrate an agency s network. If an attacker is not able to gather enough information from one call, he can simply call again and try with another agent. Spear-Vishing When a criminal targets an individual employee rather than a random call center agent, we call the attack spear-vishing. Attackers go after high-level employees who have access to special information, or can authorize significant transactions. 7 5 Pindrop Security, Ars Technica, Bloomberg Business, PINDROP.COM

7 IVR Reconnaissance In many cases, the attacker does not even need to speak with a call center agent to launch a phone-based attack. Automated systems or IVRs (interactive voice response) systems facilitate a wide range of activities that allow a criminal to make substantial inroads to taking over an identity. For example, criminals can use the IVR to test Social Security Numbers or other government ID numbers. They might use it to check the balance on a prepaid benefits debit card to learn whether the account is worth hacking. Most call centers have extremely limited visibility into how callers are using the IVR, and there are few protections available. Account Takeover The Dark Economy Though some phone channel attackers are lone wolves, it is more common to find these criminals working as part of a group, or within an economy of fraud. One member may be skilled in technology and will create programs to test Social Security Numbers in IVRs. Another might be a great social engineer, and focus his energy on manipulating call center agents. Criminals buy and sell PII and other tools on the black market, so the social engineer can easily buy complete identities without having to do the reconnaissance himself. One of the primary goals of phone fraud is commonly called Account Takeover or ATO. Once a fraudster has used reconnaissance to complete a profile of a target account, he will begin a process of disassociating an account from its true owner. This often means making changes to the account s physical and addresses, changing the account password, and resetting or setting up an online account. In the public sector, account takeover can take many forms. Criminals could take over an IRS account in order to file for fraudulent tax refunds. They might take over a benefits account to redirect the benefits payments. They might also file fraudulent claims for Medicare or disaster relief as a way to monetize stolen identities. Cross Industry Attacks Government and public sector agencies need to be aware of the part that they play in the greater chain of fraud. Any information that is leaked through the phone channel has the potential to be used not only against that agency, but also against any other agency, any private sector business, and even private citizens directly. For example, an attacker might use an IVR to mine for SSNs, and then use those SSNs to download previous year s tax returns. The criminal might use that information to target high-income individuals by calling their financial institutions and taking over banking or brokerage accounts. On the other hand, if the criminal found that a target owed money to the IRS, he could easily call the individual and impersonate a government official demanding that the debt be paid immediately. 7 PINDROP.COM

8 DEFENDING THE PHONE CHANNEL Solution Requirements In order to justify the time and cost of deployment, a solution to defend the phone channel would need to be able to do the following: Identify new attackers before they can do damage or collect sensitive information. Identify attackers in all parts of the phone infrastructure: live calls, recorded calls, automated answering systems and outbound calling systems. Use both phone number and call audio to identify and quantify fraud risk. Available Technologies Knowledge Based Authentication We re all familiar with the leading deterrent to phone fraud, knowledge based authentication (KBA), where call center agents grill customers with questions. Examples include asking for your mother s maiden name, high school mascot, or pet s name. It s not very sophisticated, it s very expensive, and it s not very effective. Many of the answers are easy to guess or bluff. Call center agents who are focused first on providing excellent service actively help callers answer the questions correctly. Worst of all, after the major data breaches of the past few years (OPM, Target, etc.) most of the answers are being sold on the black market. Even the companies who supply KBA questions and answers have been hacked. 8 On the same token, knowledge based authentication is difficult and frustrating for legitimate callers. Gartner senior analyst Avivah Litan estimates that the failure rate on KBA for legitimate callers averages between 10 and 15 percent. For some of the most vulnerable populations, such as immigrants, students, and the elderly, failure rates can run as high as 30 percent. 9 8 Krebs on Security, Gartner, 2012 KBA Failure Rates 10% Average Citizens 30% Vulnerable Populations Source: Gartner PINDROP.COM

9 Voice Biometrics Voice biometrics is focused on speaker verification, which means confirming the claimed identity of a speaker from his or her voice. In other words, a caller claims to be someone, and the technology then matches the voice to an existing voiceprint. (This is as opposed to speaker identification where a voice print database is searched for a match this is a much more difficult task.). Voice authentication is attractive for several reasons. A positive voiceprint can verify a customer, saving time and providing a higher level of security than KBA. A negative voiceprint can be used to blacklist callers, sending an alert or blocking then when they call. Voice biometrics on its own, however, is ineffective as a fraud deterrent. Gartner analysts have observed that many customers opt out of voice biometric authentication for privacy reasons. More are not able to enroll either due to poor call quality or because they do not interact with the call center at all. This can leave up to 75% of accounts unprotected or vulnerable to a criminal calling in and authenticating their own voice on another person s account. 10 Voice Biometric Enrollment 27% Opted-in, enrolled No call center contact Opted out for privacy Poor quality, noise First time caller Source: Gartner, 2013 Phoneprinting TM Phoneprinting solves many of the problems associated with voiceprinting by analyzing the complete audio content of the call, rather than just the voice. Phoneprinting isolates and analyzes 147 characteristics of each call and, from this, can determine the unique phone device, the type of call (VoIP, Mobile, Landline), and the approximate geographic region fro which the call is originating. By comparing the geo-location, phone device, and call type with the call information being reporting by the Caller ID and phone network, Phoneprinting can actually detect Caller ID or ANI spoofing attempts. For example, if a call appears to be coming from a landline in Atlanta, GA, but the call audio reveals the call to be coming from a VoIP phone in Nigeria, the caller is likely to be a fraud. In addition, Phoneprinting technology creates a unique audio fingerprint tied to the call. This fingerprint will identify a fraudster (or legitimate customer) regardless of whether the voice has been manipulated, the number is changed or spoofed, or even if the caller is changed (as in a fraud ring or fraud call center). No other technology can do this. 10 Gartner, PINDROP.COM

10 How Phoneprinting Works 147 factors analyzed on every call Geo-Location Call Type 86 Initial Call Pindrop s Patented Phoneprint TM Unique Phone Risk Score Every call, every time Risk Factors Spectrum Quantization, Frequency filters, Codec artifacts Noise Clarity, Correlation, Signal-to-noise ratio Loss Packet loss, Robotization, Dropped frames What Does a Phoneprint Tell You? Phoneprinting Accuracy Spoofed Call - The caller is hiding their true number or impersonating another person True Location - Where the call is really coming from? True Device Type - Whether the caller is using a Cell, Landline or VoIP to place the call? If VoIP, which network? Phoneprinting technology is highly accurate. It is able to determine the location of the caller and the type of device being used to originate the call (VoIP, Cell, Land) even the network type for VoIP calls (Skype, etc.) with over 80% accuracy. Recognized Caller - Has the caller been seen before? Identity Assessment How likely is this caller to be who they say they are? 10 PINDROP.COM

11 A Multi-Layered Defense The best security is always layered security, and this principle holds true when securing the telephony channel, wrote Avivah Litan, Vice President and Distinguished Analyst for Gartner. 11 No single layer of fraud prevention or authentication is enough to keep determined fraudsters out of enterprise systems. For this reason, government and public sector agencies should look for solutions that combine multiple technologies to detect fraud in the call center. PINDROP SOLUTIONS At Pindrop Security, our mission is to restore trust in the phone channel by providing a set of solutions that deliver the protections we ve outlined above. Pindrop solutions are designed to analyze all aspects of the call to assess the true identity of the caller and detect indicators of fraud. Built around our patented Phoneprinting technology, we are able to identify tactics such as Caller ID spoofing, voice distortion and autodialers. But Phoneprints are not the only tool in the Pindrop solution. In addition, Pindrop utilizes the following technologies: Voice Biometrics are used to track unique individuals for both blacklisting and whitelisting purposes. IVR Analysis examines caller behavior, DTMF tones, and key presses as callers navigate the IVR with customized alerts and routing for suspicious callers. Reputation provides real-time updates on the behavior of the phone number and the caller, including call volume, past fraud or suspicious activity, complaints and association with risky networks, devices, callers and locales. Intelligence Network data gathered from participating Pindrop customers and partners allows organizations to share attack data across industries. 11 Gartner, PINDROP.COM

12 What Does Pindrop Provide? Call analysis technology that can determine the actual location and device type used by a caller and compare it to Caller ID or ANI information to determine spoofing and fraud. Patented Phoneprinting technology that allows you to match the caller to other fraud attempts and examine their fraud history. Non-intrusive validation of customers through transparent location and device type verification. Risk score based on IVR activity or 30 seconds of audio in the call center to assess whether a caller is likely to be who they say they are. How Government Agencies Can Use Pindrop Avoid Data Breaches & Protect Citizen Identities Government and public sector call centers can use our solution to alert call center agents to suspicious callers using the Pindrop Risk Score. This score helps agents determine what kind of PII information they can provide over the phone, and can be used to route high risk calls to fraud our security teams. After the call, investigators, prosecutors, or other government authorities can access the Pindrop case manager to listen to recordings of suspicious calls, analyze and create Phoneprints, and track known criminals. Many Pindrop customers in the private sector also use this risk score to reduce authentication processes for low-risk callers, reducing average call times, and improving customer satisfaction. Forensic Investigation & Analytics When fraud has occurred or is suspected, fraud teams go into action. Phone number records are often inconsistent, and search engines provide mostly anecdotal evidence. Analysts may need to call the number or contact the telecommunications provider. The results of these efforts tend to be unsatisfying and the process is time-consuming, expensive, and frustrating. Pindrop Phoneprinting provides a way to track and investigate crime and reconnaissance attempts over the phone. In our work in the private sectors, Pindrop researchers have found that a small number of attackers perpetrate a high number of attacks. Our current customers use Pindrop solutions as a tool for forensic investigation, matching known fraudulent Phoneprints to other recorded calls stored in a database to quickly identify other compromised accounts. Pindrop analytics reduce case resolution times, as well as overall fraud agent caseloads. 12 PINDROP.COM

13 Regulation Finally, government agencies have a unique power to influence the way in which change happens across many US industries. By encouraging standards for call center and phone channel protections, agencies can help assure that all citizens and consumers are protected from phone fraud. CONCLUSION Fraud in the phone channel poses a significant risk to government agencies, public sector enterprises, and US citizens. Criminals and foreign agents are launching sophisticated, cross-industry attacks using the phone as a key tool. Government data is highly valued on the black market, and agencies must take make sure they are equally secure across the physical, online, and phone channels. Pindrop recommends that agencies implement fraud detection solutions that maximize their return on investment by selecting technology that is versatile and widely effective. The technology should be usable on every call, regardless of call quality, previous enrollment or lack of voice content. It should be highly accurate, regardless of obfuscation such as voice distortion, background noise, packet loss, or other common issues. Fraud detection technology should leverage multiple data sources, both other enterprises as well as third parties and law enforcement. This combination of requirements presents the best solution available. ABOUT PINDROP Pindrop Security provides enterprise solutions to secure phone and voice communications. Pindrop solutions reduce fraud losses and authentication expense for some of the largest call centers in the world. Pindrop s patented Phoneprinting technology can identify, locate and authenticate phone devices uniquely just from the call audio thereby detecting fraudulent calls as well as verifying legitimate callers. Pindrop has been selected by the world s largest banks, insurers, brokerages and retailers, detecting over 80% of fraud, even for attackers never seen before. Pindrop solutions are allowing enterprise call centers to reduce call time and improve their customers experience even while reducing fraud losses. Pindrop is restoring confidence in the security of phone-based transactions. 13 PINDROP.COM