The story appears in the September issue of Cards&Payments.
The Payment Card Industry Data Security Standard, Red Flag rules and privacy provisions of the Health Insurance Portability and Accountability Act of 1996 are just a sampling of mandates to help–or force–a variety of businesses to protect consumer data from thieves who might use the information to commit
identity theft and financial fraud.
But the best security technology and processes cannot fully protect financial institutions, payments businesses and merchants from the naïve or careless acts of company employees, security experts say.
Plenty of well-meaning employees enable hackers or provide sensitive data to fraudsters simply because they are undertrained, overworked or both. Smart payments-system security managers take full advantage of both available technology and the human element of security to curtail such activity, experts say.
"There are a couple of myths floating around about PCI and security in general," says Tom Wills, senior analyst of risk, security and fraud at Pleasanton, Calif.-based Javelin Strategy & Research Inc. "There's a mentality of 'Just fill in the PCI checklist and we're OK until next year, or at least we won't get fined until next year,'" Wills says. "The big breaches have shown that strict interpretation of PCI does not provide complete security."
Even maintaining full compliance with the standards does not keep a company secure, Wills asserts. "You can't solve security problems with technology alone," he says. "You have to have human security. You have to educate your employees on how to identify an intruder in your building, on how to recognize social-engineering attempts."
Social engineering involves consumers unwittingly volunteering passwords, Social Security and payment card numbers, and other data to fraudsters via e-mail or by telephone. But training payments-industry employees to spot and stop fraud attempts is equally important, observers say.
Thieves often acquire Social Security numbers, street addresses, mothers' maiden names and other basic personal information through e-mail phishing excursions, network breaches of nonfinancial institutions such as hospitals and universities, simple Internet searches, or old-fashioned theft of key paper documents, according to George Tubin, a TowerGroup analyst and author of a recent report on the subject.
And malware increasingly is infecting millions of personal computers around the world, collecting passwords and personal data even from security-savvy consumers, warns Dan Larkin, unit chief for the Cyber Division of the FBI. "This still seems to be a money-making endeavor, to get key-loggers and other malicious software onto people's computers," Larkin says.
"There's a whole lot of information fraudsters can use to defraud financial institutions," Tubin adds. Yet many financial institutions require little more than such basic information to enable access to a variety of personal accounts via telephone or branch-banking channels, he says.
Tubin says he gained full access to his own account at a large financial institution (which he would not name) through its interactive voice-response system using only his Social Security number, home address and date of birth.
Tubin would not describe in detail what he considers troubling financial-institution vulnerabilities to fraud perpetrated through social engineering with call-center staff and automated customer service systems. But a general example of what he calls "cross-channel" fraud involves thieves gaining useful pieces of consumers' data from phishing or by installing malware on their computers.
Operation 'Plastic Pipeline'
"Most of these schemes include a lot of different methods. ... It could be getting into an online account, finding a routing number, or finding a debit or credit card number," Tubin says. The fraudster then presents that information to a call-center employee to establish credibility or uses it to gain access to an online account.
Recent arrests and indictments illustrate such multichannel trickery.
Between at least April 18, 2008, and April 23, 2009, fraudsters used a combination of technology and social engineering to outwit call-center staff at several financial institutions in the United States and Canada. In May, Richard Brown, district attorney of Queens County, N.Y., announced "Operation Plastic Pipeline," which resulted in the indictments of 45 alleged participants in a card-fraud and identity-theft ring that cost those institutions–and retailers and consumers–more than $12 million in losses last year alone.
Some of the alleged fraudsters had used products called SpoofCards that enable users to change the phone numbers that appear on a receiver's caller ID, according to a statement by the attorney general's office. SpoofCard technology, which is legal in the U.S., can even change a caller's voice by accent, tone and apparent gender, the statement says.
Those arrested allegedly used the tools to convince call-center staff to increase credit limits and change PINs, mailing addresses, and secondary users on credit and debit card accounts. Some participants maintained accounts by paying off balances to avoid fraud detection and to enable credit line increases. Others then withdrew cash from ATMs and made large purchases using cloned cards tied to the compromised accounts, according to the statement.
Tubin points to the case as a prime example of "pretexting," or using a piece of information and a prefabricated scenario to convince branch or call-center staff to divulge more information about an account or to hand over funds to a thief.
"Training has to be in place for staff on how to identify this kind of fraud," Tubin says. Technology and strict business processes also can help block branch and call-center employees from being too helpful to the wrong "customers," he adds.
Know Thy Customer
Branch staff can require even walk-in branch visitors to answer questions only the true accountholder is likely to know, for example. If the visitor cannot answer those questions correctly, "we have to deny them access, or it gets elevated to a supervisor," Tubin says.
Javelin's Wills agrees that technology and employee training must be paired, especially because technology can enable altered voices and counterfeit caller IDs, as in the Operation Plastic Pipeline frauds.
"The combination of techniques used in this fraud made it extremely difficult to detect, even by the most-competent service reps," Wills says of the use of caller-ID and voice-altering technology. "I'm not sure additional training would have helped in this case. What would have helped are some technology and business-process controls that are available and in use by many banks."
For starters, financial institutions should not rely on caller ID to authenticate customers, Wills says. Instead, they should use multiple layers of technology and practices to fend off account-takeover attempts: require callers or customers using Web sites, for example, to answer secret questions only true accountholders would know, he recommends.
Tools such as device authentication can detect red flags such as Internet protocol addresses and physical locations of computers that do not match customer records. And customer alerts, especially those sent to mobile phones, can help true accountholders react quickly to questionable transactions, according to Wills.
"These techniques aren't perfect. They won't work for a (new) account that was opened fraudulently," Wills says. "But if used together in combination with a strong security policy and awareness programs directed at both employees and customers, they do add layers of strong security against account-takeover attacks."
Tubin agrees, adding that financial institutions should go beyond challenge questions consumers choose and answer themselves when setting up their accounts, information such as first pet names, mother's maiden names, city of birth or a parent's name.
A better challenge of customer knowledge is knowledge-based authentication, according to Tubin. This authentication uses a variety of credit-bureau data to challenge consumers with questions–sometimes trick questions–that they have not chosen themselves.
"It will ask questions such as 'In 1998, you owned a Honda. What color was it?'" Tubin says. "It's that kind of approach that is vastly more secure than the challenge-question approach."
Many institutions also use technology to check callers' area codes and the Internet protocol addresses of computers through which purported accountholders access their financial information. But card issuers and other financial institutions should add even more security layers, Tubin adds.
And if accountholders change contact information, such as phone numbers or mailing and e-mail addresses, issuers may want to call the old phone number on file for the accountholder to confirm those changes were by the legitimate account owners, Tubin says. If the legitimate accountholder did not request a telephone or address change, the original contact information will still work.
Criminals will seek new and time-tested methods for stealing data and funds from financial institutions and other businesses. Proper training and updates on the latest fraud schemes can help employees avoid handing over the goods. CP