bank fraud goes low-tech: social engineering, phone fraud, and financial institutions
TRANSCRIPT
2015 Pindrop Security™. Confidential.
BANK FRAUD GOES LOW TECH
SOCIAL ENGINEERING, PHONE FRAUD, AND FINANCIAL INSTITUTIONS
David Dewey, Director of Research
Pindrop Security
July 22, 2015
NOTE
These slides are from a webinar held July 29, 2015.
You may view a recording of the webinar at www.pindropsecurity.com/webcast-archive
THREE WAYS TO ROB A BANK
• Physical
• Online
• Phone
(Timeline markers: 1995, 2010)
PHONE IS THE WEAKEST LINK
• Lack of innovation
• Spoofing technology
• Low barriers to entry
• Knowledge Based Authentication
PHONE IS THE WEAKEST LINK
• 4 out of 5 fraud calls are not money transactions
Lockheed Martin Cyber Kill Chain: Recon → Weaponization → Delivery → Exploit → Install → C&C → Action
THE THREAT IS GROWING
• $7.6 million fraud exposure
• $0.57 average fraud loss per call
SOCIAL ENGINEERING
Any act that influences a person to take an action that may or may not be in their best interest
• Authority – Has enough customer information to pass KBA
• Charm – “My father was married 3x, can I have extra guesses?”
• Anger – “I am one of your biggest customers”
ACCOUNT TAKEOVER
Impersonating legitimate customers to gain control of an account and eventually transfer money out of the account.
• Account Balance – Information later used to authenticate
• Contact Information – Real customer doesn’t get notified
• Travel Notification – Removes fraud triggers
• Password / PIN Change – Access to ATM or online banking
METHODOLOGY
• Phoneprinting™ – 100m+ Enterprise Calls
• Topic Modeler – 45m+ Consumer Complaints
• Phoneypot™ – 500k+ Unlisted Numbers
PHONEPRINTING™
Call Audio: requires 15 seconds of call audio
147 audio features:
• LOSS – Packet loss, Robotization, Dropped frames
• SPECTRUM – Quantization, Frequency filters, Codec artifacts
• NOISE – Clarity, Correlation, Signal-to-noise ratio
Phoneprint™
Diagram labels: Unique Phone, Geo-Location, Risk Factors, Risk Score, Call Type
PINDROP SECURITY
Phone Fraud Stops Here.
For more information contact [email protected]