Retail Technology

With ‘phishing’ attacks on the increase, attempts to obtain personal information by telephone or text message are also on the rise, according to 41st Parameter

Phishing attacks are on the rise, with 51,000 incidents recorded last year, a 16% increase on the number seen in 2008. Now we have ‘vishing’, phishing via the telephone, and ‘SMiShing’, the use of text messaging as the hook to obtain sensitive information.

David Britton, vice president of industry solutions at security specialist 41st Parameter, explained how these attacks work and pointed out that, regardless of how the personal credentials are stolen, the only way to prevent the fraudster from using the stolen details is to identify the rogue device he is using to commit the fraud.

As the world continues to accelerate its move into the online channel for all manner of communication, whether goods, services, networking or information, it is no surprise that the fraudster community is following suit, exploiting this growing online estate to commit crime.

Online exploitation matures

The manner in which fraudsters exploit the online channel can generally be broken into two phases: (i) a process for tricking people into divulging their secret credentials, and (ii) the fraud act itself, where the data is used for illegal monetary gain.

SMiShing and vishing are two of the more recent methods fraudsters use to reach unwitting victims and convince them to divulge their credentials and other information.

The attacks are simply a way for fraudsters to present ‘bait’ to consumers in the form of a compelling message: "We have observed fraudulent activity on your credit card... Please contact us immediately…" or "As a loyal customer, we are offering you a £1,500 credit... Contact us to receive your gift!" The aim is for consumers to willingly divulge personal financial information, which can then be used to commit financial crimes.

Targeting text messaging

SMiShing uses SMS text messages via the mobile channel as the method for delivering the bait, while vishing uses the traditional landline phone channel (often leveraging voice over internet protocol, or VoIP) to deliver it.

In the case of SMiShing, the fraudster will typically provide a phone number for the victim to call, where an automated interactive voice response (IVR) system asks for their card number, PIN, address and other financial details. These phone systems are typically set up to mimic the legitimate bank's phone system, making it difficult for the victim to tell the difference.

In the case of vishing, the fraudsters exploit the very mechanism intended to protect the victim, Caller ID, to gain a level of credibility and trust. The fraudster will typically use the existing phone infrastructure and spoof the caller ID so that the call appears to come from the organisation being impersonated. They then prompt the victim to call back on the number shown on the caller ID and have them enter their personal financial information via an automated response system.

Security tools in retail arsenal

Fraudsters can then commit the financial crime using the harvested credentials. It is at this point that fraud solutions such as 41st Parameter's take the battle to the fraudster. Because fraudsters have to go to a bank or a merchant to use the credentials to steal money, goods or services, and will typically do so in the online channel rather than in person, our solutions are designed to give banks and merchants the visibility they need to stop fraudsters from using these credentials.

Britton said they are able to detect fraud regardless of the method used to steal the credentials. This requires the ability to look beyond what the fraudster presents to the bank or merchant as a valid credential and to observe what the fraudster's device discloses about them.

This process involves identifying a computer that is impersonating multiple identities, by detecting where the fraudsters are actually located regardless of what they claim. We do this by leveraging subtle inconsistencies between how the fraudster's device is configured and where they claim to come from, and by recognising when a rogue device is attempting to gain access to an account.

Knowing the tricks of the trade

In many cases, fraudsters using these stolen identities have a list of credentials that they work through, attempting to make the transactions look as if they come from multiple legitimate users transacting on the site. Based on the specialist's DeviceInsight capabilities, Britton said they can observe that all of these transactions or login attempts originate from the same device, or from a group of devices in the case of a fraud ring attack. To the 41st Parameter solution, these are easily identified as originating from the same fraudster, regardless of how many identities are being impersonated.

“In this way, we have the technology to continue to successfully thwart would-be fraudsters from using the identities they have stolen via SMiShing, Vishing, Phishing, SpearPhishing (targeted attacks), or Malware and Trojan infection, by collecting the appropriate data from the transacting device, and by understanding that data, and incorporating the deep knowledge of how that data should be used in our fraud detection capabilities,” concluded Britton.
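The two checks Britton describes above, many identities presented from one device and a device configuration at odds with the location an account claims, as an added Python example that is not 41st Parameter's code. The event schema, the timezone table and the two-account threshold are constructed assumptions; a real deployment would fingerprint far more device attributes and tune the threshold to its own traffic.

```python
from collections import defaultdict

# Constructed sample events (not from the article), one per login or checkout
# attempt: "device" is an opaque fingerprint, "claimed" the billing-address
# country, "ip_cc" the geolocated IP country, "tz" the browser's UTC offset
# and "lang" its Accept-Language header.
EVENTS = [
    {"device": "dev-A", "account": "alice", "claimed": "GB", "ip_cc": "GB", "tz": 0, "lang": "en-GB"},
    {"device": "dev-B", "account": "bob",   "claimed": "GB", "ip_cc": "GB", "tz": 0, "lang": "en-GB"},
    {"device": "dev-X", "account": "carol", "claimed": "GB", "ip_cc": "GB", "tz": 3, "lang": "ru-RU"},
    {"device": "dev-X", "account": "dave",  "claimed": "GB", "ip_cc": "GB", "tz": 3, "lang": "ru-RU"},
    {"device": "dev-X", "account": "erin",  "claimed": "GB", "ip_cc": "NL", "tz": 3, "lang": "ru-RU"},
    {"device": "dev-X", "account": "frank", "claimed": "GB", "ip_cc": "GB", "tz": 3, "lang": "ru-RU"},
]

# Constructed, deliberately tiny table of UTC offsets a device in each country
# would plausibly report (two values per country to allow for DST).
EXPECTED_TZ = {"GB": {0, 1}, "NL": {1, 2}}
MAX_ACCOUNTS_PER_DEVICE = 2  # velocity threshold; an assumption, tune to the business


def device_inconsistencies(ev):
    """Mismatches between what the device discloses and what the account claims."""
    reasons = []
    if ev["tz"] not in EXPECTED_TZ.get(ev["claimed"], set()):
        reasons.append("tz_mismatch")
    if ev["ip_cc"] != ev["claimed"]:
        reasons.append("ip_country_mismatch")
    if not ev["lang"].lower().endswith(ev["claimed"].lower()):
        reasons.append("locale_mismatch")
    return reasons


def link_accounts_by_device(events):
    """Map each device fingerprint to the set of identities it has presented."""
    accounts = defaultdict(set)
    for ev in events:
        accounts[ev["device"]].add(ev["account"])
    return accounts


def flag_rogue_devices(events, max_accounts=MAX_ACCOUNTS_PER_DEVICE):
    """Return {device: sorted reasons} for devices that present more identities
    than the threshold allows or whose configuration contradicts a claimed location."""
    flagged = defaultdict(set)
    for dev, accts in link_accounts_by_device(events).items():
        if len(accts) > max_accounts:
            flagged[dev].add(f"{len(accts)}_accounts_on_one_device")
    for ev in events:
        flagged[ev["device"]].update(device_inconsistencies(ev))
    return {dev: sorted(r) for dev, r in flagged.items() if r}
```

Running `flag_rogue_devices(EVENTS)` flags only `dev-X`, for both the account velocity and the three configuration mismatches, while the two genuine customers' devices produce no reasons.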