New Attack Technique Against Banks Highlighted

Actimize, the provider of transactional risk management software for the financial services industry and a NICE Systems company, has warned banks and banking customers of a new attack vector – Man-in-the-Phone (MitP).

MitP blends new and old fraud techniques to trick banking customers into authorizing transactions via the phone channel. MitP builds on the successes realized from Man-in-the-Browser (MitB) attacks in which criminals use Trojans to infect a users’ Internet Browser to “modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application.” MitP also leverages ‘social engineering’, which in this case is the act of using trickery or deception during a phone conversation to convince an individual to divulge information.

In a typical MitP attack, a fraudster impersonates a bank representative and calls the banking customer to inform him/her that his/her savings, checking or card account may have been breached or compromised. The fraudster advises the customer that in order to remedy the situation he/she should remain on the line and verify a few account details. At the same time, the fraudster initiates a call to the customer’s bank and connects the customer with a real bank representative while the fraudster remains muted on the line. The bank requests authentication information, such as social security number, passwords and other personal information, which is then provided by the customer. Once the personal information is provided, the fraudster quickly ends the conference line and informs the customer that the issue has been resolved. Meanwhile, with the personal information gathered during the call, the fraudster can take over the customer’s phone banking relationship and transfer money out of the customer’s accounts.

Actimize recommends banks combine cross channel behaviour profiling and anomaly detection technologies with better call center processes and training. Call center employees should be trained to listen more closely and ask who originated the call. Attacks may be thwarted or losses minimized if bank employees ask simple (but random instead of static) security questions at various points in the phone conversation when confirming personal credentials. Fraudsters are less likely to trick customers into sharing answers to several security questions.

“We help many of the largest retail banks, investment banks and brokerage firms protect themselves and their clients from all types of cross-channel fraud attacks,” says Paul Henninger, director of fraud solutions at Actimize. “We’ve noticed an accelerating trend in Man-in-the-Phone attacks. We hope that by publicising this new trend, we can help reduce its impact on individuals and our banking clients.”


Related reading