18 April 2009

Automation of Bank Card Fraud

I was interested to read about an old scam resurfacing with modern technology, as reported in the Police blotter of the Denton, Texas Police Department.

The scam is as follows. An automated calling system is programmed with an "Interactive Voice Response" (IVR): a set of audio menus to which the callee must respond by pressing digits on their phone. Such calling systems are cheap and easy to set up, e.g. using the great open source software Asterisk.

The initial call plays a message that identifies itself as coming from a local bank (which is, of course, a lie). The message tells the callee that there is a problem with their credit card, and that it has been blocked. (More lies.)

In order to solve the problem, the callee is invited to enter their credit card number, expiration date, CVV code and other confidential details, and to record their name and address. This might be done using the touch-tone system (for the numbers), and with simple audio recording for the name and address.

The scammers will often use a phone link that is able to block caller ID (typically by routing using SIP through a VoIP provider over an anonymous relay), or they will spoof the Automatic Number Identification to pretend that the call originates from the genuine business.

As soon as the hapless victim falls for the scam, their credit card details will usually be sold on via an aggregator to the next stage in the criminal chain, who will then use the stolen information to order goods over the Internet. These goods are then usually laundered through yet more victims, who think they are working at home for a real business.

The insidious aspect of these crimes is that the originator is very hard to track down (and may be operating offshore). Furthermore, because the process is automated, they can program the system to call tens of thousands of targets without any additional effort -- and if even 1% of the victims fall for the scam, then the criminals are making money.

What can be done? In the absence of good technical solutions that would make it easier for law enforcement to track down such criminals, and given the lack of strong international policing cooperation, such criminals can operate with relative impunity. Therefore, our only option is to get the word out, and educate the intended victims to never give confidential information over the phone, especially to automated calling systems.

If someone calls you claiming to be from a bank with whom you do business, then ask for a number and call them back -- but even this might not be enough, so check on the Internet whether that number is listed for your bank.


Philippe Hieronimus said...

Thanks Paul for this reactualized description of the IVR scam.
In any matter, the 1st line of defence is education. This is why banks should have active communication programs with respect to fraud.

ses said...

nice article