Press 4 To Give Us All Your Money

I guess it had to happen: phishers are not only trying to snag you by setting up fake banking websites, now they’re trying to snag you by setting up fake switchboards too.

Tim McElligott writes in Telephony Online that scammers “posing as a financial institution and using a VoIP phone number e-mailed people asking them to dial the number and enter the personal information needed to gain access to their finances.” Simply put, the phishers in this case aren’t directing you to a fake website where you enter your password and other data sufficient for them to empty your account; they’re directing you to an automated phone service, where you’d give the same details.

The information comes from Cloudmark (“the proven leader in messaging security solutions for service providers, enterprises and consumers”), which claims in a press release that it has seen two separate such attacks this week:

In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem. Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR [an automated voice menu] system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN.

As Telephony Online points out, setting up this kind of phone network is easy. “Acquiring a VoIP phone number is about as hard as acquiring an IP address or a domain name,” it quotes Adam O’Donnell, senior research scientist at Cloudmark, as saying. “Phishers figured out how to quickly and fraudulently get that information a long time ago.” An old PC with a voice modem card and a little PBX software, O’Donnell says, gives you a company phone tree that can sound exactly like your bank.

This all makes sense. Indeed, we should have seen it coming. It’ll be interesting to see how banks cope with this. Right now their argument has been that if in doubt, a customer should phone them. That is no longer as watertight an option. They could argue that customers should not respond to any email they receive, but that’s also not always true. Banks and other financial institutions need to communicate with customers.

One solution to this is the signature: Postbank last month launched a service where all its emails to customers come with an electronic signature. The only problem with this is that most email clients don’t support the service — only Microsoft Outlook. This is a bit like giving customers a lock that only works on certain kinds of door.

Perhaps banks are just going to have to pick up the phone. If customers are now under threat from automated phone trees, maybe the solution is not more technology, but less? A cost the phishers are unlikely to be able to bear would be an actual voice on the other end of the line that sounded familiar and authentic. The only question then would be for the customer to establish the authenticity of the banking assistant.

Phishing Pushes Banking To Impose Transfer Limits

Internet banking takes another knock with news from AP that Germany’s biggest retail bank Postbank has imposed an online transaction limit.

Germany’s biggest retail bank, Postbank, said Monday it was imposing a €3,000 (US$3,860) limit on online transfers in an effort to protect customers against e-mail “phishing” scams.

The bank, which has 11.5 million depositors and is majority-owned by postal company Deutsche Post, said the move was meant as a precautionary measure and none of its clients had suffered harm from the high-tech form of identity theft.

Postbank said the limit, which will not apply to standing orders, was a response to the “heightened security needs of customers” and should make online fraud less attractive.

I don’t think Postbank is the first to do this, but it’s probably the first to draw a direct line between such a measure and the fact that customers are now more at risk than they’ve ever been. Most banks, I suspect, introduce these measures without really announcing them to the public.

I don’t, for the record, think this is the best way of tackling the problem. All this means is that accounts can’t be emptied in one go — in most cases this wouldn’t have been possible anyway, because of other limits on bank transfers. But what I think will happen is that phishers will concentrate on accessing accounts surreptitiously and maintain their access to those accounts without the knowledge of the users, setting up standing orders themselves that gradually empty accounts.

Of course, some customers will notice this kind of thing, but we’re likely to see phishing combine with more sophisticated efforts — such as those illustrated by Fabrice Marie in March — to gain access to accounts for more complex purposes than merely emptying them.

What I would like to see is some sort of dual- or triple-layered authorisation process for any kind of transaction or alteration of settings/standing orders/notification within accounts. Before making any such transaction or configuration change, the user would be required to enter data from a separate device, or else confirm via email or SMS or phone before the change/transfer was made. I think we have to stop assuming that entry/logging in is the main security fence. Phishers, scammers and social engineers have shown that is not the real issue. There are other ways to get in, so the security has to be at the transactional level, however much it upsets the user.
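One way to implement the transaction-level authorisation described above, as an added example that is not part of the original post and not any bank’s actual system: a logged-in session is never enough on its own to move money or change a standing order. Each sensitive action gets a one-time confirmation code that is bound to the exact details of that action (account, recipient, amount), is delivered over a separate channel (SMS, email or a token device, simulated here by simply returning the code), expires after a few minutes and can be used once. The server secret, account numbers and amounts are constructed sample values.

```python
"""Transaction-level authorisation with an out-of-band confirmation code.

Added example (not from the original post). A phisher who has captured the
login credentials still cannot execute a transfer or standing-order change:
the confirmation code is tied to the action details, so a code the customer
confirmed for one recipient does not work for another, and a captured code
cannot be replayed after it is used or after it expires.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # constructed policy value: code valid for five minutes
MAX_ATTEMPTS = 3         # constructed policy value: wrong guesses before discard


@dataclass(frozen=True)
class Action:
    """A sensitive operation: a transfer or a standing-order change."""
    kind: str          # e.g. "transfer" or "standing_order"
    account: str       # customer account the action applies to
    recipient: str     # beneficiary account
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order so the same action always serialises the same way.
        return f"{self.kind}|{self.account}|{self.recipient}|{self.amount_cents}".encode()


@dataclass
class PendingChallenge:
    action: Action
    code_hash: bytes   # only a keyed hash of the code is stored, never the code
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class TransactionAuthoriser:
    """Issues and verifies per-action confirmation codes."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now                      # injectable clock for testing
        self._pending: dict[str, PendingChallenge] = {}

    def _hash_code(self, action: Action, code: str) -> bytes:
        # Binding the action details into the hash means a code issued for one
        # recipient/amount cannot be presented against different details.
        msg = action.canonical() + b"|" + code.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue_challenge(self, action: Action) -> tuple[str, str]:
        """Create a challenge; returns (challenge_id, code to send out of band)."""
        code = f"{secrets.randbelow(10**6):06d}"        # six-digit one-time code
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = PendingChallenge(
            action=action,
            code_hash=self._hash_code(action, code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        # A real deployment would send `code` via SMS/email/token device, and the
        # message should repeat the recipient and amount so the customer can
        # spot a request they did not make.
        return challenge_id, code

    def confirm(self, challenge_id: str, action: Action, code: str) -> bool:
        """Return True only if `code` matches this challenge for exactly this action."""
        challenge = self._pending.get(challenge_id)
        if challenge is None or challenge.used:
            return False
        if self._now() > challenge.expires_at:
            del self._pending[challenge_id]              # expired: discard
            return False
        expected = self._hash_code(action, code)
        if not hmac.compare_digest(expected, challenge.code_hash):
            challenge.attempts_left -= 1                 # wrong code or altered details
            if challenge.attempts_left <= 0:
                del self._pending[challenge_id]          # stop guessing
            return False
        challenge.used = True                            # single use: no replay
        return True


def demo() -> dict:
    """Walk through the honest case and three failure cases on constructed data."""
    clock = [1_000_000.0]                                # controllable fake clock
    auth = TransactionAuthoriser(b"constructed-demo-secret", now=lambda: clock[0])
    honest = Action("transfer", "ACCT-0001", "BENEFICIARY-A", 150_000)
    cid, code = auth.issue_challenge(honest)
    results = {}
    # The confirmed code presented with a different recipient is rejected.
    altered = Action("transfer", "ACCT-0001", "BENEFICIARY-B", 150_000)
    results["altered_recipient"] = auth.confirm(cid, altered, code)
    # The customer confirms the action they actually requested.
    results["honest"] = auth.confirm(cid, honest, code)
    # The same code presented again is rejected.
    results["replay"] = auth.confirm(cid, honest, code)
    # A code presented after its lifetime is rejected.
    cid2, code2 = auth.issue_challenge(honest)
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = auth.confirm(cid2, honest, code2)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the check sits at the transaction, not at login: the code is worthless to anyone who cannot read the second channel, and even then it only authorises the one action the customer saw described in that message.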

Bottom line: Don’t remove services from online banking to deter fraud because all you do is undermine its usefulness, and likely dissuade users from using it. Better to add multiple layers of security that may inconvenience the user but which help them to feel safer. In the end, they’ll still figure it saves them going to the bank, or spending hours diving through voice-driven menu options via phone-banking.