Fraudsters are turning to VoIP systems to craft more convincing phishing attacks. The FBI's Internet Crime Complaint Center (IC3) warned last week of an "alarming" rise in the volume of so-called vishing attacks targeting US financial institutions and consumers. Phishing attacks commonly take the form of forged emails that …
I blame the banks for this. They and other financial institutions (insurers etc.) still ring up and then ask for security information to validate who they are speaking to. The operators then get very confused when you go off script and first request that they validate who they are.
Next attack vector: phony bank statements and forged telephone books.
How does this connect with VoIP at all? Really, all this could be done over a regular phone. I guess the criminal could be using VoIP to be more mobile and less traceable, but that is not outlined in the article.
Phone Number Validation
We're doomed, doomed I tell you. Given the general level of idiocy of the population (*any* population), no matter what warnings you sound or safeguards you set up, the idiots *will* fall for vishing calls, just as today they fall for phishing emails.
Trying to stop this inevitable stupidity is akin to King Canute telling the tide to turn back. (At least Canute knew he had no such power.)
Perhaps the law should be changed so chickens come home to roost: if you reveal your banking information to a third party, the resultant losses are strictly your business. Let the banks off the hook. There'll be a great weeping and wailing and gnashing of the teeth by the bleeding hearts, but good Lord! if your bank sends you a printed warning "DO NOT DO THIS" and you ignore it, surely you have to take some personal responsibility, no?
In fact, we might even encourage the 419 scammers: the more folks they take for a ride, the sooner word will get around that responding to such nonsense is Not A Good Idea.
I want to bear Paris's babies, but will settle for "Outlook not so good" as, indeed, the outlook is not good today.
Using standard PSTN telephony it's almost impossible to fake your CLI, so CallerID could previously be trusted. In fact at least one financial institution was known to use CallerID to automatically authenticate larger, frequent calling clients.
Using many VoIP providers it is still possible to (illegally) set your choice of CallerID, with no verification that you own the number in question. I'm pleased to report that Asterisk2Billing, a GPL VoIP routing & billing platform, already has the ability to limit customers to CallerIDs they're entitled to use.
For all our sakes let's hope the banks soon realise that authentication is a two-way street. My personal experience of trying to get my bank to tell me something a 3rd party wouldn't know before I divulged the password they sought involved the bank's operative becoming very uncooperative: "I'll just put a note you've refused to speak to us." "You misunderstand me. I'm quite happy to talk to you once you have proven you really are calling from my bank." "<click>"
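The post above notes that many VoIP providers pass through whatever CallerID the customer asks for, and that Asterisk2Billing can limit customers to the numbers they are entitled to use. The following is an added example of that kind of check, written for this page; it is not code from Asterisk2Billing or from any carrier. It assumes a constructed per-account entitlement table, UK-style trunk ("0") and international ("00") dialling prefixes, and that the number the customer wants presented arrives in a P-Asserted-Identity or From header of a SIP INVITE. A carrier that applies this at the edge either passes the requested CLI through, replaces it with a number the account actually owns, or refuses the call.

```python
"""Enforce outbound caller-ID entitlement on a SIP INVITE.

Added example for this discussion, not code from Asterisk2Billing or any
provider. The entitlement table and the sample INVITE are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed entitlement table: SIP account -> E.164 numbers it may present.
ENTITLED = {
    "acct1001": {"+441632960123", "+441632960124"},
    "acct1002": {"+442079460000"},
}

HEADER_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>.*)$")
# User part of a sip:, sips: or tel: URI, stopping at @, parameters or '>'.
URI_USER_RE = re.compile(r"<?(?:sips?|tel):(?P<user>[^@;>]+)")


def parse_headers(invite: str) -> Dict[str, str]:
    """Return {lower-cased header name: value} for a SIP request.

    The request line is skipped and the blank line ends the header section.
    Header folding and compact header names are not handled here."""
    headers: Dict[str, str] = {}
    for line in invite.split("\r\n")[1:]:
        if not line:
            break
        m = HEADER_RE.match(line)
        if m:
            headers[m.group("name").strip().lower()] = m.group("value").strip()
    return headers


def normalise(number: str, default_cc: str = "44") -> Optional[str]:
    """Reduce a dialled-number user part to E.164 (+CC...), or None if it is
    not a plain number. Assumes '00' as international prefix and '0' as the
    national trunk prefix (UK-style); other plans would need their own rules."""
    digits = re.sub(r"[^\d+]", "", number)
    if not re.fullmatch(r"\+?\d{6,15}", digits):
        return None
    if digits.startswith("+"):
        return digits
    if digits.startswith("00"):          # international prefix, check before '0'
        return "+" + digits[2:]
    if digits.startswith("0"):           # national trunk prefix
        return "+" + default_cc + digits[1:]
    return "+" + digits


def presented_number(headers: Dict[str, str]) -> Optional[str]:
    """The CLI the caller asks us to present: P-Asserted-Identity if offered,
    otherwise the user part of From."""
    for name in ("p-asserted-identity", "from"):
        if name in headers:
            m = URI_USER_RE.search(headers[name])
            if m:
                return normalise(m.group("user"))
    return None


def enforce_caller_id(account: str, invite: str) -> Tuple[str, Optional[str]]:
    """Decide which CLI to send onward for this account's INVITE.

    Returns ("allow", n) when the requested number is one the account owns,
    ("rewrite", n) substituting the account's first entitled number when it
    is not, and ("reject", None) when the account owns no number at all."""
    entitled = sorted(ENTITLED.get(account, ()))
    if not entitled:
        return ("reject", None)
    requested = presented_number(parse_headers(invite))
    if requested in entitled:
        return ("allow", requested)
    return ("rewrite", entitled[0])


# Constructed INVITE in which a customer tries to present a number that
# belongs to someone else ("Your Bank"), as a vishing caller would.
SPOOFED_INVITE = (
    "INVITE sip:+441632960999@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-demo\r\n"
    "From: \"Your Bank\" <sip:02079460000@carrier.example>;tag=abc\r\n"
    "To: <sip:+441632960999@carrier.example>\r\n"
    "Call-ID: demo-1@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for acct in ("acct1001", "acct1002", "acct9999"):
        print(acct, enforce_caller_id(acct, SPOOFED_INVITE))
```

Run as a script it prints the decision for each constructed account: acct1001 gets its own number substituted, acct1002 (which really owns +442079460000) is allowed through, and an unknown account is rejected. The "rewrite" rather than "reject" choice for a mismatched but otherwise valid account is a policy decision; a stricter carrier would reject and log.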
Almost good. The second (missing) part is to make ID fraud a crime. As it is now, there is nothing the victim (at least one in the UK) can do to put the thief where he belongs. So, if sheep are about to regret their stupidity, there must be some option for them to do next. Like call the authorities and provide all the help needed to catch the criminal. And, possibly in the future, try to recover the money in a civil case.
I hereby request that the word "vishing" be stricken from the record and never written again. It is a silly word.
It would help a bit if banks and other institutions included in any outgoing emails a couple of characters from a second password, and in any call they initiated, offered to validate their identity with a couple of characters of your choice.
I got one of those Paypal "account suspended" emails and as far as I could tell, it was a real one - the only difference between a fake one and a real one appears to be that Paypal never includes a URL in theirs so you have to go to the website under your own steam. Of course, they then screw up the revalidation process so that the account remains suspended because they never send out something they were supposed to.
Authentication is a two-way street
Steve Dommett said: My personal experience of trying to get my bank to tell me something a 3rd party wouldn't know before I divulged the password they sought involved the bank's operative becoming very uncooperative: "I'll just put a note you've refused to speak to us." "You misunderstand me. I'm quite happy to talk to you once you have proven you really are calling from my bank." "<click>"
You've hit the nail on the head! I could not agree with you more. I've had exactly the same response (almost verging on hostile) when seeking to verify the authenticity of an UNSOLICITED business call that is being made to me.
One of the worst offenders used to be BT. They would call me up of an evening (uninvited, I might add) and then they'd promptly dive into a bunch of questions about my ID with barely a "Hello" to start the conversation. This would be bad enough were it not for the fact that their caller ID would come up as "Number Withheld" (not even as "Number Unavailable"). I'd then get into a big barney with them about the fact that if BT themselves can't even be bothered to assign themselves a caller ID number, then I'm not going to take the risk of divulging any personal information (especially as I had not asked them to contact me). Anyone can 141 their number and then start asking a bunch of questions for "verification purposes". Presumably BT could assign any number they wish, so they could even display numbers like "150" etc.
I found that BT would not even answer the most innocuous of questions - (e.g. the amount of pence stated on the balance of my last bill.)
BT have since fixed their caller ID (although they display 0800 numbers rather than special operator style numbers like 150 etc.) but on principle I will not engage with any business that calls me (unprompted) unless they are prepared to verify who they are. I just explain my reasons to them and then I hang up. If the call would be of any benefit to me then I'll just call them back on their main switchboard number (although in most cases, these unsolicited calls are just about bugging you into signing up for some new costly services).
It's easy to do on an ISDN line?
Would not work too well, since carriers like AT&T and Southern Bell refuse to accept caller ID info from VoIP companies.
Not on any of the ISDN lines I've seen. You need to instruct BT before they will permit you to use even your inbound DDI numbers as outbound CLIs, as they are not enabled by default. Other carriers may differ in their default provisioning for PRI.
ISDN also carries two flags alongside each signaled number to indicate whether or not the supplied CLI is verified to be genuine, and something else closely related that I can't remember the details of currently.
My bank was entirely happy when...
... I asked them to prove who they were when they called me unexpectedly, on a couple of occasions. They said phone back on the usual number, they'll do the usual security game, you then ask to talk to department (whatever) and off we go, no problem.
So it can be done right (this bank has UK only call centres, which might or might not be relevant).
ISDN & Caller ID
This is for BT lines, other providers may vary ...
As far as I can recall, on ISDN you can use any of the numbers assigned TO THAT LINE as your outbound ID - as long as your equipment supports it. To use other numbers you have to go through a process which I assume validates the number is actually yours to use (it's not something I've done).
On incoming calls, on an ISDN line, there is a flag to indicate what part of the number is customer supplied. At my last place I was used to seeing caller IDs of the form 01234567x890 where the 890 was the customer supplied part of the number.
Unfortunately, the switch we had didn't support setting the outbound ID on DASS2 trunks and we couldn't justify the cost of upgrading the system to I.421. I know that at our warehouse, it worked fine on the I.420 ISDN-2 lines they had.
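Two posts above refer to the flags ISDN carries alongside the calling number: one that says whether the CLI was verified to be genuine, and a related one the poster could not recall, plus the later note that part of an incoming number can be customer supplied. In ITU-T Q.931 these live in octet 3a of the Calling Party Number information element: the presentation indicator (allowed, restricted, or not available) and the screening indicator (user-provided and not screened, user-provided and verified, or network provided). The decoder below is an added example written for this page, not code from any switch vendor or from BT; the three sample elements are constructed, and the "trustworthy" rule is one reasonable policy, not a standard. It shows why a withheld (141) number and an unscreened user-supplied number should be treated differently from a network-provided one even though all three arrive as "the caller's number".

```python
"""Decode the Q.931 Calling Party Number information element.

Added example for this discussion; the sample IEs are constructed, and
the trust policy in CallingPartyNumber.trustworthy() is an assumption.
Layout (ITU-T Q.931): IE identifier 0x6C, length, octet 3 (ext bit,
type of number, numbering plan), optional octet 3a (ext bit,
presentation indicator, screening indicator), then IA5 digits.
"""
from dataclasses import dataclass
from typing import Optional

CALLING_PARTY_NUMBER_IE = 0x6C

TYPE_OF_NUMBER = {0: "unknown", 1: "international", 2: "national",
                  3: "network specific", 4: "subscriber", 6: "abbreviated"}
NUMBERING_PLAN = {0: "unknown", 1: "ISDN/telephony (E.164)", 3: "data (X.121)",
                  4: "telex (F.69)", 8: "national standard", 9: "private"}
PRESENTATION = {0: "presentation allowed", 1: "presentation restricted",
                2: "number not available"}
SCREENING = {0: "user-provided, not screened",
             1: "user-provided, verified and passed",
             2: "user-provided, verified and failed",
             3: "network provided"}


@dataclass
class CallingPartyNumber:
    number: str
    type_of_number: str
    numbering_plan: str
    presentation: Optional[str]   # None when octet 3a is absent
    screening: Optional[str]      # None when octet 3a is absent

    def trustworthy(self) -> bool:
        """Policy (assumption): trust the CLI only when the network vouches
        for it, i.e. it set the number itself or verified the user's one."""
        return self.screening in ("user-provided, verified and passed",
                                  "network provided")


def decode_calling_party_number(ie: bytes) -> CallingPartyNumber:
    """Parse one Calling Party Number IE (identifier byte included)."""
    if len(ie) < 3 or ie[0] != CALLING_PARTY_NUMBER_IE:
        raise ValueError("not a Calling Party Number IE")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated IE")

    octet3 = body[0]
    ton = (octet3 >> 4) & 0x07          # bits 7-5: type of number
    npi = octet3 & 0x0F                 # bits 4-1: numbering plan
    pos = 1
    presentation = screening = None
    if (octet3 & 0x80) == 0:            # ext bit 0: octet 3a follows
        if length < 2:
            raise ValueError("octet 3a announced but missing")
        octet3a = body[1]
        presentation = PRESENTATION.get((octet3a >> 5) & 0x03, "reserved")
        screening = SCREENING[octet3a & 0x03]
        pos = 2
    number = body[pos:].decode("ascii")
    return CallingPartyNumber(number,
                              TYPE_OF_NUMBER.get(ton, "reserved"),
                              NUMBERING_PLAN.get(npi, "reserved"),
                              presentation, screening)


# Constructed sample IEs for the national E.164 number 01234567890.
# octet 3 = 0x21: ext=0 (3a follows), national, E.164.
# octet 3a: 0x80 (ext=1) | presentation << 5 | screening.
NETWORK_PROVIDED = bytes([0x6C, 0x0D, 0x21, 0x83]) + b"01234567890"  # PI allowed, SI 3
USER_UNSCREENED = bytes([0x6C, 0x0D, 0x21, 0x80]) + b"01234567890"   # PI allowed, SI 0
WITHHELD = bytes([0x6C, 0x0D, 0x21, 0xA3]) + b"01234567890"          # PI restricted, SI 3
# octet 3 = 0xA1: ext=1, so no octet 3a and therefore no screening information.
NO_OCTET_3A = bytes([0x6C, 0x0C, 0xA1]) + b"01234567890"

if __name__ == "__main__":
    for label, ie in (("network provided", NETWORK_PROVIDED),
                      ("user unscreened", USER_UNSCREENED),
                      ("withheld", WITHHELD), ("no octet 3a", NO_OCTET_3A)):
        cpn = decode_calling_party_number(ie)
        print(f"{label:17} {cpn.number} {cpn.presentation} / {cpn.screening}"
              f" -> trust={cpn.trustworthy()}")
```

The point of the policy method is the one the thread circles around: a PBX or VoIP gateway behind a PRI can supply any digits it likes, and unless the carrier screens them the number reaches the far end with screening indicator 0. A bank (or anyone) that authenticates callers on the number alone should at least insist on "verified and passed" or "network provided" before trusting it.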
I wouldn't be so confident. Sure, it can't be done via any well configured and administered carrier but you must realise it only takes one carrier (anywhere in the world) to not be so careful for you to be at risk.
...is useless in the face of people so hopelessly ignorant about security, they do not even know how to recognize the padlock icon indicating a secure connection in a Web browser.
Two-way authentication is only valuable to folks already cognizant enough about security that phishing and vishing attacks are unlikely to succeed against them anyway.
The bankers and the PC industry are at fault!
PC security is a mess! But we have known that for a while...
The Trusted Computing Group ( http://www.trustedcomputinggroup.org ) and its member companies have solved the problem of "strong authentication" with the use of the Trusted Platform Module (TPM) that today ships on virtually all enterprise class PCs (notebooks and desktops). The solution to phishing and vishing exists today.
Where the blame comes in is that the OEMs have not yet implemented this technology into consumer platforms: it is a shame and it borders on corporate irresponsibility.
I have made my bank aware of the Trusted Computing technology and have advised them that I will use all the legal possibilities should my data (identity) ever be compromised due to the lack of TC implementation.