Cybercriminals are now brazen enough to phone you up before hacking your bank accounts. Gordon Holmes investigates the worrying phenomenon of voice phishing, or vishing
During the 1930s one of the USA's most prolific bank robbers, Willie Sutton, was eventually captured by the FBI. The arresting agent asked him, "Why do you rob banks, Willie?" Willie replied, "Because that's where the money is." Some eighty years later today's cybercriminals still follow this reasoning. My internet banking contacts continue to be involved in combating attacks on their systems launched primarily through infected customer machines. The use of social engineering via telephone to obtain banking credentials, known as voice phishing or "vishing", is also causing headaches.
There would appear to be a spike in vishing attacks at the moment, so let me lead you through just how these latest attacks are being perpetrated. First, the customer is contacted on their registered telephone, and the fraudster states that they are from the bank and are investigating suspicious, usually foreign, transactions on their account.
Fraudsters then lead the customer through some made-up security questions, and ask for details of the last three legitimate transactions. The customer is then told that all cards associated with the account will be replaced, and that online accounts will need to be reset. The fraudster continues to tell the customer that, as a result, one-time passwords will be sent by text and that they will call back to test if these passwords are working.
The customer is asked for their online login details (I'm sad to report that these have been surrendered in quite a lot of cases), and as the phone call continues the fraudster logs in to the customer account and new beneficiary accounts belonging to criminal money mules are created. The creation of new beneficiary accounts leads to one-time passwords being sent by text to the registered phone as part of the two-factor authentication system employed by the bank, but as the customer has been primed by the fraudster to expect such a text, there is no suspicion that the account has been compromised.
The fraudster then calls the customer back and asks them to read out the one-time password that has been sent by text. This password is used by the bad guys to authenticate the new beneficiary and money is stolen from the account.
This method of theft is currently enjoying a large amount of success, but it can be defeated as long as you are thinking straight. If you receive a call from someone claiming to be from your bank, first get their name, telephone number and department and then put the phone down.
Next, call your bank from a different telephone, if possible, and check the information the original caller gave you. You should call from a different phone as there have been instances where fraudsters have stayed on the line, only to answer, once the victim has finished dialling, with the name of their bank.
Two-factor authentication can be an effective security control, but not if you deliver the password into the hands of the bad guys. I'm not going to labour the point, but never give any details to anyone over the phone. This might sound like obvious advice, but the authentic-sounding script the fraudsters use can be surprisingly effective.
So where are the bad guys getting all this juicy information, such as your phone number and the bank you use? It's more than likely that this is coming from a compromised and malware-infected computer, so run your regular scans and download the security software that many banks supply. You are less likely to run into problems reclaiming your stolen cash if you have a bank's security software installed, and can always say that you took all reasonable steps to prevent a computer compromise.
Many banks can tell if your machine is infected with malware as soon as you connect to their internet banking services, thanks to some pretty sophisticated fraud engines sitting in the online banking infrastructure. The question is, should the banks let you know if you are using a compromised machine?
I would argue that yes, they should. In my view the banks have a duty of care to their customers and, let's face it, if they know your machine is compromised with malicious software and merely place you on a hotlist that subjects all your transactions to greater scrutiny, this still leaves you open to a multitude of other potential criminal actions.
This debate has been taking place for a number of years, with the banks stating that the cost of taking customers through a machine clean-up procedure would be prohibitive. I'm not so sure that to leave you to carry on oblivious to the infections running on your machine is particularly responsible behaviour, especially at a time when the banking sector's reputation is at an all-time low.
I'm aware that this subject has come to the notice of a couple of regulators in this sector, and I wait with interest to see what they make of the current state of affairs. I'm guessing that the outcome won't be in the banks' favour, and in my opinion a change is long overdue.