As consumers adopt new technologies to do “routine” tasks, and as companies roll out new ways to interact with business services centered on the web and mobile devices, provisions have to be made to support those customers who for whatever reason do not have access to the necessary tools and gadgets. A company needs to make decisions about how, and how long, to continue to support what are essentially obsolete processes, and when to begin to limit that support. One place where we continue to see this tension between new and old manifest itself is with the telephone. It is telling that in 2013, most automated telephone systems in use in corporate America still make allowances for customers who may still have rotary dial phones.
But this nexus between machine – intermediated service delivery and the older human – intermediated kind can result in unexpected security risks. This is, after all, the golden age of digital identity theft and technology based fraud, and any customer-facing solution that bypasses the security and fraud detection systems in use is vulnerable to exploitation by a criminal element that is both faster to adapt and more innovative than we like to think.
Financial services companies are finding that identity thieves are exploiting this ‘soft authentication’ vulnerability by calling their call centers with just enough information about a given user to phish for more info by claiming to have ‘forgotten’ specific properties of their account. By spoofing or blocking their Caller ID information and repeatedly calling to collect only small amounts of specific information at a time, they can build a complete user profile and use it to open other accounts, transfer funds, purchase goods and even apply for credit. Now obviously, from an information security standpoint, the easy solution to this kind of problem is a more effective authentication regime. A basic 2 factor system where the inquiry automatically sent an authentication code to the user’s smart phone via SMS would prevent the vast majority of this kind of fraud. But that’s the point – these systems are designed to support customers who are not users of any technology more complex than a telephone.
So is there a way to leverage technology to detect these kinds of phishing attacks and interdict them before they can successfully gather enough information to create a fraudulent identity? Behavioral profiling offers a solution. The beauty of modern security intelligence and analytics is it can be used to detect unusual or outlier behaviors anywhere within the network stack. So it becomes a relatively straightforward process to monitor for access outliers based on frequency of access anywhere from the call center application all the way back to the customer database.
The Securonix security intelligence platform offers the power and flexibility to connect to virtually any network resource, ingesting and analyzing user and transaction information from database logs, Database Access Management utilities, Identity management tools, Directory Services and even the application level logs themselves. So in the case of this kind of “old school” fraud, the weakness becomes the requirement that in order to reduce suspicion, the attacker must make multiple calls claiming to be the same user. It becomes a fairly simple matter to monitor access to customer records from the call center over time and flag those that exceed a specific threshold for more stringent authentication.
When you add intelligent security analytics to your existing network infrastructure, you gain a highly flexible capability to continuously monitor any network event or activity you can capture for risk and threat, providing a real-time intelligence on the millions of events as they occur, and feeding those unusual or suspicious events to a dashboard for immediate action or investigation. This gives the enterprise security team a tremendously flexible capacity for looking at users and activities anywhere on the network, detecting not just the most advanced attacks, but the most primitive ones too.