VIDEO: Pindrop's CEO explains how phone fraud works, how it is now the domain of organized hacking groups and where technology can be applied to limit the risk.
Hacking isn't just about taking advantage of server vulnerabilities; attackers can also target phone systems and call center technology and staff. One of the vendors sitting on the front line of the phone fraud battle is Pindrop Security.
In a video interview with eWEEK, Vijay Balasubramaniyan, co-founder, CEO and CTO of Pindrop Security, explains what the current landscape is for phone fraud. His firm recently conducted its own audit of millions of calls and the associated fraudulent activities.
Pindrop found that attackers leveraged multiple techniques including social engineering in order to gain privileged information. Balasubramaniyan said that phone fraud attackers have been able to convince call center staff to give out information.
"We had access to 105 million calls, coming from 18 million phone numbers, accessing 12 million different accounts," Balasubramaniyan said.
Balasubramaniyan noted that the calls were made to Pindrop customers, and Pindrop got access to call information, including audio from the actual calls. Pindrop got access to call audio, only for a maximum of 21 days on-premises at the customer site.
In order to spot phone fraud, Pindrop's technology looks for anomalous behavior. For example, the Pindrop system will audit telephone numbers to identify location and typical usage. Audio characteristics of a call are also leveraged to help identify potential fraudulent calls.
Balasubramaniyan said that Pindrop extracts about 147 different audio characteristics from a call record that can be used to uniquely identify a phone device.
"So if we see the same device attempting to access 20 different accounts, that's an example of an anomaly," Balasubramaniyan said.
Looking across his data set of 105 million calls, Balasubramaniyan said that he was surprised to find how organized phone hackers currently are. There are multiple levels within phone hacking organizations for each stage of user exploitation, ranging from automated systems to social engineering of call center staff.
Talking specifically about one phone hacking gang operating out of West Africa, Balasubramaniyan said that the group had a consistent plan of attack. First, the attackers would call into a call center and attempt to change the email and physical address of a victim, as well as phone numbers associated with a given account. After that, they would call in asking for the account balance, and after that, the next call will be a request for a wire transfer of funds.
Balasubramaniyan was also surprised at the number of different tools used by phone hackers when they try and social-engineer call centers.
"They will actually change their voices, depending on the type of account they are trying to target," Balasubramaniyan said.
Watch the full video interview with Balasubramaniyan below:
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.