Posts

Top 5 Vishing Techniques

“Vishing” occurs when criminals call victims on the phone and attempt to lure them into divulging personal information that can be used to commit identity theft.

The name comes from “voice,” and “phishing,” which is, of course, the use of spoofed emails designed to trick targets into clicking malicious links. Instead of email, vishing generally relies on automated phone calls, which instruct targets to provide account numbers.

Vishing techniques include:

Wardialing: This is when the visher uses an automated system to call specific area codes with a message involving local or regional banks or credit unions. Once someone answers the phone, a generic or targeted recording begins, requesting that the listener enter bank account, credit, or debit card numbers, along with PIN codes.

VoIP: Voice over Internet Protocol, or VoIP, is an Internet-based phone system that can facilitate vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing. VoIP has known flaws that allow for caller ID spoofing. These tools are typically used to populate the caller ID with a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One time and tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once the visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams, educate yourself. Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to be up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to be coming from a trusted organization, call that entity directly to confirm their request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

How Much Longer Does the Magstripe Have?

Every U.S.-based credit card has a magnetic stripe on the back. This stripe can be read and rewritten like a rewritable burnable CD, using card burners that are easily available online.

The simplicity of the magstripe’s design, coupled with the availability of card reading and writing technology, results in billions of dollars in theft and fraud.

EAST, the European ATM Security Team, recently released European ATM crime statistics for January through June of 2010. Apparently, skimming at European ATMs increased by 24%, with 5,743 attacks reported in the first six months of 2010, compared with 4,629 during the same period in 2009. There haven’t been so many skimming attacks since EAST began measuring these statistics in 2004.

During this same time frame, however, while incidents of skimming have risen, the associated financial losses have dropped. This is because the cards being skimmed have an additional layer of security known as chip and PIN technology, or EMV, which stands for Europay MasterCard Visa.

But because these cards still have magnetic stripes, they are still being skimmed. The stripe is there for the convenience of cardholders who travel to the United States or the handful of other countries that still rely on the magstripe technology. Chip and PIN cards without magstripes are standard in Europe.  As skimming continues, the issue of whether to discontinue the magstripe is bound to come to a head. The European Central Bank’s most recent progress report states:

“In line with Europol’s stance on the future of the magnetic stripe and in support of the industry’s efforts to enhance the security of cards transactions by migrating from the “magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards.”

In the United States the United Nations Federal Credit Union has adopted  chip and PIN technology and Walmart is demanding it. Further, Travelex, the world’s largest non-bank foreign exchange currency provider, introduced America’s first prepaid foreign “currency cards” available in Euros and British Pounds that utilizes chip & PIN technology.  And based on what is happening in Europe, change is in the air.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)