Your Friends at “Account Services”
Having spent a significant amount of time developing fraud detection algorithms and security applications, I have become accustomed to envisioning the common would-be cyber attacker as an inanimate abstract entity completely devoid of human traits; a mere abstraction, a stick figure in my UML and Test Cases. This sterile view of mine, however, changed recently when I actually got a chance to spend some time one-on-one with a flesh and blood fraudster.
It started with a seemingly innocuous automated call from “Account Services”. The message informed me that I qualified for a limited time offer to lower my monthly credit card payments. I ignored that first call but shortly afterwards I received a second one. This time I opted to accept the call and was routed to a live representative. I told her that I was not interested in their services and did not want to be contacted by them again.
At the tail end of the conversation as I was about to hang up, I inquired about how they got my phone number (it’s both unlisted and on the DNC registry) and to my surprise, the representative said that it came from my bank. When I asked which one, she became evasive, telling me that her company serviced all major banks. That was the moment I realized that I was the target of Credit Card fraud actively in progress.
Suddenly, my stick figure cyber attacker was no longer virtual. Instead, it became a living and breathing human being, an arm’s reach away on the other side of the line. This, I realized, was a rare opportunity to interview an attacker. I asked the individual to call me back on another line and when the phone rang a few seconds later, I raised my foreign accent by a notch, plugged the phone into my MP3 player and hit the Record button.
The representative identified herself as “Michelle”. She sounded young, in her twenties. She spoke in a monotonous but confident voice, clearly a veteran of many exploits. The sales pitch was entirely script-based. She inquired about my current balance and asked if I had any interest in lowering my monthly payments. When I said, “I sure do,” she asked me for my bank and credit card information in order to “qualify” me. At that point we began a stubborn cat and mouse game where I was trying to get more information about her whereabouts and identity (real-phone number, e-mail, web address) while she was trying to get my bank and account information. This lasted for approximately 10 minutes all told.
It was only after I played back the recording and listened to it several times that I realized how sophisticated the operation was (you can hear the recording below).
The perpetrators of this scam had thought of the minutest details and prepared for every scenario. Some of the more interesting elements of the call included:
- Psychological Usage of Ambient Sound—Throughout the call, I could hear incoming phone calls and chatter in the background. This background recording, simulating a response hotline, was designed to create the illusion that I was talking to a busy call center. The objective of this subliminal messaging is similar to that used during TV fundraisers where operators are filmed sitting behind desks of ringing phones. All of it is meant to convince us that many others have already taken the plunge and that the water is “fine”.
- Call Traceability and Legitimacy—When I asked the rep where her call center was located she successfully identified the state that corresponded to the area code that appeared on my caller ID. I decided to test the number from my cell phone. The phone rang several times but when it was finally answered, I was routed to voicemail and encouraged to leave a message. The fact that the number yielded a response at all certainly made it appear legitimate.
- Well Scripted Dialogs—During the conversation, the rep responded in a consistent manner to my questions, reminding me (4 times) that I was being given the opportunity to lower my monthly interest payments. When I voiced my concern about the possibility that this call could be fraudulent, she responded calmly by stating (4 times) that even if this was the case, I would be covered for any losses by my credit card issuer as well as the Federal Consumer Protection Act.
- Plausibility—When I asked if I could call her back on another line to verify her number, she explained that hers was an outbound only call center. She also insisted that this was merely a screening call and that I was only a step away from being transferred to an account executive who would be happy to provide me with complete contact information.
- Professional Composure and Manners—Even though I asked her the same questions a number of times, she remained polite and composed, always maintaining a businesslike demeanor and projecting an image of a legitimate customer service representative.
- Effective Use of Higher Authority—When I insisted that not getting a manned phone number for the representative would be a deal breaker for me, she finally offered to transfer me to her manager. I was placed on hold (listening to Beethoven’s Für Elise) and was soon connected to another individual who identified herself as “LaFonda”, the floor supervisor. She sounded a bit older and more mature. She reiterated the previous sales pitch. When I finally told her that without being able to validate their authenticity I would not be able to give her my credit card number, she gave me the impression that they might deviate from their ‘account information first’ protocol. I was placed on hold again but shortly afterwards my original sales associate was back pitching the same story all over again. Finally, after one last failed sales attempt she quickly wrapped up the call and hung up.
Even though the call only lasted a relatively short time, I could not have wished for a better and more illuminating lesson. My mental image of the on-line fraudster has changed irrevocably. Whereas before I viewed fraud as an opportunistic low tech effort executed by crafty individuals, I now view it as a commercial enterprise, in many ways similar to a legitimate telemarketing niche industry. It employs a well trained workforce, cutting edge BI, telecom technology and a large database of would-be "customers".
In retrospect, the whole experience was both sobering and frustrating. It was sobering because I finally realized that at its core, fraud is propagated via subtle means and recognizing it requires the aggregation of many nuances which individually may appear inconsequential (note that until its collapse, each individual component of Bernard Madoff’s asset management operation appeared to be entirely legitimate). In my case, the red flag went up because of my experience in the financial industry. As a rule, the association between a specific “Credit Card Service” organization and all commercial banks is unlikely. For another individual however, this certainly could have been a plausible explanation and this applies to everything else that was said during the conversation.
The frustration, on the other hand, comes from the realization that my current toolbox of risk analysis and fraud detection routines (which are primarily based on triggers like transaction frequency, amount, location and history) cannot independently identify this type of fraud and will require for at least the foreseeable future some supplemental human supervision.
© Copyright 2009 Yaacov Apelbaum All Rights Reserved.