Vishing: To Have Your Identity Stolen, Press One
Of all the terms describing identity theft methods, “Vishing” (which stands for “Voice Phishing”) is perhaps the most ambiguous one. A simple Google query for the definition of the term shows just some of its multiple interpretations:
- “Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward.”
- “Vishing is a type of phishing attack that targets VoIP. It can be used by the attacker to steal the identities or money of the victim.”
- “Vishing attacks send text messages indicating that a person’s bank account information has been tampered with and asking mobile phone users to provide personally identifiable information either over the phone or by using the phone’s Internet browser.”
The term vishing was coined around the time that new types of phishing attacks started emerging, such as “spear phishing” and “whaling.” In vishing, instead of using fake websites to obtain victims’ credentials, fraudsters used telephone-based IVRs (Interactive Voice Response). Everyone is familiar with the technology, which enables a machine to identify a key press based on its tone. These are the annoying systems used by many organizations, designed to route calls to their correct locations and reduce load on human-based call centers. “For customer support – press one. For sales – press two.”
Over time, the term vishing was expanded to include any attack in which the phone channel was involved, such as cases where a message sent to the victim by e-mail or SMS instructs them to call a “customer support representative” for authentication. The fraudster answers the victim’s call and proceeds to extract information from them. In some situations, vishing has even been used to describe scams conducted entirely over the phone, a type of scam that pre-dates the internet and the original sense in which the term “vishing” was coined.
Looking at the IVRs themselves (however the victim is lured into communicating with them), it is interesting to note that their numbers have not soared compared to regular phishing attacks. Naturally, they are a bit more sophisticated to create – but considering that the underground market has a knack for simplifying even relatively complex fraud operations, that is probably not the reason these methods haven’t caught on. The real reason is most likely quite different. For an IVR to be reasonably reliable as a credential-collection tool, every response the victim provides must be keypad-based. That is, if an IVR asked the victim to say his name and sent a recording of the voice to the fraudster, the error rate the fraudster would face when transcribing that voice to text would be relatively high. Unlike in a real-time call, the fraudster can’t interact with the victim and verify the input. Such a system is therefore extremely problematic (attacks of this kind may exist, but their numbers would be small).
Keypad-based input (“Please enter your credit card number…”) is much more reliable as the IVR automatically translates the presses to digits. The question is, what kind of fraud can you conduct with information based solely on digits?
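The keypad detection described above, as an added example that is not part of the original post: each DTMF key is a pair of tones, and an IVR identifies the key by measuring the signal energy at the eight possible tone frequencies (here with the Goertzel algorithm). The tones are synthesized in code as constructed input; no real call audio is involved.

```python
import math

# DTMF keypad: each key is the sum of one low-group and one high-group tone.
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]
SAMPLE_RATE = 8000  # Hz, standard narrowband telephony

def synth_key(key, duration=0.1, amplitude=0.5):
    """Constructed sample input: the two-tone signal for one keypad key."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            f_low, f_high = LOW_FREQS[r], HIGH_FREQS[row.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    n = int(SAMPLE_RATE * duration)
    return [amplitude * (math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_high * i / SAMPLE_RATE))
            for i in range(n)]

def goertzel_power(samples, freq):
    """Goertzel algorithm: energy of `samples` at a single target frequency."""
    k = int(0.5 + len(samples) * freq / SAMPLE_RATE)  # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / len(samples))
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2

def decode_key(samples, min_power=1.0, min_ratio=10.0):
    """Return the key whose row and column tones dominate, or None if unclear."""
    low = [goertzel_power(samples, f) for f in LOW_FREQS]
    high = [goertzel_power(samples, f) for f in HIGH_FREQS]
    if max(low) < min_power or max(high) < min_power:
        return None  # silence or no usable tone energy
    r, c = low.index(max(low)), high.index(max(high))
    # Reject if the winning tone is not clearly stronger than its group's runner-up
    for powers, idx in ((low, r), (high, c)):
        runner_up = max(p for i, p in enumerate(powers) if i != idx)
        if powers[idx] < min_ratio * runner_up:
            return None
    return KEYPAD[r][c]

def decode_sequence(keys):
    """Translate a sequence of key presses into digits the way an IVR would."""
    return "".join(decode_key(synth_key(k)) or "?" for k in keys)
```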
Several months ago, Sam Curry, CTO of RSA Identity & Data Protection, wrote an article about how his fiancée was the victim of a “vishing” attack. While Sam described the scenario in detail, he did not touch on one subject – why was “Patriot Bank” (the fake name Sam used to refer to the bank) attacked in the first place? And why use vishing of all methods?
Since the fraudsters were using vishing, we can rule out that they were after anything that wasn’t composed entirely of digits – and indeed Sam noted that his fiancée was asked to provide her credit card number, expiration date and PIN code. The bad guys were not after online banking credentials; they were gunning for the credit card details. “But Idan”, I hope you are saying at this point, “to make purchases online you need the cardholder’s name. That’s not digit-based!” – and you’d be right. Besides, credit card details for online carding purposes are in ample supply in the underground, offered for around $1.50. As a fraudster, would you go to all the trouble of setting up an IVR to get records that you can simply buy online for a ridiculously low sum? Probably not. So, we can mark off credit card details for the purpose of online carding.
What are we left with? In-store carding and ATM withdrawals. However, in such a scenario there’s a pesky thing called the “CVV” – three digits within the magnetic stripe data – that prevents cloning the card and using it in the real world. That’s great in theory; however, as I’ve written about the issue before, not all banks check the CVV value. In that case fraudsters can clone a card and cash out money through an ATM using just the following information: credit card number, expiration date and PIN code. Sound familiar?
Almost all banks today do check CVVs, but a few still don’t perform this crucial check. From time to time, through trial and error, fraudsters discover these banks and launch a phishing campaign to extract this type of data from their victims. It’s a high-reward/low-risk operation that would whet the appetite of any fraudster. Whether or not Sam’s bank checked the CVV, the fraudsters at that time believed that it didn’t. Whenever IVRs are involved in vishing, and in any case where victims are asked to provide the credit card number, expiration date and PIN code, the first thing to do is to check whether the targeted entity verifies the CVV value. The fact that most banks check the CVV is one of the main deterrents to the popularity of vishing attacks… at least until fraudsters figure out new ways to utilize this tool.