The News of the World phone-hacking scandal has some banks doubting the methods they use to verify that callers are who they claim to be.
Many banks vet callers by looking at the number that shows up on caller ID. After it came to light that News of the World reporters had accessed people's voicemail to get scoops, several possible methods for doing so were explored in media reports. One approach is to spoof the caller ID, since many carriers do not require a PIN or password for voicemail.
The media attention "has really opened a lot of eyes for people" at banks, says Patrick Cox, chief executive of TrustID Inc. Beforehand, many bankers assumed that "phone hacking" meant writing malicious code that runs on a smartphone, and that the practice was thus more a threat to online account access than to the call center.
TrustID, of Portland, Ore., sells a system that lets banks know whether the phone number appearing on a caller ID display is legitimate. As the News of the World's phone-hacking scandal has played out, TrustID has received "at least a fourfold increase … in inquiries" from prospective customers, Cox said. He would not name any of the banks that use or have inquired about using TrustID's technology.
Arthur Barger, a senior vice president at TrustID and a former HSBC Holdings PLC executive, said it is common for banks to use the incoming phone number as a factor in determining whether a caller is a fraudster.
"There are a lot of banks today that are still relying on … caller ID, quite a few," Barger said. Barger, who headed HSBC's fraud operations in North America, would not say whether HSBC is a current or prospective user of TrustID's system.
Cox says that although a caller's phone number may seem like a flimsy piece of information to hang fraud decisions on, it is potentially more secure than much of the personal information that consumers have scattered across the Web.
"Your mother's maiden name, I can get from Ancestry.com," Cox says.
TrustID's technology works by testing to see if the phone associated with a caller's number is actually active when the call is being placed. The bank can use this knowledge in deciding whether to route the call to a customer service rep or a fraud prevention rep.
If a call is legitimate, it's obvious to TrustID, which operates as a carrier to gain visibility into the phone networks. If the call is potentially fraudulent, TrustID tests the line to be sure. This sometimes leads the legitimate customer's phone to ring for a few seconds, particularly if it is a mobile phone.
The phantom ringing might present a customer service issue, particularly if customers are awakened by these test calls in the middle of the night, but Cox says that is unlikely.
"Criminals try to emulate you … criminals know what time zone you're in," he says. If a phantom phone call is necessary, it would most likely happen when the consumer is awake, he says.
There are different ways to spoof a phone number, but even the more complex ones would require just an hour of work for a fraudster with the proper technical expertise, he says.
Cox concedes that this system might be thwarted by a call from someone with access to the customer's phone, but says this is a weakness of many of the systems in use today. For example, security questions are only strong if the caller does not have the answers on hand.
"Your roommate would know them probably, because they live with you," Cox says.
However, these security tools are strengthened when they are used as part of a layered approach.
"The most important thing, frankly, is the notion of multifactor authentication," Cox says.
Philip J. Blank, managing director for security, risk and fraud at Javelin Strategy and Research, says that even if caller ID spoofing is not widespread, it is a tool that many banks might have some exposure to.
"Most [financial institutions] do rely on caller ID for a variety of services," such as activating credit cards, he said by email. "Large FIs have extensive analytics that operate behind the scenes and certainly caller ID … is just one of the tools."
The type of access granted by spoofing a caller ID may not be worth the effort for many fraudsters, Blank says.
"In our extensive surveys of identity theft and fraud, this issue has not come up. Doesn't mean that it is not a factor," he says, "just that we haven't seen it."
The example of spoofing a phone number to activate a stolen credit card requires the fraudster to steal the necessary personal information for each victim and then intercept the mailed card.
"I guess it would be possible for someone to steal a new credit card that is mailed to you and then spoof your caller ID to activate the card and then go out and use it," Blank says, "but there are probably easier ways to make a living as a fraudster."











