
Avoiding Voice Fraud & Threats






Presentation Transcript


  1. Avoiding Voice Fraud & Threats
     Are You Really Who You Claim to Be?
     Valene Skerpac, CISSP, valene@ibiometrics.com

  2. Agenda
     • Introduction
     • Threats associated with fraud & voice
     • Mitigating risks
     • Best practices
     • Voice related controls
     • Summary

  3. Introduction
     Key questions covered:
     • How do today's fraud threats affect voice applications?
     • What voice related controls are used to mitigate the risk associated with the identified threats?
     • What best practices are used?

  4. THREATS ASSOCIATED WITH FRAUD AND VOICE
     Profits driving fraud:
     • Toll call fraud
     • Fraudulent account control (financial)
     • Fraudulent purchases
     • Identity theft
     • New account creation (fraudulent loans and credit cards)
     • Unauthorized transfer of funds, stocks and securities
     • Obfuscation of criminal activities (money laundering)
     • Fraudulent travel documents
     • Unauthorized receipt of government benefits

  5. THREATS ASSOCIATED WITH FRAUD AND VOICE
     Top threats: unauthorized access & activity
     • Phishing attack schemes (http://www.antiphishing.org/): 'Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity, financial or other confidential data'
     • Vishing attack schemes (http://www.iss.net/documents/whitepapers/IBM_ISS_vishing_guide.pdf): 'Vishing uses IP-based voice messaging technologies (primarily VoIP) …'
     • Why vishing is easy to automate
       • Easy worldwide connectivity, minimal cost of calls
       • Masking or impersonation of Caller-ID (the presented number is asserted by the caller and cannot be trusted on its own)
       • Ease of automated calling (war dialing)
       • Words in voice messages are difficult to parse, so the content filtering used against e-mail phishing does not carry over
       • The source of the attack can be hidden via traffic routing
       • Botnets are used to proliferate messages
     • Attacks today
       • Initiated via e-mail, text message, voicemail or live phone call
       • Victim is directed to a fraudulent IVR application which collects data, or to a Primary Rate Service
       • Many future attack variations are possible
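Two of the automation signs on this slide leave traces in ordinary call detail records: a war-dialing sweep (one source dialling a run of consecutive numbers in a short window) and Caller-ID impersonation (a call that arrives from outside yet presents one of the organisation's own numbers). The Python below is an added example, not part of the presentation; the CDR layout, the trunk names, the owned number block and the thresholds are assumptions made for illustration, and the records are constructed.

```python
"""Two detections for the automated-attack signs on the slide, run over constructed
call detail records (CDRs). Added example, not from the original presentation; the
CDR layout, trunk names, owned number block and thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDRs: "timestamp,trunk,caller_id,called_number".
# trunk "pstn-in" = call arrived from outside; "internal" = station-to-station.
# Lines 1-6: one outside source sweeps +1-201-555-1200..1205 within 15 seconds.
# Line 7: an outside call presents one of *our* numbers as its Caller-ID.
CDR_LINES = """\
2008-03-04T09:00:01,pstn-in,+12125550101,+12015551200
2008-03-04T09:00:04,pstn-in,+12125550101,+12015551201
2008-03-04T09:00:07,pstn-in,+12125550101,+12015551202
2008-03-04T09:00:10,pstn-in,+12125550101,+12015551203
2008-03-04T09:00:13,pstn-in,+12125550101,+12015551204
2008-03-04T09:00:16,pstn-in,+12125550101,+12015551205
2008-03-04T09:05:00,pstn-in,+12015551234,+12015551300
2008-03-04T09:06:00,internal,+12015551300,+12015551234
2008-03-04T09:07:00,pstn-in,+13105550199,+12015551300
"""

# Assumed DID block the organisation owns (inclusive), and war-dialing thresholds.
OWN_BLOCK = (12015551000, 12015551999)
WAR_DIAL_MIN_RUN = 5                  # consecutive destination numbers
WAR_DIAL_WINDOW = timedelta(minutes=2)


def e164_to_int(number):
    return int(number.lstrip("+"))


def parse_cdr(text):
    records = []
    for line in text.strip().splitlines():
        ts, trunk, caller, called = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "trunk": trunk,
                        "caller_id": caller, "called": called})
    return records


def is_own_number(number):
    lo, hi = OWN_BLOCK
    return lo <= e164_to_int(number) <= hi


def spoofed_caller_ids(records):
    """Caller-ID is asserted by whoever originates the call, so an outside (pstn-in)
    call claiming one of our own numbers is a strong impersonation indicator:
    genuine calls from our numbers arrive on the internal trunk."""
    return [r for r in records
            if r["trunk"] == "pstn-in" and is_own_number(r["caller_id"])]


def longest_consecutive_run(sorted_ints):
    """Length of the longest run of n, n+1, n+2, ... in an ascending list."""
    best = cur = 1 if sorted_ints else 0
    for a, b in zip(sorted_ints, sorted_ints[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def war_dialing_sources(records, min_run=WAR_DIAL_MIN_RUN, window=WAR_DIAL_WINDOW):
    """Map source -> longest run of consecutive destination numbers it dialled
    inside `window`. Only sources reaching `min_run` are returned."""
    by_source = defaultdict(list)
    for r in records:
        by_source[r["caller_id"]].append(r)
    flagged = {}
    for src, calls in by_source.items():
        calls.sort(key=lambda r: r["ts"])
        for i, first in enumerate(calls):          # sliding time window
            in_window = [c for c in calls[i:] if c["ts"] - first["ts"] <= window]
            dests = sorted({e164_to_int(c["called"]) for c in in_window})
            run = longest_consecutive_run(dests)
            if run >= min_run:
                flagged[src] = max(run, flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    recs = parse_cdr(CDR_LINES)
    for src, run in war_dialing_sources(recs).items():
        print(f"war dialing: {src} swept {run} consecutive numbers")
    for r in spoofed_caller_ids(recs):
        print(f"spoofed caller-id: {r['caller_id']} arrived on {r['trunk']} "
              f"calling {r['called']}")
```

On the constructed records the sweep from +12125550101 is flagged with a run of six numbers and the 09:05 call is flagged as Caller-ID impersonation, while the internal call from the same number is not. In practice the trunk name and the owned block come from the PBX or SBC configuration, and a spoofing hit should feed the incident response process rather than block the call outright, since some legitimate forwarding arrangements also present internal numbers from outside.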

  6. THREATS ASSOCIATED WITH FRAUD AND VOICE
     Top threats: unauthorized access & activity…continued
     • Security threats in a converged environment
       • Network, database and application vulnerabilities: SANS Top 20 (http://www.sans.org/top20/)
       • VoIP servers and phones: Denial-of-Service (DoS), eavesdropping, VoIP phishing scams and toll fraud; VoIP Security Alliance (http://www.voipsa.org/)
       • Application security bugs (e.g. in AJAX front ends)
       • SPIT (Spam over Internet Telephony)
       • Brute-force attacks
       • Eavesdropping on media streams (the voice channel)
       • Poor access control, identity and authorization management

  7. Mitigating the Risk of Threats
     • Fraud management
       • Technology, people, policy and processes
       • Real-time monitoring and an incident response program
       • Multi-channel aggregation
       • Predictive analysis; process both structured and unstructured information
     • Converged security
       • Development and maintenance of policies and procedures, regular training, security audits and assessments
       • Multi-vendor: no one vendor can protect from device to data
       • Defense in depth approach: layered security
     • Security Development Life Cycle (SDLC)
       • Security integrated from the beginning avoids the 2 to 3 times higher cost of adding it later on
       • The value of the investment in security is the projected loss it prevents and the preserved reputation of the organization

  8. Mitigating the Risk of Threats
     • Converged security…continued
       • Access control, identity and authorization management
         • Identity: subject and claim; claims about subjects are evaluated to negotiate access
         • 7 Laws of Identity (http://www.identityblog.com): user control and consent; minimal disclosure for limited use; justifiable parties; directed identity; plurality of operators and technologies; human integration; consistent experience
       • Continually re-assess new schemes looking for solutions, e.g. OpenID using voice
       • Application development life cycle (http://www.owasp.org/)
         • Scans, code review and security testing required
         • Targeted open source tools for the VoiceXML environment are needed
         • Potential project: contact the presenter, valene@ibiometrics.com

  9. Mitigating the Risk of Threats
     • Voice related security controls
       • Authentication beyond ID and password/PIN
         • Voice channel (in-band) self-service transactions: an additional authentication factor, speaker verification and/or another factor
         • Multi-channel (out-of-band) transactions: call-back authentication, speaker verification and/or another factor
       • Call center monitoring: background monitoring with speaker verification and/or recognition running
       • Speaker recognition: a biometric modality that uses an individual's speech. It uses both the physical structure of an individual's vocal tract and the behavioral characteristics of the individual, for identification, verification or other related tasks.

  10. Voice Biometrics Basics
     • Security: an authentication factor, 'something the user is'
     • Biometric reference model (voiceprint) as the identity factor: a vendor-specific, proprietary statistical representation, not the raw audio
     • Speaker verification (1:1 match against a claimed identity) vs. speaker identification (1:N search)
     • Text dependent vs. text independent
     • Accuracy
       • Subject to human and environmental factors
       • 100% accuracy is not realistic
       • Thresholds are set based on risk assessments
       • Not the sole identifier
     [Chart: False Accept Rate (FAR, an impostor is accepted) and False Reject Rate (FRR, the genuine speaker is rejected) plotted against the decision threshold, from the high-convenience end (low FRR, high FAR) to the high-security end (low FAR, high FRR); the Equal Error Rate (EER) is the threshold at which FAR% = FRR%.]
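The FAR/FRR trade-off on this slide is easiest to see by sweeping a threshold over match scores. The Python below is an added example, not from the presentation or any vendor's engine: the genuine and impostor scores are constructed, on an assumed 0 to 100 scale where a higher score means the engine is more confident the caller matches the enrolled voiceprint. It computes FAR and FRR at each threshold, finds the EER, and then picks the two operating points the slide alludes to: a high-security threshold that caps FAR and a high-convenience threshold that caps FRR.

```python
"""Choosing a speaker-verification decision threshold from FAR/FRR.
Added example, not from the original slides. Scores are constructed; a higher score
means the (hypothetical) engine is more confident the caller matches the voiceprint."""

# Constructed match scores (0-100).
# GENUINE: the enrolled caller speaking; IMPOSTOR: someone else claiming that identity.
GENUINE_SCORES = [58, 62, 65, 67, 70, 71, 73, 74, 76, 78, 80, 82, 84, 87, 90, 93]
IMPOSTOR_SCORES = [20, 25, 31, 38, 42, 45, 49, 52, 55, 59, 61, 64, 66, 69, 72, 77]


def far(impostor, threshold):
    """False Accept Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False Reject Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def candidate_thresholds(genuine, impostor):
    """Every observed score is a place where FAR or FRR changes."""
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine, impostor):
    """Return (threshold, EER): the threshold where FAR and FRR are closest and the
    error rate there. EER summarises an engine; it is rarely the operating point."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_max_far(genuine, impostor, max_far):
    """High-security tuning: the lowest threshold whose FAR is <= max_far.
    Returns (threshold, far, frr); the FRR is the convenience price paid."""
    for t in candidate_thresholds(genuine, impostor):
        a = far(impostor, t)
        if a <= max_far:
            return t, a, frr(genuine, t)
    t = max(genuine + impostor) + 1        # nobody is accepted at all
    return t, 0.0, 1.0


def threshold_for_max_frr(genuine, impostor, max_frr):
    """High-convenience tuning: the highest threshold whose FRR is <= max_frr.
    Returns (threshold, far, frr); the FAR is the security price paid."""
    chosen = None
    for t in candidate_thresholds(genuine, impostor):
        if frr(genuine, t) <= max_frr:
            chosen = t
    return chosen, far(impostor, chosen), frr(genuine, chosen)


def verify(score, threshold):
    """Accept/reject decision. Rejected genuine callers go to the fallback
    procedure rather than being refused service outright."""
    return score >= threshold


if __name__ == "__main__":
    t_eer, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER threshold {t_eer}: FAR = FRR = {eer:.1%}")
    t, a, r = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.05)
    print(f"high security (FAR <= 5%): threshold {t}, FAR {a:.1%}, FRR {r:.1%}")
    t, a, r = threshold_for_max_frr(GENUINE_SCORES, IMPOSTOR_SCORES, 0.05)
    print(f"high convenience (FRR <= 5%): threshold {t}, FAR {a:.1%}, FRR {r:.1%}")
```

On the constructed scores the EER sits at threshold 67 with 18.75% error each way. Capping FAR at 5% forces the threshold up to 78, where no impostor is accepted but 56% of genuine attempts are rejected and must fall back to another factor; capping FRR at 5% drops it to 58, where no genuine caller is rejected but 44% of impostors get through. That is the slide's point in numbers: the threshold is a risk decision per transaction type, not a property of the engine, and speaker verification is one factor among several rather than the sole identifier.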

  11. Voice Biometrics…continued
     Risk assessment
     • Know your threats
     • Consider potential biometric attacks and protection mechanisms: spoofing (e.g. replaying a recording of the enrolled speaker), loss of biometric data, injection of biometric data, false enrollment, system circumvention, etc.
     • Understand biometric capabilities and performance (FRR/FAR)
     Best practices
     • Include biometrics in security and privacy processes
     • Enrollment procedures: low to high risk identity criteria
     • Appropriate fallback procedures when biometric verification fails
     • Policy, controls, audit and monitoring of biometric data and performance
     • ISO 19092, Biometric Security Management; the biometric lifecycle
     Speaker recognition standards
     • MRCP (Media Resource Control Protocol) (http://tools.ietf.org/wg/speechsc/draft-ietf-speechsc-mrcpv2/)
     • VoiceXML (http://www.voicexml.org/resources/biometrics.html): inclusion in the future VoiceXML Version 3; Speaker Identification and Verification (SIV) Requirements for VoiceXML Applications, open for comments
     • Other ISO biometrics standards in progress

  12. Summary
     • Threats: growing and costly
     • Risk mitigation: a deliberate and integral approach is required
     http://www.ibiometrics.com/resource_center.htm
     Questions/Comments: Valene@ibiometrics.com
