7/22/071 Avoiding Voice Fraud & Threats Are you Really Who You Claim to Be? Valene Skerpac, CISSP
7/22/072 Agenda Introduction Threats associated with fraud & voice Mitigating Risks Best Practices Voice Related Controls Summary
7/22/073 Introduction Key Questions Covered How do today’s threats of fraud effect voice applications? What voice related controls are used to mitigate risk associated with the identified threats? What best practices are used?
7/22/074 THREATS ASSOCIATED WITH FRAUD AND VOICE Profits Driving Fraud Toll call fraud Fraudulent account control (financial) Fraudulent purchases Identity theft New account creation (fraudulent loans and credit cards) Unauthorized transfer of funds, stocks and securities Obfuscation of criminal activities (money laundering) Fraudulent travel documents unauthorized receipt of government benefits.
7/22/075 THREATS ASSOCIATED WITH FRAUD AND VOICE Top Threats - unauthorized access & activity Phishing Attack Schemes ( ’Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity, financial or other confidential data ’ Vishing Attack Schemes ( ‘Vishing uses IP-based voice messaging technologies (primarily VoIP) …’ Automated attacks Easy worldwide connectivity, minimal cost of calls Mask or impersonation of Caller-ID Ease of automated calling (war dialing) Difficult to parse words from voice messages Can hide source of attack via traffic routing Use of botnets to proliferate messages Attacks today Initiated via , text messaging, voic or live phone call Directed to fraudulent IVR application which collects data or Primary Rate Service Many future attack variations possible
7/22/076 THREATS ASSOCIATED WITH FRAUD AND VOICE Top Threats - unauthorized access activity…continued Security Threats in a Converged Environment Network, Database and Application Vulnerabilities SANS TOP 20 ( VoIP server and phones Denial-of-Service (DoS), Eavesdropping, VoIP phishing scams and toll fraud VoIP Security Alliance ( Application security bugs AJAX SPIT Brute force hacks Eavesdropping on media streams (voice channel) Poor Access control, identity and authorization management
7/22/077 Mitigating the Risk of Threats Fraud Management Technology – people – policy – processes Real-time monitoring, Incident response program Multi-channel aggregation Predictive analysis, process structured and unstructured information Converged Security Development and maintenance of policies and procedures, regular training, security audits and assessments Multi-vendor - no one vendor can protect from device to data Defense in depth approach – layered security Security Development Life Cycle (SDLC) security integrated from the beginning can save 2 to 3 times the cost to add security later on value of the investment in security prevents a projected amount of loss and preserves the reputation of the organization
7/22/078 Mitigating the Risk of Threats Converged Security …..continued Access control, identity and authorization management Identity Subject and Claim Claims about subjects evaluated to negotiate access 7 Laws of Identity ( User control and consent Minimal disclosure for limited use Justifiable party Directed Id Plurality of operators and technologies Human Integration Consistent experience Continually re-assess new schemes looking for solutions OpenID using voice Application Development Life Cycle ( Scans/code review/security testing required Targeted open source tools for VoiceXML environment needed Potential Project – contact presenter -
7/22/079 Mitigating the Risk of Threats Voice Related Security Controls Authentication – Beyond ID and Password/PIN Voice Channel (In-band) self-service transactions additional authentication factor, speaker verification and/or other factor Multi-channel (out-of-band) transactions Call-back authentication, speaker verification and/or other factor Call Center Monitoring Background monitoring with speaker verification and/or recognition running Speaker Recognition A biometric modality that uses an individual’s speech. It uses both the physical structure of an individual’s vocal tract and the behavioral characteristics of the individual, for identification, verification or other related tasks
7/22/0710 Voice Biometrics Basics Security – Authentication Factor ‘Something the user is’ Biometric Reference Model (voiceprint) - Identity Factor Vendor specific, proprietary statistical representation (not raw data) Speaker Verification vs. Speaker Identification Text Dependent vs. Text Independent Imposter False Accept Rate (FAR)Imposter False Rejection Rate (FRR) Equal Error Rate (ERR) FAR% = FRR% High Convenience High SecurityAccuracy Subject to human and environmental factors 100% Accuracy Not Realistic Thresholds based on risk assessments Not the sole identifier
7/22/0711 Voice Biometrics... continued Risk Assessment Know your threats Consider potential biometric attacks & protection mechanisms Spoofing Loss of biometric data, Injection of biometric data False enrollment, System circumvention, etc. Understand biometrics capabilities and performance (FRR/FAA) Best Practices Include in Security & Privacy Processes Enrollment Procedures – Low to high risk ID criteria Appropriate biometric verification fallback procedures Policy, controls, audit and monitoring of biometrics data and performance ISO 19092, Biometric Security Management Biometric lifecycle Speaker Recognition Standards MRCP (Media Resource Control Protocol) ( VXML (Voice XML) ( Inclusion in future Voice XML Version 3 Speaker Identification and Verification (SIV) Requirements for VoiceXML Applications - Open for Comments Other ISO biometrics standards in progress
7/22/0712 Summary Threats Growing and Costly Risk Mitigation Deliberate and Integral Approach Required