Avoiding Voice Fraud & Threats: Are You Really Who You Claim to Be?
Valene Skerpac, CISSP, 7/22/07 (presentation transcript)

Slide 1: Avoiding Voice Fraud & Threats: Are You Really Who You Claim to Be?
Valene Skerpac, CISSP, valene@ibiometrics.com

Slide 2: Agenda
- Introduction
- Threats associated with fraud & voice
- Mitigating risks
- Best practices
- Voice related controls
- Summary

Slide 3: Introduction
- Key questions covered:
  - How do today's fraud threats affect voice applications?
  - What voice related controls are used to mitigate the risk associated with the identified threats?
  - What best practices are used?

Slide 4: Threats Associated with Fraud and Voice
- Profits driving fraud:
  - Toll call fraud
  - Fraudulent account control (financial)
  - Fraudulent purchases
  - Identity theft
  - New account creation (fraudulent loans and credit cards)
  - Unauthorized transfer of funds, stocks and securities
  - Obfuscation of criminal activities (money laundering)
  - Fraudulent travel documents
  - Unauthorized receipt of government benefits

Slide 5: Threats Associated with Fraud and Voice
- Top threats - unauthorized access & activity:
  - Phishing attack schemes (http://www.antiphishing.org/): "Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity, financial or other confidential data"
  - Vishing attack schemes (http://www.iss.net/documents/whitepapers/IBM_ISS_vishing_guide.pdf): "Vishing uses IP-based voice messaging technologies (primarily VoIP) ..."
- Automated attacks:
  - Easy worldwide connectivity, minimal cost of calls
  - Masking or impersonation of Caller-ID
  - Ease of automated calling (war dialing)
  - Difficult to parse words from voice messages
  - Source of attack can be hidden via traffic routing
  - Use of botnets to proliferate messages
- Attacks today:
  - Initiated via e-mail, text messaging, voicemail or live phone call
  - Directed to a fraudulent IVR application which collects data, or to Primary Rate Service
  - Many future attack variations possible

Slide 6: Threats Associated with Fraud and Voice
- Top threats - unauthorized access & activity (continued):
  - Security threats in a converged environment
  - Network, database and application vulnerabilities: SANS Top 20 (http://www.sans.org/top20/)
  - VoIP server and phones: Denial-of-Service (DoS), eavesdropping, VoIP phishing scams and toll fraud; VoIP Security Alliance (http://www.voipsa.org/)
  - Application security bugs
  - AJAX
  - SPIT
  - Brute force hacks
  - Eavesdropping on media streams (voice channel)
  - Poor access control, identity and authorization management

Slide 7: Mitigating the Risk of Threats
- Fraud management:
  - Technology - people - policy - processes
  - Real-time monitoring, incident response program
  - Multi-channel aggregation
  - Predictive analysis; process structured and unstructured information
- Converged security:
  - Development and maintenance of policies and procedures, regular training, security audits and assessments
  - Multi-vendor: no one vendor can protect from device to data
  - Defense in depth approach: layered security
  - Security Development Life Cycle (SDLC)
    - Security integrated from the beginning can save 2 to 3 times the cost of adding security later on
    - The value of the investment in security is that it prevents a projected amount of loss and preserves the reputation of the organization

Slide 8: Mitigating the Risk of Threats
- Converged security (continued):
  - Access control, identity and authorization management
  - Identity: subject and claim; claims about subjects are evaluated to negotiate access
  - 7 Laws of Identity (http://www.identityblog.com):
    - User control and consent
    - Minimal disclosure for limited use
    - Justifiable parties
    - Directed identity
    - Pluralism of operators and technologies
    - Human integration
    - Consistent experience across contexts
  - Continually re-assess new schemes looking for solutions, e.g. OpenID using voice
- Application development life cycle (http://www.owasp.org/):
  - Scans, code review and security testing required
  - Targeted open source tools for the VoiceXML environment needed
  - Potential project - contact presenter: valene@ibiometrics.com

Slide 9: Mitigating the Risk of Threats
- Voice related security controls:
  - Authentication - beyond ID and password/PIN
  - Voice channel (in-band) self-service transactions: additional authentication factor, speaker verification and/or other factor
  - Multi-channel (out-of-band) transactions: call-back authentication, speaker verification and/or other factor
  - Call center monitoring: background monitoring with speaker verification and/or recognition running
- Speaker recognition: a biometric modality that uses an individual's speech. It uses both the physical structure of an individual's vocal tract and the behavioral characteristics of the individual, for identification, verification or other related tasks.

Slide 10: Voice Biometrics Basics
- Security - authentication factor: "something the user is"
- Biometric reference model (voiceprint) - identity factor: vendor specific, proprietary statistical representation (not raw data)
- Speaker verification vs. speaker identification
- Text dependent vs. text independent
- [Chart: Imposter False Accept Rate (FAR) and False Rejection Rate (FRR) plotted against the decision threshold; the Equal Error Rate (EER) is the point where FAR% = FRR%. A low threshold gives high convenience, a high threshold gives high security; accuracy is the trade-off between them.]
- Subject to human and environmental factors
- 100% accuracy not realistic
- Thresholds based on risk assessments
- Not the sole identifier
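A worked illustration of the FAR/FRR trade-off and the EER described on this slide, added here as an example and not taken from the presentation or any vendor engine. The match scores are constructed; real engines use their own proprietary score scales, so only the method carries over.

```python
"""FAR/FRR trade-off for a speaker-verification accept threshold.

Scores are constructed for illustration (higher = closer to the enrolled
voiceprint). A real engine's score scale is vendor specific.
"""

# Constructed scores: genuine users speaking against their own voiceprint,
# and impostors speaking against someone else's voiceprint.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.79, 0.77, 0.72, 0.69, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.62, 0.58, 0.54, 0.50, 0.46, 0.43, 0.39, 0.35, 0.30, 0.22]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for an accept-if-score->=-threshold decision rule.

    FAR: fraction of impostor attempts wrongly accepted (score >= threshold).
    FRR: fraction of genuine attempts wrongly rejected (score < threshold).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def candidate_thresholds(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Every distinct observed score is a threshold worth evaluating."""
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, EER): the threshold where FAR and FRR are closest
    to equal, and the error rate at that point (FAR% = FRR%)."""
    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)
    best = min(candidate_thresholds(genuine, impostor), key=gap)
    far, frr = error_rates(best, genuine, impostor)
    return best, (far + frr) / 2


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES,
                          impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR does not exceed max_far. A high-security
    setting (small max_far) buys its security with a higher FRR, i.e. less
    convenience; this is the risk-based threshold choice the slide refers to."""
    for t in candidate_thresholds(genuine, impostor):
        if error_rates(t, genuine, impostor)[0] <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t in candidate_thresholds():
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("EER (threshold, rate):", equal_error_rate())
    print("threshold for FAR <= 0%:", threshold_for_max_far(0.0))
```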

Slide 11: Voice Biometrics (continued)
- Risk assessment:
  - Know your threats
  - Consider potential biometric attacks & protection mechanisms: spoofing; loss of biometric data; injection of biometric data; false enrollment; system circumvention; etc.
  - Understand biometrics capabilities and performance (FRR/FAR)
- Best practices:
  - Include in security & privacy processes
  - Enrollment procedures - low to high risk ID criteria
  - Appropriate biometric verification fallback procedures
  - Policy, controls, audit and monitoring of biometrics data and performance
  - ISO 19092, Biometric Security Management
  - Biometric lifecycle
- Speaker recognition standards:
  - MRCP (Media Resource Control Protocol) (http://tools.ietf.org/wg/speechsc/draft-ietf-speechsc-mrcpv2/)
  - VXML (VoiceXML) (http://www.voicexml.org/resources/biometrics.html): inclusion in future VoiceXML Version 3; Speaker Identification and Verification (SIV) Requirements for VoiceXML Applications - open for comments
  - Other ISO biometrics standards in progress

Slide 12: Summary
- Threats: growing and costly
- Risk mitigation: deliberate and integral approach required
- Resources: http://www.ibiometrics.com/resource_center.htm
- Questions/comments: Valene@ibiometrics.com

