As anyone who has called into a bank or utility provider lately knows, security for customer service routines – the prescribed ways in which support reps verify the identity of customers who call in – is being continually upgraded. Two-factor authentication, voice passwords, various security questions (“what was the name of your first pet,” for instance) and even verifying that a person is at the account address by calling a landline are all well-known features of the authentication process when making account changes.
Well, usually, anyway.
At the Security Analyst Summit 2019 in Singapore last month, David Jacoby, a Swedish member of Kaspersky Lab’s global research and analysis team (GReAT), gave a five-minute talk called “Exploiting Telco Support Teams for Fun and Profit.” He explained how Swedish telcos ask only for a bare minimum of information from callers – and publicly available information at that – before agreeing to make account changes to specific numbers. This has led to real-world attacks in which victims have found their mobile phone calls hijacked and redirected to a rogue number.