Sunday, February 19, 2012

Does IT make it too easy for fraudsters?

I was just reading an interesting article by Steven Cotton of the TM Forum entitled “Fraudsters Will Be Fraudsters, But How Does Provider Indifference Help?” In it he describes a recent phishing attempt that came to his in-box and how the service provider’s support group did not know if they had a security or fraud department and could not be bothered to care.

Now if you look at most of the recent stories labeled as telecom fraud, they are frequently about people being defrauded using the phone rather than fraud hitting the PBX. In these cases it is usually someone tricked by phone or email into going down to Western Union and sending money to someone that they know who is in some sort of “trouble.” The causes of the trouble vary (bail, hospital charges, fees to get a car fixed, etc.), but the common item is that they always want the money sent via Western Union, which has no verification, tracking or roll-back options once the cash is taken.

Now Steve ended his blog entry with this line:
I'd suggest that the industry should at least set a basic goal of making the fraudsters at least break a sweat as they perpetrate their nasty business.
I suspect that this is exactly the case, and that if there were a way to force Western Union to verify the identity of the person claiming the money, say the way that a person-to-person call works, it would cut down more than half of this kind of fraud.

The same is true of PBX-related fraud: keeping default passwords, leaving the system ports open, not watching your phone bill, and not proactively protecting your system make it just as easy to defraud you as it is for those who are preying on phone scam victims.