September 19, 2023

Countering Remote Access Fraud Attacks with Trusted Identity Assurance™



There is no limit to the ingenuity of fraudsters when it comes to conducting fraud, as they constantly seek new ways around digital banking security measures. Recently, HSBC has been warning its banking customers to stay vigilant and watch out for unsolicited requests to gain remote access to their computers. This new warning comes on the back of the bank observing new fraud cases affecting its customers in which remote desktop-sharing software is used to carry out the attack. Such remote desktop-sharing software is freely available in the market, and whilst the software itself is legitimate, the fraudsters are using its functionality to access the victim’s bank account and create fraudulent payments. They do this under the guise of being bank employees and typically use a reason designed to alarm the customer, such as preventing fraudulent payments or fraudulent access.

How Remote Access Scammers Operate: The Role of Social Engineering

It’s important to note that the scammers employing this method are often highly skilled in social engineering techniques. They may initiate the scam by sending phishing emails that appear to come from the bank or by making phone calls pretending to be bank representatives. Once they gain the customer’s trust, they proceed to instruct the customer to download the remote desktop-sharing software, further disguising their malicious intentions under the cloak of seemingly urgent security concerns.

The Problem with Traditional Security Methods

Banks that use two-factor authentication based on one-time passcodes sent to the customer via SMS or a push message to a mobile banking app are not immune from this type of scam. Since the customer is duped into believing they are speaking with their bank, the customer follows any instructions given, including downloading software, and is not concerned about being defrauded. Similarly, they will have no qualms about providing the “bank” with any codes requested.

And herein lies the problem with one-time passcodes or any other form of code, secret, PIN, or password credential. Such a credential can be intercepted, is transferable, and is susceptible to scams such as the one described above. Whoever has possession of that credential is in effect assumed to be the genuine customer and will be granted whatever privilege is assigned to that credential. In the case of this particular scam, that privilege is the authorization of fraudulent payments.

The Flaws in Behavioral Analytics

Some banks have turned to behavioral analytics that monitor the typical activity patterns of customers as a means of trying to counter such attacks. If an unusual pattern is detected, such as logging in from a different location or making higher-than-average transactions, the system can flag it for additional scrutiny or even block the transaction until it is manually reviewed. However, we have written previously about the problems with such an approach, which include low accuracy, potential data protection and data privacy issues, potential exposure to AI deepfake technologies, and, above all, an inability to guarantee identity assurance.

Identity Assurance through Voice Biometrics

The only true form of actual identity assurance is through biometrics, and voice biometrics is the most versatile and secure of all biometric modalities. Voice biometrics transforms the usage of one-time passcodes by turning them from a code that anybody in possession of it can use into a code that is only valid when spoken by the legitimate intended recipient. Simply speaking the code rather than keying it in authenticates both the code and the speaker, rendering these forms of scams unusable.

Sadly, some banking customers will always fall for scams, especially given their sophistication, so whilst education is essential and may help, prevention in the first instance will always be the most effective approach.
