Vishing Attackers Seek Cardholders' Personal Details
Warning: Fraudsters are targeting high-end London eateries and requesting that they call a supplied number to have every customer verify their payment-card details before any transaction gets authorized.
"The scam involves fraudsters posing as bank staff, phoning restaurants claiming there is a problem with their card payments system," warns an alert released Aug. 13 by Financial Fraud Action UK, an industry group that coordinates U.K. financial services firms' response to card and retail banking fraud.
"When the restaurant calls the phone number, the fraudster asks to speak with the paying customer and then goes through their security questions," it adds. "Once sufficient security details have been obtained from the customer, the fraudster will instruct the restaurant to put the transaction through."
To date, this attack campaign has focused on London. "The examples where we've seen it are mainly in the London areas, in the West End, and Twickenham and Canary Wharf, and it's primarily been aimed at high-end restaurants," Giles Mason, a spokesman for Financial Fraud Action UK, tells Information Security Media Group. The campaign also hasn't been targeting restaurants which are clients of just one bank. "We've had reports from a few different banks that have come through," he says.
Combatting Vishing Attacks
This type of social-engineering campaign is known as voice phishing, or vishing, which refers simply to criminals phoning people and pretending to be someone they're not. Fraudsters may pretend that fraud has been spotted on a consumer's account, or that a restaurant's card payment system having a problem, as in the case of the recent London restaurant scam attacks.
Regardless, attackers' goal is to elicit useful personal information from victims. "They're panicking someone into reacting, but the 'security questions' they're asking allow them to commit fraud," says Mason.
Such attacks are relatively low-tech, but when it come to evading security controls, that's the point. "What we're seeing on the card side, for example, is that chip and PIN, and the security systems at the banks, are much more robust now, so the fraudsters can't attack that," says Mason. "What they try to attack is another point of weakness that they perceive."
Targeting Cardholders
That the restaurant attackers must also trick cardholders into divulging details - instead of just trying to convince restaurant employees to phone in card details themselves - is thanks to the United Kingdom's chip and PIN system, which is its implementation of EMV. Notably, all cards issued by U.K. banks are now EMV-compliant, and payment card users have become conditioned to expect that their cards should never leave their sight.
In restaurants, that's accomplished by the use of Bluetooth chip-and-PIN machines, which a waiter brings to a table, and into which they insert a customer's payment card, before handing the machine back to the customer. After the customer verifies the payment amount, they enter their four-digit PIN code, after which the machine can phone home and authorize the transaction. After that, the waiter removes their card and hands it back, again without it ever having left the customer's view.
Landline Phones Pose Risks
Fraud experts say the best way to combat this type of vishing scam is to call a known number for the bank and verify that any information request is genuine. One wrinkle, however, is that if restaurant employees hang up and immediately dial their bank, the scammers may not yet have hung up. "Always wait five minutes to ensure the line is clear, as fraudsters will sometimes try to stay on the phone line and pretend to be your bank," says Katy Worobec, director of Financial Fraud Action UK, in a statement.
The risk from calls not terminating in a rapid manner after one party hangs up the phone is a known problem; telecommunications providers have been making related changes to their telephone exchanges, and hope to have the problem fixed in the next year or so. "We've been working closely with the network operators to try and reduce that time - from 2 minutes down to about 10 seconds," Mason says. "But there are a lot of phone exchanges, so it can take a lot of time to make those changes."