Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we shed light and bring truth to emerging topics in the communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle and I’ll be co-hosting today’s session with Sam Fadel, Florida Chapter President of the International Association of Financial Crimes Investigators (IAFCI). It is so great to have you join us today, Sam, welcome.
Sam Fadel: Great to be here, thank you, Rebekah.
Rebekah Johnson: Before we get started, I'm going to have to take some time to cover your background and experience. I don't know that I've ever met someone quite like you so it's quite fascinating. Sam’s prior life was in law enforcement and throughout that 25-year career, you've worked in many areas of robbery, homicide, fire arson, auto theft, burglary, financial crimes, insurance fraud, internal affairs, special projects... a lot of different experience that brought to you. You moved over into the External Investigation Manager role, which is really focused on credit card, bank loan fraud, you definitely cover cyber crimes, which includes data breaches, transnational cases, reshippers, and really focused on identity vulnerabilities. You help prepare cases for law enforcement for their training on many areas of financial fraud topics and various groups. Sam, with that incredible background, which honestly includes a lifetime of achievement already, today's topic on fraud investigations and the power of KYC, it makes sense why you are here.
I'm really excited about today's topic because you represent so much wisdom and experience in the value of KYC on the voice service provider side where this is really a new concept. I have many conversations with voice service providers on why they need a good KYC framework. There’s a lot of optimism in the value it brings to their business. Sadly, I think voice service providers are sitting in the position of not knowing what they don't know when it comes to KYC and the role it plays in combating fraud. To them, it looks like a futile effort forced upon them.
So back to you, Sam, and why you are today's guest. KYC has been in place for years to combat fraudulent activities in other industries. So the value of KYC is already well known in the financial industry and has been in place for many years. From your years of experience, please share your perspective on what KYC means to the financial industry and the critical role it plays in combating fraud.
Sam Fadel: Thanks, Rebekah, for that big introduction, thank you so much. KYC is crucial for both industries, the telecom industry needs it. The bad actors are calling and basically stealing your phone numbers, and SIM swapping, and social engineering… and I think some of the bigger companies started deploying some programs to combat them, whether it’s two-factor authentication, one-time password, or account passwords, they’re trying to deal with it but it's a slow road that they're taking.
On the financial side, KYC is crucial at every level, not only for new accounts where a customer signs into an account or the account center and creates a new account and one of the data points they provide is the phone number. The phone number plays a crucial role in identifying ‘is that really Rebekah Johnson applying for an account or is that somebody else?’
Today, studies have shown that folks realize they lost their phone way before they realize they misplaced their wallet or handbag. You see everyone with their phone in their hands, not their wallets in their hands or oftentimes not even a handbag, but just a phone. Our lives are centered around that and institutions know that. That’s how they verify your identity, through text messaging, through phone calls, through emails, and then they capture that data because it’s significant to authenticate the person. So, KYC is crucial in so many aspects but when you throw in the phone, it’s even more so if you know how to use it and deploy that.
The benefit behind it is the phone number attached to this new application. If a VoIP is tied to an IP somewhere else in the world and they’re claiming to live in New York City, but their IP comes back to a different country known for fraud, then why is this happening? Is the person traveling, perhaps? You have anomalies sometimes but usually, it’s outright fraud if you can see it.
So for existing customers, it’s also crucial. Customers call in on a regular basis. They call in to approve wires, to ask for wires, money transfers, make account changes, they call in to the center to perhaps change the phone number. Why is that so important? Well, if it’s a bad actor doing it when the bank calls you they can't get ahold of you anymore. They’re going to be directed to the bad actor’s phone or email, for that matter.
With technology, the banks have really amped up their game in identifying the devices and asking if this really is their phone that you own calling us or are you using the internet to contact us? They pick up device ID, they pick up your HTML files and cookies so they know it’s really you checking in on your account. But the phone line is not, it’s not as simple and there are fewer opportunities from the beginning. So it plays a big role in authenticating a customer and the bad guys know it so they use the phone instead because it’s easier than using the computer systems.
Rebekah Johnson: It’s interesting when I parallel what KYC has meant in the financial industry for as long as it’s been used. This is a global framework, this is not just United States-based, this is globally asking, ‘How do we combat fraud?’ in the ways you just described. It always comes back to, at the end of the day, you have to know who your customer is so that we understand it’s not someone posing and being a bad actor.
In the telecom space for service providers, we’re facing the same challenge of not having done a Know Your Customer and some are just willing to take a credit card and that’s enough knowing of the customer: does the credit card process or not? And then they just give access to these networks to be able to deliver calls. Unfortunately, no doubt Sam, that process is some of the beginning places for these calls that are going into the financial institutions to then be able to spoof a customer’s number and present it as though a customer. This breaks down the processes internally that the financial institutions have in order to do a verification before they start to disclose information or make changes to the account.
I can imagine that there are massive ramifications of not having a KYC process in place. What have you seen happen specifically in the financial industry when Know Your Customer isn't a focus?
Sam Fadel: I've seen banks get penalized by the Fed (Federal Reserve System), because as we talk about with KYC, the biggest part of that is the EML, the anti-money laundering aspect of it, the counter-terrorism, the Patriot Act, various compliance issues that banks face for not knowing their customers like, ‘Is this person allowed to have an account?’ This is just the beginning of it, there are so many.
That happens on the front end when an account first opens up and through continuous monitoring after the account has been opened. So suppose I snuck in and opened an account with your name and I was able to successfully complete the opening part and now I have the account, how am I moving the money around? Often times that verification process involves a phone line, either the bad actor calls in before or during a transaction to make sure it goes through, they call in a safe word travel order as if they’re traveling when in reality, they stole your account when they know you’re traveling out of the region and know you live in location A going to location B. I’ve had many cases where the bad actors call and say, “Hi I’m Rebekah, I’m traveling this week so please don’t stop my authorizations.’ That is followed by fraud. So when they look at the account they see that Rebekah called in and she passed the verification so we’re not going to bother with this transaction any more.
I had one case that happened near my house, which is sad. A person left to have dinner and he went back again a month later. By that time, the first transaction was charged back so the restaurant knew who the guy was. Then they grabbed him, called the police, and got the phone number. When I looked into it I realized this wasn’t a one-off, they called in before, and then it blew up into several thousand accounts throughout the southeast. So it’s important when you get that phone call to bump up the phone number to identify the caller. It might be somebody with your PII (personal identifiable information) with the number tied to some other ring. Is it tied to 20 other calls? To other frauds?
So KYS is at many levels. At the onset, any person will tell you that they’re just regulations, but it’s more than that, it’s also against fraud. Folks are using these devices to beat the system on a regular basis. I think the phone channel is the weakest link to the banks. The more information the banks have on that phone call, besides what comes out of the caller's mouth, like the device, the number, where it’s coming from...the more suited they are to have a better robust program with the KYC program.
Rebekah Johnson: We’re always talking about STIR/SHAKEN and putting trust back into the framework for consumers. But until I had a conversation with you about these topics, I didn't understand, nor did I appreciate, the value that a verification program before calls get on a network would mean to the financial institutions just to protect consumers from fraud that may not have come through the traditional car warranty phone call. We are so tunnel-visioned on thinking that’s the only place they're going to get value.
What you've opened up is, this is a huge effort that will bring value on the financial industry side that has been combating this on your own. You’re over here siloed and if you could just get additional information through the voice channel at the time when a consumer or someone who's calling connects with an agent, we put them with more information so we can have some trust that the entity calling in cannot spoof the illegally. You should be able to have that. That will go a long way in helping reduce fraud at a much greater scale, that's probably not even being tracked on the FCC side. Because that’s not necessarily the consumer. The consumer is a victim in this case, but it’s fraud in the financial space.
I think we’re going to start to really upset bad actors, which I'm already seeing. I had a conversation with a service provider the other day who is trying to implement their KYC. They're already getting customers who are not sharing information with them and thinking they shouldn't have to share information with them. Transparency is being blocked. Of course, if these bad actors are leveraging a particular service provider to get their traffic onto the network, to come after the financial institutions like the one that you represent. They're going to be really mad that they have to identify who they are and that gets into the hands of Mr. Sam Fadel. Then you’re going to have a lot of information for tracebacks.
Sam Fadel: When you mentioned spoofing, spoofing is one of the many ways of beating the systems. You have swapping, you have porting, which was a problem for a while, we had some carriers that perhaps didn’t pay enough attention to the porting issue. With SIM swapping, I noticed when I go to a phone store they ask me for more information like ID and they don’t just look at your driver’s license, they scan the barcode to make sure it’s consistent with your account.
But in the spoofing case, I’ll give an example of how serious this matter is. So the DIV comes in and a lot of the stores don’t accept the mag stripe, it has to be the fallback. So you have to dip your card three times before you swipe, and then it becomes more of a suspicious transaction because now the liability may be at the merchant level or it may be at the issuer level, we don’t know yet, it depends on the transactions and contracts. So what do you do? You go to a place that has a mag stripe. Who has a mag stripe? Fuel pumps, ATMs, or older ATMs like ones located in stores.
I had a case of somebody calling in and simply getting a debit card reset, a PIN reset. That’s it, that’s all they did. It’s not a terrible thing to do if you forgot it, or your wife did it and you can’t remember it. And they’re really good social engineers, they can call in and sweet talk. Well, I knew what they were doing, we were pulling video, we had pictures of them, we knew who they were and knew their faces but were trying to get a name. We got one who had an app that he was using to call in posing as the card member’s phone number so that when we received the call, the spoof showed the card number holder’s phone number. But yet they were able to successfully get a new PIN and using the counterfeit were able to go into ATMs and drain it.
They would stand there for quite a period of time, card after card, account after account. His app was based in the Pacific Islands and he was arrested. Unfortunately, I don’t know why, but it had a 185 number memory capacity. So when I asked the detective to take it to the secret service task force to analyze the phone, sure enough, we got a search warrant, and did that, he made185 phone calls to the same issuer. Every phone number posing as the caller belonged to a legitimate customer who was compromised. So that’s common and this happens. We think with the EMV there it’s going to be harder. But they think if they can’t duplicate one to get one on their own. So doing that really happens and these companies don’t know how it happened. How can spoofing happen with so many calls back-to-back to financial institutions?
Rebekah Johnson: This is where I don’t think that the analytics that we’ve deployed is going to identify these, while they may be somewhat small attacks, they are big with regards to the impact they have on consumers. Analytics are a great thing to have, we cannot be without them. But it's just so focused, everything seems so focused on the impact directly to the consumer that comes via the bad actor to the consumers’ device, and here’s another example. I guarantee you that the analytics did not catch that. We're not identifying the truly bad actors through that method and they're going to continue to exploit that as much as possible while the analytics gets better and better and successful at the consumer side of it.
So I’m just reiterating the value of the Know Your Customer. It ends up being a gate that the bad actor has to get through and we'll identify those whose gates are lifted up and have let anybody through versus those who require a bunch of steps to go through. So I want to just step back for a moment and start with where the requirement for KYC arrives. So KYC, for those who may not know, is Know Your Customer, and it is a framework, it is not a policy. It is not a one-time process, which you’ve heard Sam mention several times already. It is a living framework composed of various customer due diligence obligations under regulations such as the ones that you mentioned like anti-money laundering, counter financing of terrorism. It is also related to regulations associated with tax and conduct of business, such as common reporting standards. So it derives from these regulations.
I actually leveraged those regulations and years of implementation, enforcement, and monitoring experience that they've had to set a course for KYC as it related to the robocall issue. In preparation for our conversation today, I actually found my deck where I presented this concept to the major tier carriers as one of the missing elements required for trust in the network. It’s hard to believe that that was back in January of 2018 when I made this bold step to frame a possible future to combat fraud at the origination of calls through the adoption of KYC. Fast forward three-plus years and KYC is part of the FCC best practices, the standards, and the solutions.
Before we jump into the topic of KYC to combat fraud as it relates to STIR/SHAKEN for voice service providers, there is no way I can skip past some of the fascinating and most unbelievable stories that you’ve already shared. I find one of these quite fascinating as a consumer and for those listening who need to be aware of this type of fraud that may occur where we are, unknowingly, participants in fraud. So, Sam, I would love for you to share the three-way attack that is done. I had no idea that this type of fraud was happening.
Sam Fadel: Well, the three-way attack is a trend that is not going away. The banks are trying, financial institutions include anyone who deals with money, FedTech companies, banks, credit unions...they’re trying to combat the fraudsters so they know they have your phone number. They know Rebekah’s phone number is 123-456-7890 and they receive login credentials, for example, that don’t quite match or they do match but the device isn't recognized so they send you a one-time passcode. They know it’s you, but they ask for a word. They know it’s you, they’re the bad actor calling you on the phone pretending to be with your bank and calling about “unusual activity on your account,” to gain your trust.
Once they’ve gained your trust, they simply click on the one-time passcode to your cell phone to make sure they were speaking with you by asking you to provide them with the number they just texted you on your phone. Your phone beeps, you give them the number, they type it in, and now they’re in your account and you have no idea you just helped me get into your account. The problem is a bad actor called you not your bank, and the bad actor may have spoofed the number so it shows your bank's name on there. How did they get that? The dark web and open web, unfortunately, and on social media where people give out your information and bad actors actually data mining for that. What does that mean? They actually compile the data on you from different sources. So they have an idea of where you bank, where you work, maybe your account numbers which were on the dark web and they’ve built up from there.
I’ve done presentations for the service before where we actually do that; we’ll buy your credit card number. We know which zip code you live in so we’ll run your name and that zip code in a database and identify you and get your social, your address, your phone number, and your email. Now that I have tracked it I have all your information. I do a credit bureau on you through a third party that has a weak verification process and then now I have your bank. So I’ll call posing as your bank, Tuesday Talks Bank, and you know you bank there and it must be them because it shows up on your caller ID because they spoofed the number. Then, when you give them that password, they’re in your bank and in your account and can conduct transactions out of your account. They’ll call and ask, “Did you go to Macy's today?” If you didn’t, they’ll want to close your account. Now you know not to expect any traffic from your account because your bank account is closed, so then they'll take over your account that way. This is happening quite a bit and they’ll send money out to make big purchases.
Verifying these calls and authenticating the calls being made is crucial. Whether it’s a robocaller calling not about the insurance on your car, but to offer you better interest rates on your account. That’s a scam that I worked on for many years because there are many groups doing it. The sad part is that they’re targeting the same people because they have a list of the same victims that fall for it. That’s why after you see calls you don’t acknowledge those calls from your “car insurance” or robocalls with a real number because you know they’re going to keep calling you. They know that those people are vulnerable so they’re going to keep selling that information. We have gang members in south Florida killing each other over those lists. They know who is a vulnerable victim and who is a vulnerable target.
So that authentication piece is so important and the phone companies who need to do something about it need to respect that and realize that they’re the backbone for the financial industry. That’s how they contact customers so if they could better secure that they can better secure their accounts. And it’s not the banks losing money at the end of the day, it’s the customers because everything gets pushed down to the customers.
Rebekah Johnson: Sam, I appreciate you giving that sentiment because a lot of the time I’m just preaching it and nobody wants to hear from me after a while. That’s why I’ve got people like you to come and speak to it. It's heartbreaking and I already know this is going to happen and I hate that I'm going to be right about this. Most things I actually don't want to be right about but this one I know I'm going to be right about. For service providers it’s just business, they don't want to shut down their traffic and they're going to sell A-Level attestations.
You and I have talked about the verified green checkmark that shows up as a result of STIR/SHAKEN, it's pulling in data and the carrier will present “Verified.” We've chosen, as an industry, to use the word “Verified,” so guess what? We’ve either built an incredible infrastructure for more nefarious activity or actually shutting them down. I'm afraid we're going to go through a cycle of actually creating a better nefarious environment for these bad actors to be able to exploit consumers because I've already got my name on a pre-approved call list. I got a pre-approved call yesterday, my name is on a ridiculous amount of lists. So I was pre-approved and it showed up as “Verified” with the green checkmark. I answered the call, regrettably. After I answered it I thought, “Here we are.” We’re literally creating an environment where bad actors because service providers are not going to do as practices and we’re pretty weak or very weak right now in the United States on what we expect from service providers, but right now it’s a best practice.
So the best practice is Know Your Customer. You define what it is, if it's just a contract, fine, it's just the contract. You allow the traffic to go through, you sign an A-Level attestation that you know who they are and that they're authorized to use the number. It’s presented on the consumer’s device, it's going to be data that goes into your client’s call centers and they’re supposed to trust that data. I have a lot of concerns that because we've got some that are just meeting a compliance requirement and checking it off as having done it, they don't understand what their role is and why they're doing what they're doing and being asked to do. So I really appreciate you bringing that to light. We just want to stand on the soapbox and say “Yep.”
Sam Fadel: Yeah I agree because I see the results of that behavior. So it’s a business decision that they’re making, I’m pretty sure. It’s a balance issue of how much we want to spend on that? It's not a money-making issue for them, it's not the money, it's not revenue, it actually goes against it but it’s the right thing to do though.
Rebekah Johnson: So with STIR/SHAKEN and the ability to attach, we're going to assume we're all doing it right, everybody is on board to have a robust Know Your Customer process, nobody's getting any A-Level attestations until I know who the entity is behind the calls and your authorization to use a number. So I'm going to believe we live in that world and it’s wonderful, it's going great. It's going to make identifying the origination of calls a lot easier. That also means that we’re able to know who we have to hold accountable if it ends up being something that is harmful to the consumer. Let’s say we conclude with that.
Do you feel the additional traceback elements now made available via STIR/SHAKEN will improve the ability to trace and prosecute bad actors? Since you've been in that world of identifying the bad guy but then putting all those cases together to figure out how to make sure that they don't do this again. I’d love your feedback on that.
Sam Fadel: Absolutely, because now, it’s a long road to China. Let’s say we get that information, especially if it’s VoIP going through different networks. When I speak with investigators, and I’ve taught classes on this and someone in our department also does classes exactly on that, when you run a phone number and it comes back to a service provider or an internet company or ISP, it takes a lot of effort to send out subpoenas and get them back. By the time we get them back, it could be 30-90 days, it’s a long time. Because it’s not one person, it bounces off the other. So by the time we trace that call, it takes forever. I think this program makes it a lot faster because it doesn’t require the subpoenas that take you a long period of time. The longer it takes the longer the bad actors have to commit crimes and victimize people.
So it’s definitely going to be a big plus if the information is pushed out to our law enforcement partners on how to take advantage of this program.
Rebekah Johnson: So here at the end, I'm going to give you the opportunity to give us three key takeaways for this audience.
Sam Fadel: Well, KYC is one of the strongest forms of combating fraud in the financial industry. It combats fraud in many ways, like I mentioned at the beginning with accounts being opened through the life cycle of the account through transactions, and transaction monitoring, it’s huge. Banks benefit by being compliant with the government in being able to keep their business open because I’ve seen banks shut down or be prevented from opening new lines of business until they comply. We can take the same principles learned in our successful investigations in combating fraud in the financial industry and apply those to the emerging challenges to the voice and messaging networks. This works; this response to KYC, for the most part, works pretty well in the financial industry so we can reapply that to the voice and messaging networks.
And again, KYC isn’t a one-time initiative. It's constantly evolving, it’s constantly changing with risk management, the threat mitigation strategies and as the bad actors evolve and change their tactics, technology has to evolve and meet them. So it’s a cat and mouse sort of thing. In the past you’d get a letter in the mail from Nigeria or from anywhere in the world, now you get an email or a text message. So it’s evolving and it’s a constant challenge because we make a living working hard every day, and so do they, but unfortunately, it’s from a criminal nature.
Rebekah Johnson: Thank you, Sam, and I’m going to wrap that all up. Simply stated, and you’ve said this, it is crucial in complying and staying out of the feds yourself. So thank you, Sam, for that summary.
Let's move to questions from the audience with the couple of minutes that we have left.
Molly Weis: Let's start with this one that came in through the chat window: How is a call displayed as “Verified” it's the number that was verified is spoofed?
Rebekah Johnson: I’ll answer that one since it’s more on the standards side. What we expect is that the green checkmark will be the result of the A-Level Attestation. I’m going to try and keep this to simple terms. A-Level Attestation means that the service provider who is attaching their identity, along with the customer’s information to the call, has attested to knowing who the entity is behind the number and they are authorized to use that telephone number. Spoofing in and of itself is not illegal, this is a very common practice. It creates efficiencies not only for the call originator but also for consumers such as a pharmacy. The number that you're presenting needs to be a number that you can call back to regarding your prescription or to talk to your pharmacist. It’s going to be on the service provider to make sure that the number that they are spoofing is also a number they are authorized to use. They should have evidence of that.
Molly Weis: What advice would you give to contact center leaders within the financial industry to train their agents to monitor for incoming fraud attempts into the call center?
Sam Fadel: This one is more up my alley. We can write a book on this, there are actually manuals on what is fake and what to look for. Unfortunately, because our biggest enemy, in this case, is not looked at as much because customer service is king. With connectivity issues, I’ve heard countless calls where bad actors are playing with their phones. If you have canned responses from the callers, they’re trying the same things over and over again. What does that mean? “I had a house fire,” “I'm not home,” “I can't read my phone,” “I cracked my screen,”...If you can make a call you can read your phone. I'm going to send them a one-time password but they don’t have that and are calling in.
I’ve had cases where you hear papers shuffling when you’re asking questions like “What’s your mother’s maiden name?” and they’re shuffling paper. “Have you owned this car before?” and they’re shuffling paper. I had one call where the caller called in as a female, as a middle-aged female. Three minutes into the call, he changed his voice to a man's voice all of a sudden. When referred to as “Sir,” he acknowledged Sir when it’s really a female on the account. A lot of it is common sense, a lot of it is listening to the calls to see if they make sense. Listen to the end responses if you have the same call coming in over and over again. Look at the phone number, has it called in three or four or five times before on the same account? When there’s something wrong and they keep trying different answers that don’t work so they call back again. I’ve seen that happen countless times.
The really bad ones are the static ones or the broken screens. These things don’t make any sense. If I can call you I can read my screen to read the password that you’re sending me for my account. Or if the reception is bad because they’re changing their voices. We had one group hit us with a voice app that changes your voice, so they’re foreign bad actors that almost sound like robots talking. And we started picking those up ourselves and determining those are robocalls with a voice app they’re using. There are countless ways. As I said, it’s a thick book when teaching call centers how to respond to these fraudulent calls.
Rebekah Johnson: Is that information that they can find through the association that you represent? Can we direct them to the organization site for additional resources?
Sam Fadel: We have a lot of resources on our website where it’s a paid membership. And I’ll give a shameless plug: we have a conference coming up in August in Chicago. It involves 30% law enforcement, 30% financials, 30% folks like you, Rebekah, you provide services for the financial industry, and our training topics are of a wide range. We have a lot of training topics on financial fraud and it’s worth your while.
Rebekah Johnson: Well perhaps I’ll be there and we can continue our talks. We'd like to thank all of you for joining us for another episode of Tuesday Talks. We hope to see you all again on Tuesday, July, 13th where we will be joined by Gerry Christensen of YouMail to discuss call spoofing and brand monitoring as STIR/SHAKEN is rolled out. Thank you, everyone.
