Several cases of strange, apparently fraudulent phone calls have recently been reported on social media and have caught the attention of the cybersecurity community.
According to the testimonies, unlike in well-known phone scams, the callers do not pose as bank employees or ask for card numbers and PINs. They merely ask a few seemingly meaningless questions (are you Mr. NAME/LAST NAME?, are you a regular Internet user?, and so on).
If these calls are part of a fraud, the operators of the campaign appear to want the target to answer their questions with a simple ‘yes’. Why would fraudsters be interested in that?
Cybersecurity experts say that by doing this, threat actors are collecting voice samples, a form of biometric data that some banks use for customer authentication. Russia is one example: banks there can provide certain services without the customer visiting a branch in person.
Examples of biometric records
In order to access these remote services, bank customers must enable voice authentication, which requires them to repeat a few phrases so that the bank can store a biometric record of their voice; that record is later used to verify their identity.
Alexander Dvoryansky, a Russian cybersecurity expert, states that “hackers could access these biometric databases, extract them and sell them on dark web forums; although in most cases it would not be possible to access a victim’s account using only the word ‘yes’, hackers could access all of a user’s voice records, which must contain the keywords or phrases needed to compromise the banking account.”
On the other hand, Andrey Golovin of the Russian Department of Information Security mentions that “in addition to voice authentication, hackers would also require access to passwords or other biometric records (such as facial recognition) to access a bank account, so the complexity of the attack increases considerably.”
“In addition, each conversation with a bank employee will be different, and it would be really difficult for employees not to distinguish between a recorded audio sample and a real conversation,” the cybersecurity expert said. Another point to note is that users of these remote banking services must register a list of authorized payment cards with their bank in advance, so a potential intruder would not be able to make a transfer to any other card.
Specialists from the International Institute of Cyber Security (IICS) mention that one of the main measures to protect against this potential fraud is to avoid answering phone calls from suspicious numbers and, should the user decide to take the call, to avoid saying the word ‘yes’ during the call. Users who do not rely on voice authentication are also encouraged to disable the service completely.