New AVR credit card attack?

I’ve experienced just about every email/phone/web fraud you can think of. Nigerian email scams, phishing, XSS, and phone calls from folks pretending to want to “verify” my credit card information. Today I experienced a new one that is more brute force than the others I’ve seen.

Warning sign #1 – unsolicited call
I was driving to an appointment and the OnStar line in my Tahoe rang. This is unusual because I only use that line for the occasional outbound call when I’m stuck in traffic, and only a couple of people have it, none of whom bother to call it. I answered the call, and after a couple of seconds…

Warning Sign #2 – AVR
I got an automated voice response system (AVR), one that appeared to be very very old. It sounded, in fact, like the old Software Automatic Mouth. I didn’t have a recorder going, but the general message that came out of this was “Your credit card shows suspicious activity. Press one to verify this activity or two to leave”. Intrigued, I pressed one.

Warning Sign #3 –
After pressing 1, the AVR moved on. The AVR never told me anything to help me identify which account it might be talking about (e.g. by giving me the last 4 of an account number). What the AVR *did* do, however, was ask me to enter my credit card number. Since I was in the Tahoe, I didn’t have a keypad. Trying to use the OnStar AVR to enter a (bogus) credit card number was less than successful, so the call ultimately dropped.

I suspect that the system is driven by some public record data sources, or partially complete transaction data pilfered from a commercial database, and that the AVR is simply robo-dialing for the missing pieces. For instance, if the AVR had my name and address, it would need to acquire the CC#, expiration date and verification number. You can imagine other scenarios based on various data sources (an e-tailer transaction log with everything except the credit card number, which was encrypted?).

This is an interesting attack model. It is mildly more expensive than e-mail, less obvious as an attack because it uses an AVR (albeit a crappy one), and easy to automate.

If anyone out there has experienced this ‘retro-phishing’, I’d sure like to know.


~ by stevegoldsby on April 30, 2009.
