ClickCease

3 Key Takeaways from Prove's Q1 Fraud & Identity Roundtable

2023Q1 - 🕵️Fraud Roundtable

April 3, 2023
Prove
Learn More about the author: 3 Key Takeaways from Prove's Q1 Fraud & Identity Roundtable
Tags:
No items found.
Share:

Every quarter, Prove gathers industry executives in identity, fraud, and risk to discuss hot topics, key trends in the industry. This is a summary of what we discussed in Q1:

1. Prove Identity™ Prevents Tax Fraud Attack

By establishing a connection between the user attempting to onboard and their phone, Prove protected its clients and consumers from tax and identity fraud.

Bad actors used social engineering and online SMS services to perform an OTP authentication and attempt to file taxes using stolen PII before legitimate taxpayers could file.

  • We stopped the bad actors 🛑 by determining that the phone number used for the fraudster’s OTP did not belong to the PII submitted in the application. 

Prove also identified fraudulent transactions where bad actors recently claimed ownership of the phone number (e.g., less than 90 days before the attack).

For further protection, and to avoid the potential fraudulent transactions altogether, clients can replace traditional SMS OTP workflows with next generation authentication services that protect against social engineering, such as Prove’s Mobile Auth possession check that is performed as part of Prove Identity™ solution.

What is Prove’s next security enhancement? We are developing a signal to tag phone numbers associated with online SMS services as being higher risk.

2. SIM Cloning and SS7 Vulnerability Chatter

Fraud experts were alive with chatter about a potential SS7 vulnerability that could lead to SIM Cloning attacks. Our telephony experts dug in to clear up any confusion.

SIM cloning happens when someone creates a duplicate SIM card from an existing one. When deployed correctly, the SS7 protocol (international standard architecture for telephony signals) protects against SIM Cloning. 

  • We did our own research 💡 by contacting US mobile operators and confirmed that there are no known SS7 vulnerabilities that would allow SIM cloning to occur.

During our investigation, Prove identified that “usage forking” is commonly confused with SIM Cloning. Usage forking occurs when a bad actor accesses a phone number via an online portal or paid ‘fraud-as-a-service’ and uses the phone number without the actual owner knowing. 

3. OTPs Are Not Enough 

Prove continues to observe that high-risk transactions secured only by an OTP (SMS or Voice) are vulnerable to attacks. In some cases, bad actors used the same phone number combined with many different sets of stolen PII to try and create accounts. Without using a separate reputation check and phone ownership check as part of the authentication process, it’s tough to identify and prevent fraud. 

We wanted to remind attendees about Prove’s PRO methodology 🔐 and explain why it’s a next generation approach for lowering fraud rates and mitigating risk:

  • Possession: Confirm the phone number being used during a transaction 
  • Reputation: Evaluate real-time signals such as SIM history, porting history, and line type to determine riskiness of a phone number
  • Ownership: Confirm that the owner of a phone number is the person completing the transaction

PRO is a powerful methodology designed to prevent fraud through a layered, secure approach.

Conclusion

The discussion among Prove's industry executives in identity, fraud, and risk highlighted the importance of developing and implementing next-generation authentication services to combat social engineering and fraud attacks. A warm thank you to all of the executives who participated in this critical discussion.

The modern
way of proving identity

Trusted by 2500+ leading companies to reduce fraud and improve consumer

Keep reading

See all blogs
Read the article: Account Takeovers: The Silent Revenue Killer
Blog
Account Takeovers: The Silent Revenue Killer

Account takeover (ATO) fraud is rapidly becoming one of the biggest threats facing digital marketplaces and gig platforms. Learn how ATO attacks work, why they are accelerating, the latest fraud trends and statistics, and how continuous identity verification helps organizations prevent account takeovers while protecting revenue, customer trust, and user experience.

Blog
Read the article: The Silent Drain: How SMS Pumping Is Bleeding Digital Marketplaces Dry
Blog
The Silent Drain: How SMS Pumping Is Bleeding Digital Marketplaces Dry

SMS pumping fraud is silently increasing verification costs for digital marketplaces by exploiting OTP workflows. Explore how these attacks operate, why traditional SMS authentication is failing, and how proactive phone intelligence can prevent fraud before an SMS is sent.

Blog
Read the article: Prove and Baselayer Partner to Bring Real-Time Business Verification to ProveX
Blog
Prove and Baselayer Partner to Bring Real-Time Business Verification to ProveX

Prove and Baselayer simplify business verification by combining trusted identity, real-time KYB intelligence, and seamless onboarding into a single workflow without requiring additional verification steps.

Blog