Identity theft continues to be the most common contributor to fraud globally, and it is rising since the start of the coronavirus. In August 2020, 29% of respondents to a survey of fraud examiners worldwide reported a significant increase in identity theft risk. Additionally, 43% of respondents expected a substantial increase in identity theft risk over the next twelve months. According to a study by Javelin Strategy & Research, fraud losses due to identity takeover rose 15% in 2019 compared to the previous year. The study also notes that 40% of identity takeover-related fraud happens within a day of opening an online account. Buoyed by a surge in online and mobile banking transactions over the last few years, fraudsters have shifted their focus from card fraud to online identity takeover.
In the next section, we will explore some of the most prevalent identity fraud attacks and what companies can do to protect themselves and their customers using stepped-up authentication reinforced by Phone-Centric Identity.
IcedID Banking Trojan: This phishing attack started in March 2020 as the COVID-19 pandemic set in and is still ongoing. Fraudsters use steganography techniques—the practice of hiding malicious code in image files—to trick unsuspecting users into opening COVID-19 related attachments. The malware then collects users’ credentials and online financial data. Users of several financial institutions and e-commerce companies have been the victims of the IcedID attack.
Vizom: Used to attack online banking users in Brazil, Vizom is a malware that utilizes remote overlay attacks and DLL hijacking by disguising itself as video conferencing software. Once downloaded, the malicious code resides in the operating system and detects online banking transactions to steal sensitive credentials. What follows is a series of fraudulent transactions from the victims’ bank accounts. Since discovered in Brazil, this malware is reportedly spreading into other South American countries and Europe.
Mobile Emulator Farms: A major mobile banking fraud operation managed to steal millions of dollars from financial institutions in Europe and the US within a matter of days in each attack before being intercepted and halted. In these attacks, a professionally motivated group of fraudsters uses malware to access mobile devices and then uses mobile emulators to set up thousands of spoofed devices. Fraudsters steal the victims’ online credentials to initiate fraudulent financial transactions. Since the entire device, including its device characteristics, is emulated, fraudsters can circumvent standard security methods such as device binding. Fraudsters reportedly used over 20 emulators in the spoofing of well over 16,000 compromised devices.
SIM Swapping: SIM swapping is one of the fastest-growing fraud vectors globally. Scammers trick victims into sharing personal information, which is then used to fake identity documents to secure duplicate SIM cards or port the number to an existing SIM card in their possession. This allows them to gain access to SMS-based one-time passcodes, which scammers use to authenticate financial transactions. SIM swap fraud has surged globally, particularly in emerging markets, where growth in digital transactions has been exponential.
The wave of financial fraud during COVID-19 has been particularly pronounced. In the early days of the pandemic’s onset in March 2020, Action Fraud, the UK’s fraud & cybercrime reporting center, reported a 400% increase in fraud. In a TransUnion study in March 2020, 22% of Americans stated that they had been targeted by digital fraud since the onset of COVID-19. According to a report by The Wall Street Journal, investigators estimate close to $70 million worth of losses in 2019 due to SIM swapping. According to Action Fraud, SIM swapping cases have also been steadily increasing in the UK, with estimated consumer losses exceeding £10 million since 2015.
The general pattern in all the cases above can be broken down into two parts—stealing identity credentials using malware installation on devices, followed by the execution of fraudulent transactions using the stolen credentials. Effective prevention of fraud should include mitigating the vulnerabilities of both parts of this process.
Consumers are expected to exercise basic prudence when it comes to securing their devices from malicious intrusions. This includes keeping their operating system updated, having an updated anti-malware software, refraining from responding to unsolicited emails & attachments, and downloading unverified apps on their devices. It also helps to change user credentials frequently. However, as observed in the past, this may not be enough.
Enterprises need to secure their customers against fraudulent transactions by strengthening transaction-level security using robust authentication methods. This will ensure that consumers stay protected from financial losses even in the event of identity theft. Although multi-factor authentication using SMS- and voice-based one-time passcodes (OTPs) has existed for a long time, fraud vectors such as those based on SIM swaps may still manage to circumvent them. A study of 385,000 transactions by Prove uncovered that 5% of MFA-based mobile transactions still had low SIM-tenure indicating a high likelihood of SIM swap.
The solution to reinforcing stepped-up authentication lies in using Phone-Centric identity. Phone-Centric identity refers to a broad set of phone signals that can be combined with data and transactional attributes from other sources such as banks and credit bureaus to perform stronger authentication and identity verification. These signals include line tenure, line behavior such as calls, texts, ad-views, line event history, SIM swaps, and event velocity. Since mobile phones provide the most comprehensive digital footprint of the consumer, the volume and diversity of signals collected over a long time provide the highest correlation to a consumer’s identity. Phone-Centric identity can either completely replace traditional authentication methods such as passwords and OTPs or strengthen them. In addition to its advantages over traditional methods such as security questions and static passwords, it removes the need to download soft tokens or use physical hardware for authentication, thereby improving customer experience.
As technology improves consumer convenience, cyberthreats continue to improvise. Continuous innovation and improvement in security leveraging alternate sources of data and signals is key to a steadfast response to emerging threats. The ubiquity of mobile devices in consumer lives makes them a proxy for consumers’ digital identities. Phone-Centric identity, combined with emerging techniques like passive biometric authentication and behavioral detection, is critical to mitigating these types of threats.