While the rate of robberies in the United States has plunged by 68% since 1993, according to statistics compiled by the FBI, rates of identity theft have skyrocketed. In just one year, between 2019 and 2020, identity theft losses jumped by 42% to a total of $712.4 billion. To put that in perspective, the total amount of money lost to identity theft in the United States is comparable to the GDP of Turkey. While many different crimes fall under the identity theft umbrella, nearly one-third of identity theft victims lose their digital identity through account takeovers (ATOs). An account takeover occurs when “a malicious third party successfully gains access to a user’s account credentials. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization.” Fortunately, merchants have the power to prevent fraud and protect consumers by investing in new phone-centric technology that fortifies one-time passwords and prevents account takeovers.
To understand one of the most common ways fraudsters commit account takeovers, it’s crucial to understand both the pros and cons of one-time passwords (OTPs). When a consumer forgets their password, they can request an OTP to be sent to their mobile device. After entering the OTP into the website, the consumer can then reset their log-in credentials. This offers consumers a convenient and quick way to access their accounts. Unfortunately, there are also downsides to OTPs. While some criminals trick victims into sharing their OTPs—this is called social engineering—others steal the OTPs by hacking into an individual’s mobile phone.
Here are three common ways fraudsters exploit weaknesses in the telephonic infrastructure to compromise OTPs:
While there are significant differences between these three common methods of stealing OTPs, each involves two key elements: exploiting cybersecurity weaknesses in our telephonic infrastructure and stealing OTPs. While improving our telephonic infrastructure is critical, it will require unprecedented cooperation between cellular carriers and government regulatory agencies and could take years to implement. In the meantime, companies must prevent ATOs by becoming more discerning about who should and who shouldn’t receive OTPs.
To prevent fraudsters from committing ATOs, companies need to measure the trust level of a transaction based on intelligence gathered about a phone number. Trust indicators can drive the decision and workflow for enforcing different modes of authentication. Typical trust indicators are tenure of the SIM, tenure of the device linked to the phone number, and whether call-forwarding has been enabled on it. Low SIM and device tenures and an out-of-the-ordinary call-forwarding setting on a phone number are red flags that indicate a potential account takeover. Using phone-centric technology, companies must make informed decisions about whether or not a phone number is trustworthy enough to receive an OTP.
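The following is an added example (not from the original article, and not Prove's API) showing how the trust indicators named above could gate OTP delivery. The field names, the 7-day thresholds and the three actions are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    SEND_SMS_OTP = "send_sms_otp"          # number looks trustworthy
    STEP_UP = "step_up"                    # use a non-SMS factor instead
    BLOCK_AND_REVIEW = "block_and_review"  # withhold the OTP, route to review


@dataclass(frozen=True)
class PhoneSignals:
    """Hypothetical result of a phone-intelligence lookup; None = unknown."""
    sim_tenure_days: Optional[int]
    device_tenure_days: Optional[int]
    call_forwarding_enabled: Optional[bool]


# Assumed thresholds; tune them against your own fraud data.
MIN_SIM_TENURE_DAYS = 7
MIN_DEVICE_TENURE_DAYS = 7


def red_flags(s: PhoneSignals) -> List[str]:
    """Return the red flags raised by the three trust indicators."""
    flags = []
    if None in (s.sim_tenure_days, s.device_tenure_days, s.call_forwarding_enabled):
        flags.append("signal_unavailable")  # fail closed on a failed lookup
    if s.sim_tenure_days is not None and s.sim_tenure_days < MIN_SIM_TENURE_DAYS:
        flags.append("recent_sim_change")
    if s.device_tenure_days is not None and s.device_tenure_days < MIN_DEVICE_TENURE_DAYS:
        flags.append("recent_device_change")
    if s.call_forwarding_enabled:
        flags.append("call_forwarding_on")
    return flags


def decide_otp_delivery(s: PhoneSignals, high_risk_action: bool) -> Tuple[Action, List[str]]:
    """Choose an authentication mode; a password reset counts as high risk."""
    flags = red_flags(s)
    if not flags:
        return Action.SEND_SMS_OTP, flags
    # A fresh SIM or active forwarding means the SMS may reach someone else.
    reroutable = {"recent_sim_change", "call_forwarding_on"} & set(flags)
    if high_risk_action and reroutable:
        return Action.BLOCK_AND_REVIEW, flags
    return Action.STEP_UP, flags
```

Returning the flags alongside the action lets the caller log why an OTP was withheld, which helps when tuning thresholds and reviewing disputed decisions.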
Using Prove’s Trust Score™, companies can detect whether or not a phone has recently undergone a SIM swap or whether or not it has a call-forwarding setting enabled. In order to cut down on fraud and protect customers from identity theft, companies can fortify their one-time password protocol using phone-centric technology.
To learn more about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.