
Using Trust Score™ To Counter Account Takeover Fraud 

Post by:
Prove
September 2, 2021

While the rate of robberies in the United States has plunged by 68% since 1993, according to statistics compiled by the FBI, rates of identity theft have skyrocketed. In just one year, between 2019 and 2020, identity theft losses jumped by 42% to a total of $712.4 billion. To put that in perspective, the total amount of money lost to identity theft in the United States is comparable to the GDP of Turkey. While many different crimes fall under the identity theft umbrella, nearly one-third of identity theft victims lose their digital identity through account takeovers (ATOs). An account takeover occurs when “a malicious third party successfully gains access to a user’s account credentials. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization.” Fortunately, merchants have the power to prevent fraud and protect consumers by investing in new phone-centric technology that fortifies one-time passwords and prevents account takeovers.

To understand one of the most common ways fraudsters commit account takeovers, it’s crucial to understand both the pros and cons of one-time passwords (OTPs). When a consumer forgets their password, they can request an OTP to be sent to their mobile device. After entering the OTP into the website, the consumer can then reset their log-in credentials. This offers consumers a convenient and quick way to access their accounts. Unfortunately, there are also downsides to OTPs. While some criminals trick victims into sharing their OTPs—this is called social engineering—others steal the OTPs by hacking into an individual’s mobile phone. 


Here are three common ways fraudsters exploit weaknesses in the telephonic infrastructure to compromise OTPs: 


  • SIM Swap: While legitimate SIM swaps allow customers to keep their phone numbers while switching carriers, hackers can use stolen PINs (often stolen during data breaches and sold on the dark web) to SIM swap a victim’s phone without their knowledge or consent. Jason Cipriani from CNET explains: “At its most basic level, during a SIM swap, a SIM hijacker convinces your mobile carrier to port your phone number over to their SIM card. By transferring those incoming messages, fraudsters can easily access your most sensitive accounts by completing text-based two-factor authentication checks.”
  • Call Forwarding Scam: When a customer requests an OTP, they often choose to have the OTP sent via SMS or read to them over the phone (voice OTP). While voice OTPs are a great way to provide equitable service to visually impaired customers, fraudsters can also steal them using the call forwarding setting. 
  • Device Swap: A device swap is a simpler version of a SIM swap because it involves stealing the actual SIM card of a victim. A fraudster inserts the stolen SIM card into a new phone, enters the stolen PIN purchased from the dark web, and steals the OTPs to access the victim’s accounts.


While there are significant differences between these three common methods of stealing OTPs, each involves two key elements: exploiting cybersecurity weaknesses in our telephonic infrastructure and stealing OTPs. While improving our telephonic infrastructure is critical, it will require unprecedented cooperation between cellular carriers and government regulatory agencies and could take years to implement. In the meantime, companies must prevent ATOs by becoming more discerning about who should and who shouldn’t receive OTPs.

 

To prevent fraudsters from committing ATOs, companies need to measure the trust level of a transaction based on intelligence gathered about a phone number. Trust indicators can drive the decision and workflow for enforcing different modes of authentication. Typical trust indicators are tenure of the SIM, tenure of the device linked to the phone number, and whether call-forwarding has been enabled on it. Low SIM and device tenures and an out-of-the-ordinary call-forwarding setting on a phone number are red flags that indicate a potential account takeover. Using phone-centric technology, companies must make informed decisions about whether or not a phone number is trustworthy enough to receive an OTP. 
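The gating decision described above can be sketched as follows. This is an added example, not Prove's code or API: the `PhoneSignals` record, the threshold values, the action names, and the choice to treat any enabled call forwarding or missing signal as a red flag are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds; tune against your own fraud data.
MIN_SIM_TENURE = timedelta(days=7)
MIN_DEVICE_TENURE = timedelta(days=3)

@dataclass
class PhoneSignals:
    """Hypothetical carrier-intelligence record for one phone number."""
    sim_changed_at: Optional[datetime]     # last SIM change; None = unknown
    device_changed_at: Optional[datetime]  # last device change; None = unknown
    call_forwarding: Optional[bool]        # None = unknown

def _tenure_flag(name, changed_at, minimum, now):
    """Return a red-flag string, or None if the tenure is long enough."""
    if changed_at is None:
        return f"{name}_tenure_unknown"
    age = now - changed_at
    if age < timedelta(0):
        return f"{name}_timestamp_in_future"  # bad data: do not trust it
    if age < minimum:
        return f"{name}_tenure_low"
    return None

def otp_decision(signals, now):
    """Return (action, reasons); action is 'send_otp' or 'step_up'.

    Fails closed: a missing or implausible signal counts as a red flag,
    and 'step_up' means using a factor that does not depend on the phone.
    """
    reasons = [flag for flag in (
        _tenure_flag("sim", signals.sim_changed_at, MIN_SIM_TENURE, now),
        _tenure_flag("device", signals.device_changed_at, MIN_DEVICE_TENURE, now),
    ) if flag]
    if signals.call_forwarding is None:
        reasons.append("call_forwarding_unknown")
    elif signals.call_forwarding:
        reasons.append("call_forwarding_enabled")
    return ("step_up" if reasons else "send_otp"), reasons

# Constructed sample data (not real carrier records).
NOW = datetime(2021, 9, 2, 12, 0, tzinfo=timezone.utc)
ESTABLISHED = PhoneSignals(NOW - timedelta(days=400), NOW - timedelta(days=200), False)
RECENT_SWAP = PhoneSignals(NOW - timedelta(hours=6), NOW - timedelta(hours=6), False)
FORWARDED = PhoneSignals(NOW - timedelta(days=400), NOW - timedelta(days=200), True)
NO_DATA = PhoneSignals(None, None, None)
```

Logging the returned reasons alongside each decision gives fraud analysts the data needed to adjust the thresholds later.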


Using Prove’s Trust Score™, companies can detect whether or not a phone has recently undergone a SIM swap or whether or not it has a call-forwarding setting enabled. In order to cut down on fraud and protect customers from identity theft, companies can fortify their one-time password protocol using phone-centric technology.

To learn more about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.

