Porting attacks have earned their place on Prove’s list of 8 major fraud vectors because they are both quite common and extremely harmful to the victim.
A porting attack refers to a type of fraud where fraudsters use call porting to take over the online accounts (banking, crypto, etc.) of victims. Hence, porting attacks (similar to SIM swap fraud) fall under the umbrella category of Account Takeover Fraud.
To understand how a porting attack works, you need to understand the purpose of legitimate call porting first. With call porting, consumers can switch service providers while keeping their phone numbers. If you have ever switched from AT&T to Verizon or vice versa to take advantage of a compelling offer, for instance, but still kept your phone number the same, you have used call porting.
Because ensuring access to call porting is critical to maintaining a healthy and competitive telecommunications marketplace, the FCC requires service providers to port numbers within one business day. Unfortunately, the speed and ease of porting paired with the widespread adoption of 2FA and OTPs, have given criminals a relatively easy way to commit widespread fraud at scale.
2-factor authentication (2FA) pairs two forms of credentials with the goal of making digital interactions more secure. For example, 2FA might pair ‘something you know’ (your username & password) with ‘something you have’ (your phone). To complete a possession check, companies might send out a one-time passcode or OTP. For companies that choose this method of 2FA, this is the step that is vulnerable to a porting attack.
Today, the one-time passcode (OTP) is a commonly used credential that verifies a user’s identity using something you have (a phone). At Prove, we call this ‘running a possession check.’ When a customer first creates an account, they enter their phone number. Later, when they log in or complete a high-risk transaction, a series of random digits is texted to their phone. This is an OTP. To continue, the customer must enter the OTP that was texted to them. With porting attacks, fraudsters can intercept the OTP and gain access to the victim’s account.
To take over a victim’s online bank account, a fraudster will need to reset the account’s password. In many cases, resetting passwords is not possible without completing the possession check. To access the victim’s OTP, the fraudster may use a porting attack.
During a porting attack, the fraudster will sign up for a new cellular carrier under the victim’s name and provide some basic information. In his article for Medium, (“SIM-swap and number porting attacks: should you be concerned?”), Luc Delorme explains the basics:
“It’s also deceptively simple to steal someone’s service by porting it to a new plan at a new carrier. All a scammer needs to do is sign up for a new phone line and provide your name, phone number, and your wireless account number. The new carrier will set up the line and port in your number. This usually happens in minutes.”
By the time the victim realizes their phone is no longer connected to a service provider, the fraudster has intercepted the OTP, gained access to the victim’s bank account, and often stolen their life savings.
While porting attacks involve switching a phone number from one carrier to another, SIM swap fraud involves changing devices within one carrier.
Victims of porting attacks describe the experience as traumatizing. Losing access to your phone number, bank accounts, and ultimately, your money in short succession is terrifying.
An important step consumers can take today to protect themselves from porting attacks is to set up a SIM transfer PIN. Of course, more advanced solutions that don’t require additional PINs and customer intervention would ultimately be preferable from both a security and customer experience perspective.
Companies play an integral role in preventing fraudsters from stealing OTPs and accessing victims’ accounts. Today, leading banks, financial institutions, and companies from almost every industry are leveraging Prove’s Trust Score to avoid sending vulnerable OTPs to bad actors. Here’s how it works:
Prove’s Trust Score™ is a real-time measure of phone number reputation that can be leveraged for identity verification and authentication purposes. Trust Score analyzes behavioral and Phone-Centric Identity™ signals from authoritative sources at the time of a potential transaction to mitigate fraud such as SIM swap fraud and other account takeover schemes. Trust Score can be utilized to secure the customer experience in a number of different scenarios from digital onboarding to digital servicing and existing customer authentication.
In short, a phone number that has recently undergone a porting attack will have a lower Trust Score and not be eligible to receive OTPs. Today, Trust Score is widely considered a must-have for any organization that issues OTPs.
Companies are also beginning to phase out passwords and OTPs together in favor of passwordless technology.
The rise of 2FA has contributed to the significant surge in porting attacks. Porting attacks leverage vulnerabilities in our telecommunications system to take over the accounts of victims. To prevent porting attacks from compromising your customer’s accounts, leverage Trust Score before sending out an OTP.
Join over 1,000 businesses that rely on Prove across multiple industries, including banking, FinTech, healthcare, insurance, and e-commerce. Contact us today.
Trusted by 1,000+ leading companies to reduce fraud and improve consumer experiences. Contact us today to learn how you can frictionlessly secure your digital consumer journey — from onboarding to ongoing transactions.
Tap the button below to read our latest white-paper on the subject as industry leaders.
Contact us to learn how leading companies are using Prove Pre-Fill to modernize the account creation process by shaving off clicks and keystrokes that kill conversion.
Get in touch to find out how we can help you identify your customers at every stage of their journey and offer them seamless and secure experiences.
Let our expert team guide you through our identity verification and authentication solutions. Select a date and time that works for you.
Find out how we can help you deliver seamless and secure customer experiences that comply with PSD2/SCA. Select a date and time that works for you.
Download Aite-Novarica Group’s full report about Prove Pre-Fill, including a product overview, customer results, and how the product works.
Download the guide now to learn how you can improve security, cut down on fraud, and create the best possible customer experience.