Fraud is always evolving in the digital age, and the latest example is account takeover (ATO) fraud. This type of fraud increased in 2018, especially ATO fraud involving mobile phone accounts and online shopping accounts.
Why has ATO become such a problem? In part, it’s because fraudsters have learned how to exploit phone numbers to break into victims’ accounts. And that leaves merchants and their customers vulnerable.
The rise of mobile phone account takeovers
Mobile phone account takeovers rose from 380,000 in 2017 to 679,000 in 2018, per data from Javelin Strategy & Research. It makes sense because unlike login credentials, phone numbers are easy to find—we share them online and on business cards.
The problem is that many sites tie their password reset process to customers’ mobile numbers.
Once a fraudster hijacks a phone number, they can intercept SMS messages like two-factor authentication codes. With those codes, they can access the victim’s online accounts to reset passwords and change delivery addresses.
Until the victim or merchant realizes what’s going on, the fraudster can shop on the victim’s account.
The percentage of ATO fraud targeting online shopping accounts rose from 20% in 2017 to 22% in 2018.
SIM swaps and port-out scams
How, exactly, do fraudsters take control of someone else’s phone? Physical theft happens, but most of the time, the scammers are hijacking the victim’s phone numbers, not the phones themselves.
- SIM swap fraud
It’s a growing problem around the world. Fraudsters who know the victim’s phone number and carrier can dupe customer service reps into linking the number to a new SIM card. In some cases, thieves bribe mobile provider employees to make the swap.
- Port-out scams
Port-out scams use number and carrier information, plus as much personal data as the thief can gather. The thief then calls the carrier and requests that the phone number be moved to a different carrier. The personal data they’ve gathered can help convince the rep that they’re the customer. In both SIM swap and port-out scams, the fraudster then sees the SMS messages sent to the number.
Keeping fraudsters out of customer accounts
Asking customers to use mobile phone numbers for account authentication and password recovery is not ideal. What are the alternatives? There’s no single option that’s completely secure, but there are some new approaches that may be safer:
- Moving from SMS to push notifications or out-of-band biometrics to authenticate your customers
These methods are convenient for customers but significantly more difficult for fraudsters to overcome.
- The new 3D Secure 2.0 authentication protocol
It supports m-commerce and in-app transactions, reduces friction (which was a major problem for 3DS), and uses machine learning and a broader data set for better real-time authentication than 3DS. It is also recommended to have ways besides SMS and voice to alert customers to suspicious account activity.
- Checking the customer’s behavioral biometrics and other mobile attributes during each transaction
By comparing these attributes to a database of historical data for the customer (like time spent on each page, use of autocomplete, the total number of apps installed on the phone, and more), the scan can flag orders when the current user’s behavior doesn’t match the customer’s past behavior.
How to spot ATO fraud attempts
As with Card Not Present fraud, layered security is the best way to spot ATO fraud attempts. A robust anti-fraud program should verify customer identity, device, geolocation, and IP address. It should also analyze returning customers’ orders in the context of past purchases. These parameters should be adapted to the risks in each channel.
For example, as mobile account takeover rates rise, it’s wise to closely monitor your m-commerce channel’s rates of attempted fraud, completed fraud, and false positives. That data can help you improve your fraud screening process in that channel.
Flagged transaction: alerting customers
One technique that reduces false declines can also help identify ATO attacks. When an experienced fraud analyst manually reviews a flagged transaction, they may contact the customer directly. That call is a chance to see if the account holder is the person placing the order. If the analyst has a way to communicate with the account holder besides SMS and mobile voice (such as a work phone number or an email address), they can alert the real customer when there’s a problem, even if that customer’s phone number has been hijacked.
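The layered checks and the non-SMS alert path described above, as an added example (not code from the original article). The field names, the sample account data and the 24-hour window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed look-back window; tune per channel

# Constructed sample data; every field name here is hypothetical.
PROFILE = {
    "known_devices": {"dev-a1"},
    "known_countries": {"US"},
    "contacts": [("sms", "+1-555-0100"), ("mobile_voice", "+1-555-0100"),
                 ("email", "pat@example.com"), ("work_phone", "+1-555-0199")],
}
EVENTS = [
    {"ts": datetime(2019, 3, 1, 9, 0), "type": "password_reset", "via": "sms"},
    {"ts": datetime(2019, 3, 1, 9, 5), "type": "address_change"},
]
ORDER = {"ts": datetime(2019, 3, 1, 9, 20), "device": "dev-zz", "ip_country": "CA"}
LATER_ORDER = {"ts": datetime(2019, 3, 5, 9, 0), "device": "dev-a1", "ip_country": "US"}


def ato_signals(profile, events, order, window=WINDOW):
    """Return the layered signals that fire for this order."""
    recent = [e for e in events
              if timedelta(0) <= order["ts"] - e["ts"] <= window]
    signals = []
    if any(e["type"] == "password_reset" and e.get("via") == "sms" for e in recent):
        signals.append("recent_sms_password_reset")
    if any(e["type"] == "address_change" for e in recent):
        signals.append("recent_address_change")
    if order["device"] not in profile["known_devices"]:
        signals.append("new_device")
    if order["ip_country"] not in profile["known_countries"]:
        signals.append("new_geolocation")
    return signals


def needs_review(signals):
    """One signal alone is common; two or more go to manual review."""
    return len(signals) >= 2


def alert_channels(profile):
    """Contacts that still reach the real customer if the mobile number is hijacked."""
    return [c for c in profile["contacts"] if c[0] not in {"sms", "mobile_voice"}]


if __name__ == "__main__":
    fired = ato_signals(PROFILE, EVENTS, ORDER)
    print(fired, needs_review(fired), alert_channels(PROFILE))
```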
As we can see, fraud techniques are always evolving. When your business keeps improving its fraud prevention techniques—replacing phone numbers with more secure authentication methods, monitoring your fraud data in each channel, and giving your analysts multiple ways to reach customers—your layers of security will grow stronger and more effective.