February 24, 2021
Identity theft, one of the most common contributors to fraud globally, has been on the rise since the start of the COVID-19 pandemic. According to a study by Javelin Strategy & Research, fraud losses due to identity takeover rose 15% in 2019 compared to the previous year. The study also notes that 40% of identity takeover-related fraudulent activities take place within a day of opening an online account.
In this article, we’ll explore how companies can protect themselves and their customers from rising identity fraud attacks using step-up authentication with Phone-Centric Identity.
IcedID Banking Trojan: This phishing attack started in March 2020. Users of several financial institutions and e-commerce companies have been victims of IcedID attacks. Fraudsters use steganography techniques, i.e., the practice of hiding malicious code in image files, to trick users into opening COVID-themed attachments. The malware collects users’ credentials and online financial data.
Vizom: Vizom uses remote overlay attacks and DLL hijacking by disguising itself as video conferencing software. Once downloaded, the malicious code detects online banking transactions. What follows is a series of fraudulent transactions from a victim’s bank account. This malware was first used for cyber fraud in Brazil but is reportedly spreading to other South American countries and Europe.
Mobile Emulator Farms: Fraudsters use malware to access mobile devices and mobile emulators and set up thousands of spoofed devices. This helps fraudsters steal a victim’s online credentials. As the entire device, including device characteristics, is emulated, fraudsters can easily circumvent standard security methods such as device binding. Fraudsters have reportedly used over 20 such emulators.
SIM Swapping: SIM swapping is one of the fastest-growing fraud vectors globally. Scammers trick victims into sharing their personal information and use it to fake identity documents to secure duplicate SIM cards or port a number to one of their existing SIM cards. They gain access to SMS-based one-time passcodes, which are later used to authenticate transactions.
The general pattern in most fraud-related cases can be broken down into two parts—stealing identity credentials by installing malware on devices and executing fraudulent transactions using the stolen credentials.
While educating consumers on best practices to avoid online fraud is a good initiative, it may not be enough. Companies need to safeguard their customers against fraudulent transactions by strengthening transaction-level security using robust authentication methods. Multi-factor authentication (MFA) techniques using SMS- and voice-based one-time passcodes (OTPs) have existed for a long time. However, fraud vectors such as those based on SIM swaps can still manage to circumvent them. A study of 385,000 transactions by Prove revealed that 5% of MFA-based mobile transactions still had low SIM tenure, indicating a high likelihood of SIM swap.
The solution to reinforcing step-up authentication lies in using Phone-Centric Identity. Phone-Centric Identity refers to a broad set of phone signals that can be combined with data and transactional attributes from other sources such as banks and credit bureaus to perform stronger authentication and identity verification. These signals include line tenure, line behavior such as calls, texts, ad-views, line event history, SIM swaps, and event velocity. Since mobile phones provide the most comprehensive digital footprint of a consumer, the volume and diversity of signals collected over a long time provide the highest correlation to consumers’ identities. Phone-Centric Identity can either completely replace traditional authentication methods, such as passwords and OTPs, or strengthen them. It can also eliminate the need to download soft tokens or use physical hardware for authentication, thereby improving customer experience.
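The following Python example, added here and not taken from the article or from Prove, shows how the line tenure, SIM tenure and event velocity signals described above could drive a step-up decision, including the case where a recent SIM change makes an SMS OTP the wrong factor to fall back on. The field names, thresholds and action labels are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# All thresholds are illustrative assumptions, not values from the article or any vendor.
MIN_SIM_TENURE_DAYS = 7     # a SIM newer than this is treated as a possible swap
MIN_LINE_TENURE_DAYS = 90   # newly opened lines carry little identity history
MAX_EVENTS_PER_30D = 2      # SIM, port or forwarding changes in 30 days (event velocity)
HIGH_VALUE_AMOUNT = 1000.00

@dataclass
class PhoneSignals:          # hypothetical record assembled from carrier-side data
    line_tenure_days: int    # how long the subscriber has held this number
    sim_tenure_days: int     # days since the current SIM was activated on the line
    line_events_30d: int     # count of line events in the last 30 days

@dataclass
class Decision:
    action: str              # "allow", "step_up" or "review"
    factor: Optional[str]    # factor to request when action is "step_up"
    reasons: List[str]

def decide(signals: PhoneSignals, amount: float) -> Decision:
    """Pick an authentication path for one transaction from phone signals."""
    reasons = []
    if signals.sim_tenure_days < MIN_SIM_TENURE_DAYS:
        reasons.append("low_sim_tenure")
    if signals.line_events_30d > MAX_EVENTS_PER_30D:
        reasons.append("high_event_velocity")
    if signals.line_tenure_days < MIN_LINE_TENURE_DAYS:
        reasons.append("low_line_tenure")

    sim_suspect = "low_sim_tenure" in reasons or "high_event_velocity" in reasons
    high_value = amount >= HIGH_VALUE_AMOUNT

    if sim_suspect and high_value:
        # Hold the transaction for manual review instead of trusting any phone factor.
        return Decision("review", None, reasons)
    if sim_suspect:
        # An SMS or voice OTP would reach whoever controls the new SIM,
        # so the step-up must use a factor not bound to the phone number.
        return Decision("step_up", "non_sms_factor", reasons)
    if high_value or reasons:
        return Decision("step_up", "sms_otp", reasons)
    return Decision("allow", None, reasons)
```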
Continuous innovations and improvements in security leveraging alternate data sources and signals are key to a steadfast response to emerging threats. Phone-Centric Identity, combined with emerging techniques such as passive biometric authentication and behavioral detection, is critical to mitigating these types of threats.