Out-of-Band Authentication: Evolving Fraud Requires Evolving Solutions

Like most industries, financial institutions (FIs) have gone digital. Consumers are increasingly taking advantage of banking from their mobile device or laptop for the convenience of making payments, applying for loans, sending money to friends and family, and more. Although this isn’t new, the pace at which consumers are adopting and using these channels is accelerating. In fact, a recent Aite Group study showed that one in five U.S. consumers use their mobile device exclusively to access the Internet. That means 20% of Americans don’t even use their laptops or computers for everyday web browsing.

As with all digital channels that provide consumers with greater convenience, there is always a chance bad actors will find new ways to conduct fraud, including phishing attacks, porting phone numbers and SIM swapping. So how can FIs make sure they are securing those channels every time a consumer uses them, or each time a consumer calls the contact center from their mobile device for help? Having a solid, layered authentication strategy is key to providing consumer convenience without adding unnecessary friction. This strategy provides passive, behind-the-scenes authentication when it is needed, along with the ability to step up authentication when red flags are present.

Many FIs already use Out-of-Band Authentication (OOBA) to authenticate their customers today. It can be delivered via text (SMS), phone and through the use of biometrics. SMS delivery typically carries a one-time passcode (OTP), but the passcode can also be delivered via app push, secure message, email or voice for stepped-up authentication. Despite these increased security measures, account takeover (ATO) attempts are still increasing, due to the uptick in data breaches. These data breaches have exposed not only the personally identifiable information used in traditional knowledge-based authentication, but also the customer credentials used in digital banking, making it a challenge to trust that a device is associated with the true customer.

I met up with Early Warning’s Authentication authority, Rich Rezek, to discuss why now is the time for FIs to reevaluate their one-time passcode strategies.

Ian: Rich, thanks for your time today. OOBA has been around for a long time and is key in stepped-up or active authentication strategies. What enhancements should companies look for when upgrading their OOBA solutions?

Rich: Thanks Ian. OOBA has been around for quite some time now. In fact, Early Warning has been a leader in authentication ever since our first OOBA patents were filed several decades ago. OOBA is still a relevant and important part of the multifactor authentication mix, and even more importantly, consumers are very familiar with the technology and adopt it easily. In terms of delivery, OOBA can be used on its own, or used to enhance existing solutions as part of a multi-factor authentication strategy for stepped-up authentication in high-risk transactions. By way of a few examples, OOBA supports use cases such as new account openings, password resets, and website and mobile app logins.

The point is to leverage two separate channels simultaneously to authenticate a user. However, fraudsters are getting savvier and they are, sadly, starting to use OTPs against companies with porting or SIM swapping schemes. Just because an SMS is sent to a phone and a response is given, that doesn’t mean the mobile device hasn’t been compromised. OOBA shouldn’t be regarded as just another commodity. FIs need a solution that can help secure the delivery of the OTP and have greater confidence it landed on the intended customer device, and not a fraudster’s.

Ian: We heard in the media recently that SIM swapping is on the rise and that fraudsters are intercepting mobile numbers. Is this something OOBA can help mitigate?

Rich: A strong multilayer authentication program will help to mitigate risk when this type of fraud occurs. OOBA can be one part of that solution in combination with additional data points. We engage in a consultative approach to understand our customers and their processes. We then make recommendations based on our industry experience and best practices we’re seeing in the market. This would include a combination of passive authenticators such as telco, mobile network operator (MNO) and device/browser intelligence to detect possible threats. These behind-the-scenes capabilities help determine whether the device has been previously recognized on the network, associate the customer and device directly with carriers and can scan the device for malware or other possible compromises, helping reduce friction in the process. These types of passive authenticators will allow the organization to perform risk decisioning methods to determine if stepped-up authentication, such as OOBA, should be used. However, it is important to note that even an OOBA solution can be compromised.

For example, SMS or voice OTP are methods consumers are familiar with, but it’s important to fortify delivery to ensure the authentication code lands on the intended device in the event of a SIM swap. Early Warning can help enhance OTP methods by leveraging telco data, for instance, that can help confirm the phone number the OTP is being sent to still belongs to the customer. Additionally, this helps a verifier to “know before they send” an SMS when authenticating a customer. This ensures that the FI is not attempting to send an SMS message to a landline or high-risk lines, such as VoIPs.

Ian: Are there ways to secure an SMS message before it is sent?

Rich: There are solutions available that use certain data to validate the phone prior to an SMS being sent. For example, FIs can have a customized OTP sent with a secure URL link to authenticate the recipient on his or her device. This provides a second factor token to authenticate the user and validates that the SMS has made it to the intended mobile number and device. FIs should also work to leverage telco data to determine if there were any changes made to the recipient’s mobile account, and ensure the phone number the SMS is being sent to is an eligible line, and not a VoIP line, which can be associated with higher fraud rates.

Ian: Why are email and Voice-over IP (VoIP) lines no longer viable delivery methods for two-factor authentication?

Rich: About two years ago, the National Institute of Standards and Technology (NIST) updated its Digital Identity Guidelines advising that email and VoIP are no longer viable methods for OTP delivery because they cannot prove possession of a specific device and can be easily compromised by fraudsters. This suggests the U.S. Government sees email and VoIP OTPs as risky. Surprisingly, many FIs are still using these two delivery methods as the second factor of authentication. As I mentioned before, these are not secure channels and FIs should move quickly to change them.

Ian: Ok, last question Rich. We keep hearing a lot about International Revenue Share Fraud (IRSF) impacting telephone OOBA. What is it, and what can organizations do to detect it?

Rich: IRSF is the most persistent type of fraud within the telecom industry. In 2017, there was over $6B in fraud losses associated with IRSF according to the CFCA Global Fraud Loss Survey. Fraudsters often utilize illegal resources to gain access to a telco operator’s network, utilize international premium rate phone number providers and place calls in rapid succession, racking up toll charges on behalf of a customer. We have heard of this being used with OTP Voice calls and even conference bridge calls. This is also known as toll fraud.

For Early Warning, we’ve added IRSF detection to our OOBA solutions to help mitigate risk of these types of losses and help organizations operate more efficiently. We monitor the velocity of calls to defend against these types of attacks, and provide peace of mind to our customers.

Ian: Thanks for all the great insights, Rich. I look forward to diving into some of these topics in greater detail in future conversations. To learn more about Early Warning’s OOBA solutions, visit our Out-of-band Authentication product page.
