{"url":"https://www.clear.sale/blog/old-phone-new-fraud-how-phone-numbers-can-raise-the-risk-of-account-takeover","title":"Old phone, new fraud: how phone numbers can raise the risk of account takeover","tldr":"Fraud is always evolving in the digital age, and the latest example is account takeover (ATO) fraud. ","markdown":"Fraud is always evolving in the digital age, and the latest example is account takeover (ATO) fraud. This type of fraud increased in 2018, especially ATO fraud involving mobile phone accounts and online shopping accounts.\n\nWhy has ATO become such a problem? In part, it’s because **fraudsters have learned how to exploit phone numbers to break into victims’ accounts**. And that leaves merchants and their customers vulnerable.\n\n## The rise of mobile phone account takeovers\n\n[Mobile phone account takeovers](https://www.javelinstrategy.com/coverage-area/2019-identity-fraud-report-fraudsters-seek-new-targets-and-victims-bear-brunt) rose from 380,000 in 2017 to 679,000 in 2018, per data from Javelin Strategy & Research. It makes sense because unlike login credentials, phone numbers are easy to find—we share them online and on business cards.\n\nThe problem is that many sites tie their password reset process to customers’ mobile numbers.\n\nOnce a fraudster hijacks a phone number, they can intercept SMS messages like [two-factor authentication](https://vpnpro.com/web/two-factor-authentication-2fa/) codes. With those codes, they can access the victim’s online accounts to reset passwords and change delivery addresses.\n\nUntil the victim or merchant realizes what’s going on, the fraudster can shop on the victim’s account.\n\nThe percentage of [ATO fraud targeting online shopping accounts](https://www.digitalcommerce360.com/2019/04/09/card-not-present-fraud-decreases-but-online-account-take-over-fraud-increases-in-2018/) rose from 20% in 2017 to 22% in 2018.\n\n## SIM swaps and port-out scams\n\nHow, exactly, do fraudsters take control of someone else’s phone? Physical theft happens, but most of the time, **the scammers are hijacking the victim’s phone numbers, not the phones themselves**.\n\n- SIM swap fraud\n\nIt’s a growing problem around the world. Fraudsters who know the victim’s phone number and carrier can dupe customer service reps into linking the number to a new SIM card. In some cases, thieves bribe mobile provider employees to make the swap.\n\n- Port-out scams\n\nPort-out scams use number and carrier information, plus as much personal data as the thief. Then they call the carrier and request that the phone number is moved to a different carrier. The personal data they’ve gathered can help convince the rep that they’re the customer. In both SIM swap and port-out scams, the fraudster then sees the SMS messages sent to the number.\n\n## Keeping fraudsters out of customer accounts\n\nAsking customers to use mobile phone numbers for account authentication and password recovery is not ideal. What are the alternatives? There’s no single option that’s completely secure, but there are some new approaches that may be safer:\n\n- Moving from SMS to push notifications or out-of-band biometrics to authenticate your customers\n\nThese methods are convenient for customers but significantly more difficult for fraudsters to overcome.\n\n- The new 3D Secure 2.0 authentication protocol\n\nIt supports m-commerce and in-app transactions, reduces friction—which was a major problem for 3DS—and uses machine learning and a broader data set for better real-time authentication than 3DS. They also recommend having ways besides SMS and voice to alert customers to suspicious account activity.\n\n- Checking the customer’s behavioral biometrics and other mobile attributes during each transaction\n\nBy comparing this to a database of historical data for the customer—like time spent on each page, use of autocomplete, the total number of apps installed on the phone, and more–the scan can flag orders when the current user’s behavior doesn’t match the customer’s past behavior.\n\nAs with Card Not Present fraud, layered security is the best way to spot ATO fraud attempts. A robust **anti-fraud program should verify customer identity, device, and geolocation and [IP address](https://vpnpro.com/vpn-basics/what-is-an-ip-address/)**. It should also analyze returning customers’ orders in the context of past purchases. These parameters should be adapted to the risks in each channel.\n\nFor example, as mobile account takeover rates rise, it’s wise to closely monitor your m-commerce channel’s rates of attempted fraud, completed fraud, and false positives. That data can help you improve your fraud screening process in that channel.\n\n### Flagged transaction: alerting customers\n\nOne technique that reduces false declines can also help identify ATO attacks. When an experienced fraud analyst manually reviews a flagged transaction, they may contact the customer directly. That call is a chance to see if the account holder is the person placing the order. If the analyst has a way to communicate with the account holder besides SMS and mobile voice (such as a work phone number or an email address), they **can alert the real customer when there’s a problem–even if that customer’s phone number has been hijacked.**\n\nAs we can see, fraud techniques are always evolving. When your business keeps improving its fraud prevention techniques—replacing phone numbers with more secure authentication methods, monitoring your fraud data in each channel, and giving your analysts multiple ways to reach customers—your layers of security will grow stronger and more effective.\n\nOriginal article at: [https://vpnpro.com/blog/how-phone-numbers-raise-the-risk-of-account-takeover/](https://vpnpro.com/blog/how-phone-numbers-raise-the-risk-of-account-takeover/)"}