Almost everyone today owns a mobile phone – to be exact, 5 billion people around the globe (two-thirds of the world’s population) have a mobile phone connection. And now more than ever, consumers are using those mobile phones to shop, check bank balances and open new accounts. Sixty-two percent of smartphone users have made a purchase online using their mobile device in the last 6 months, a number that is poised to grow.
With mobile come great opportunities both for consumers and businesses, but also for criminals. Over half of the businesses surveyed in the Sixth Annual Fraud Report from IDology experienced an increase in mobile fraud. In fact, they reported that the prevalence of mobile device attacks increased 117% in the last 12 months alone. But why?
The ways that fraudsters exploit mobile devices have also grown in number, but among the most popular are:
Caller ID spoofing: the practice of manipulating the telephone network to indicate that the person is calling from somewhere else other than their true location, increased 76 percent.
Intercepting SMS: intercepting inbound SMS communication, such as two-factor authentication messages relaying one-time passcodes (OTP), increased 50 percent.
SIM cloning: copying SIM values from a victim so fraudsters can impersonate a subscriber on the network and obtain all incoming communication, increased 30 percent.
SIM swapping: social engineering the mobile network operator call center with stolen personally identifiable information (PII) in order to deactivate an existing user’s SIM and activate a device in the fraudster’s possession to hijack mobile communication, increased 77 percent.
Change is the only constant
You’ve probably heard, “change is the only constant.” It’s a saying that comes to mind when evaluating the state of mobile fraud today because change is one of the main forces behind the increase in mobile fraud, year after year.
The mobile market is enormous and highly fluid. Last year in the U.S., 80 million mobile users switched providers, 90.3 million purchased or upgraded their mobile phones, 25.8 million changed their mobile phone number and 12.9 million mobile phones were lost or stolen. According to IDology’s Consumer Digital Identity Study, within the last 12 months, 47% of consumers (an estimated 100.6 million mobile phone owners) experienced at least one mobile change event. These frequent change events make establishing and maintaining a digital device identity difficult and complex.
As a result, many mobile identity methods are ineffective without re-verifying the consumer’s identity throughout the customer lifecycle, from onboarding to authentication, which can create friction for the customer and potential false positives when assessing fraud risk. With mobile convenience becoming a competitive differentiator, many businesses are rethinking mobile identity verification.
There is no silver bullet
There are numerous ways to authenticate a customer’s mobile device, such as sending a one-time passcode (OTP) via SMS to their device and requiring the customer to input the key in order to access their account. While this type of authentication has become the standard method of protection in recent years, it requires a user to conduct the same tedious process time and again. In addition, there are concerns about security due to its potential for spoofing and SMS interception.
Other, more recent methods that incorporate biometrics seem like science fiction, such as eye vein biometrics, while others, such as fingerprint biometrics, have made their way to the mainstream. However, biometrics require an established relationship with the customer, making them ineffective for onboarding and account origination. Each of these has pros and cons, but there is no silver bullet. It takes a combination of methods to ensure multiple layers of user attributes are in place.
Leveraging mobile network data
One thing is certain: tracking device attributes and change events is a critical part of preventing mobile fraud. To truly fight mobile fraud, you need to know whether the device is a pre-paid phone, if there has been a SIM swap, if the device is currently reported lost or stolen, and the tenure of the account.
Each day, billions of phones are securely authenticated and billions of dollars in calls, texts and web sessions are silently authenticated using SIM cards through carrier networks. The same technology can verify devices and service records in real-time at an account level, across mobile network operators.
Forward-thinking businesses are actively investing in ways to utilize mobile network operator (MNO) data for identity verification and fraud prevention. By tapping into this data, attributes such as the tenure of the account, the type of account (prepaid or postpaid) and change events (such as SIM swaps) can all be used to assess customer risk, deter fraud and improve the customer experience. Also, mobile network operator data can be used to match the name given in the process confirming with the name on the mobile carrier account, verifying the identity. Real-time visibility into these attributes at an account level can only come directly from the mobile carrier but with it, you’ll gain a significant leg up in detecting and deterring fraud, and winning the user experience battle.
In the past, businesses were forced to choose between additional, enhanced security at the cost of cumbersome layers of customer interaction and effort. Today, new multi-layered methods provide improved, practically invisible, digital identity verification and effective identity layers and risk attributes for greater intelligence and better fraud detection. Further, by joining a consortium network you can gain additional protection through insights into the fraud that other organizations are experiencing across industries—making trends easier to spot and deter.