Porting used to exploit weak authentication protocols

Posted on: May 14th, 2015 by Art Barger

Porting is when someone keeps the same telephone number when switching telephone providers. This can be done relatively easily, and apparently without much questioning by telephone companies or mobile carriers.

Criminals know this and are now exploiting out-of-band authentication by porting the landline numbers of unsuspecting owners to mobile phones they control. Then, they open Apple Pay accounts under these numbers to commit various types of fraud.

The recent article, “How Apple Pay Is Exploited for Fraud,” reports that telephone porting is the latest tactic crooks are using to take advantage of loopholes within the Apple Pay authentication process. I recently discussed how criminals were focusing on provisioning channels to exploit these vulnerabilities. With banks doing whatever they can to close these gaps and meet new authentication requirements, thieves are once again on the move, looking for new ways to defeat the system.

Gartner’s Avivah Litan said that to verify mobile payments and transactions, financial institutions typically send text messages or place outbound phone calls to users. This process includes sending a one-time password to customers, who have to send it back for verification. But with criminals on the receiving end of the ported numbers, they simply confirm a transaction or payment and continue to perpetrate criminal activities without banks even knowing it.
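The failure described above is that the bank trusts whoever answers the phone number on file. One defender-side mitigation, shown here as an added example that is not code from this article or from TRUSTID, is to consult the number's porting history before using SMS or voice OTP as the sole factor: a number ported within the last few weeks is exactly the kind a fraudster has just taken over, so the flow steps up to another channel instead. The porting records, the 30-day window and the phone numbers are constructed for the example; a real deployment would query a carrier or number-portability lookup service.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample porting history (hypothetical numbers). In production this
# would come from a carrier / number-portability lookup, not a local dict.
PORT_HISTORY = {
    "+15555550100": date(2015, 5, 10),   # ported four days before TODAY
    "+15555550101": date(2013, 1, 15),   # long-stable number
}
TODAY = date(2015, 5, 14)                 # fixed "now" so the example is deterministic
RECENT_PORT_WINDOW = timedelta(days=30)   # assumed policy window


@dataclass
class OtpDecision:
    deliver: bool   # may an SMS/voice OTP be relied on for this number?
    reason: str


def otp_channel_decision(number: str, today: date = TODAY) -> OtpDecision:
    """Refuse SMS/voice OTP as the sole factor for a recently ported number
    (or one with no history at all) and require a step-up instead."""
    ported_on = PORT_HISTORY.get(number)
    if ported_on is None:
        return OtpDecision(False, "no porting history available: step up")
    age = today - ported_on
    if age <= RECENT_PORT_WINDOW:
        return OtpDecision(False, f"number ported {age.days} days ago: step up")
    return OtpDecision(True, "number stable: OTP over phone allowed")


def issue_otp() -> str:
    """Six-digit OTP from a CSPRNG; only called after a positive decision."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_otp(expected: str, submitted: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    for n in ("+15555550100", "+15555550101", "+15555550199"):
        print(n, otp_channel_decision(n))
```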

As banks deploy more reliable and effective authentication methods, the fact that criminals are gravitating to phone accounts doesn’t surprise Al Pascual, a fraud expert with Javelin Strategy & Research.

“After credit card accounts and DDAs [demand deposit accounts], phone accounts are the most likely to be affected by account takeovers, because of their role in out-of-band authentication for financial accounts, which has made them valuable targets for fraudsters. It is certainly another example of how vulnerable the solution is to fraud, as a result of poorly conceived account holder verification protocols.”

Rather than relying on weak verification protocols that still depend on knowledge-based authentication (KBA), banks need to find ways to verify users and their devices without relying on caller input or sensitive customer data. Automated authentication does this by proactively validating callers without requiring anything from them.

Either way you look at it, automating your telephone authentication process is good for your business, whether you’re validating good or bad callers. Authenticating good callers faster allows for a more seamless banking experience and reduces call times, since customers no longer have to be interrogated with a bunch of security questions. On the flip side, when banks remove spoofed calls from the system, it reduces fraud rates and labor costs, as call center agents no longer waste valuable time on the phone with known violators.

Using real-time telephone network forensics, the TRUSTID® Physical Caller Authentication solution validates the exact location of the calling device to determine if the call is legitimate, or poses a risk to a bank. By automating the authentication process, your contact center operations can instantly block any suspicious calls from entering your phone system.

For customers who have been validated pre-call, your call center representatives don’t have to grill your good customers with a bunch of challenge questions. Instead, they only answer calls that have been verified as trustworthy, and customers are immediately greeted by agents who are ready to resolve whatever issues they may have.