The evolution of authentication: Out-of-Band authentication and one-time passcodes
The gold standard for stepped-up authentication just got better.
Out-of-band authentication (OOBA), a form of multifactor authentication that sends a challenge over a second channel separate from the one the customer is using to log in, has been used by financial institutions for decades. Before it was common, institutions relied on knowledge-based authentication (KBA), asking customers for a mother's maiden name, favorite music, or the make of a first car to validate that they are who they say they are. Those are something-you-know checks answered on the same channel as the login, not a second channel. Today, OOBA has evolved to include one-time passcodes (OTPs) sent via text message (SMS), biometrics such as facial and voice recognition, and QR code scanning, to name a few.
But fraudsters continue to evolve and have gotten better at intercepting OTPs to commit account takeover (ATO) fraud. OOBA will likely always play an important role in a financial institution's fraud arsenal, but it has to keep pace with these newer threats.
What’s New in Multifactor Authentication and OTPs?
The National Institute of Standards and Technology (NIST), the government agency whose Digital Identity Guidelines (SP 800-63B) define authentication best practice, has long supported multifactor authentication. Those guidelines do not accept email as an out-of-band channel, because delivery to an inbox does not prove possession of a specific device, and they classify OTPs delivered over the public telephone network (SMS or voice) as a restricted authenticator: permitted, but only after the institution has assessed the risks of that channel. Note that SMS itself is not encrypted on its way to the handset; the guidance is to deliver the OTP to a registered mobile device rather than to an inbox, and to check the number before relying on it.
Mobile devices are a better channel than email, but they are not foolproof. A fraudster can port the customer's number to a carrier they control, or carry out a SIM swap by persuading the carrier to activate a new SIM for the number; either way, the institution then sends the OTP directly to the fraudster. Caller-ID spoofing, by contrast, helps a fraudster impersonate the customer on an outbound call but does not let them receive the customer's SMS.
By gathering device and carrier data from multiple sources, you can estimate whether the number is still in the customer's hands before you send. For example, if the phone number was ported in the last few days, the probability that a fraudster rather than the customer now controls it is much higher.
Here are a few high-impact methods that you can use to up your institution’s OOBA game:
- Use data from trusted third parties including mobile network operators (MNOs) and telecommunications providers to associate a phone number or device with the recipient to “know before you send” and have greater assurance the OTP is delivered to the intended customer/device and not a fraudster.
- Use a layered approach to authentication. This includes frictionless authentication such as device identification that takes place in the background to recognize your good customers and only step up to active authentication like an OTP for customers you identify as high-risk.
- Consider delivering multifactor authentication via a hosted services platform so your technology partner is responsible for system updates as new fraud types evolve.
- Use voice recognition or fingerprint recognition to improve confidence that the mobile device receiving the OTP is indeed in the hands of the legitimate customer.
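The layered decision described in the list above (recognize the device passively first, then "know before you send" using carrier data, and only then step up to an SMS OTP) can be expressed as a single policy function. The block below is an added example and is not Early Warning's code; the signal fields, the thresholds (7-day port window, 3-day SIM-change window, 30-day trusted-device age) and the lookup results are assumptions standing in for whatever a real MNO or device-identification provider returns.

```python
"""Added example, not Early Warning's code: choose the authentication layer for
one login attempt. Passive device recognition runs first; carrier (MNO) data is
checked before any SMS OTP goes out. Field names, thresholds and the lookup
results are assumptions, not any vendor's API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"                  # passive layer recognizes the device; no OTP
    SEND_OTP = "send_otp"            # unrecognized device, number looks stable
    ALTERNATE_CHANNEL = "alternate"  # number is risky; do not rely on SMS for this login
    BLOCK = "block"                  # line unusable; route to manual review


@dataclass
class DeviceSignals:
    """Result of the frictionless, in-the-background device identification layer."""
    device_id: str
    seen_on_account: bool        # this fingerprint has authenticated this account before
    days_since_first_seen: int


@dataclass
class PhoneSignals:
    """Attributes of the number on file, as a hypothetical MNO lookup would return them."""
    number_type: str                     # "mobile", "landline" or "voip"
    line_active: bool                    # carrier reports the line in service
    last_ported: Optional[datetime]      # last move between carriers, if any
    last_sim_change: Optional[datetime]  # last SIM/IMSI change behind the number, if any


# Assumed policy: a port or SIM change this recent means we no longer know who holds the handset.
PORT_WINDOW = timedelta(days=7)
SIM_CHANGE_WINDOW = timedelta(days=3)
TRUSTED_DEVICE_AGE_DAYS = 30


def assess_step_up(device: DeviceSignals, phone: PhoneSignals,
                   now: datetime) -> Tuple[Decision, List[str]]:
    """Return the layer to apply for this login and the reasons behind it."""
    # Layer 1, passive: a device that has used this account for a month or more
    # is recognized without friction.
    if device.seen_on_account and device.days_since_first_seen >= TRUSTED_DEVICE_AGE_DAYS:
        return Decision.ALLOW, ["recognized device"]

    # Layer 2, active: "know before you send". Confirm the number on file is still
    # in the customer's hands before an OTP is sent to it.
    if not phone.line_active:
        return Decision.BLOCK, ["line not in service"]

    reasons: List[str] = []
    if phone.last_ported is not None and now - phone.last_ported <= PORT_WINDOW:
        reasons.append(f"number ported within {PORT_WINDOW.days} days")
    if phone.last_sim_change is not None and now - phone.last_sim_change <= SIM_CHANGE_WINDOW:
        reasons.append(f"SIM changed within {SIM_CHANGE_WINDOW.days} days")
    if phone.number_type != "mobile":
        # A landline or VoIP number does not prove possession of a handset (the same
        # reason NIST does not accept VoIP or email as an out-of-band channel).
        reasons.append(f"{phone.number_type} number does not prove device possession")

    if reasons:
        return Decision.ALTERNATE_CHANNEL, reasons
    return Decision.SEND_OTP, ["unrecognized device, number stable"]


def run_samples() -> Dict[str, Tuple[Decision, List[str]]]:
    """Constructed scenarios exercising each decision path."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    old_device = DeviceSignals("dev-1a2b", seen_on_account=True, days_since_first_seen=400)
    new_device = DeviceSignals("dev-7f3a", seen_on_account=False, days_since_first_seen=0)
    stable = PhoneSignals("mobile", True, last_ported=None, last_sim_change=None)
    ported = PhoneSignals("mobile", True, last_ported=now - timedelta(days=2), last_sim_change=None)
    swapped = PhoneSignals("mobile", True, last_ported=None, last_sim_change=now - timedelta(hours=6))
    voip = PhoneSignals("voip", True, last_ported=None, last_sim_change=None)
    dead = PhoneSignals("mobile", False, last_ported=None, last_sim_change=None)
    return {
        "trusted_device": assess_step_up(old_device, stable, now),
        "new_device_stable_number": assess_step_up(new_device, stable, now),
        "new_device_recent_port": assess_step_up(new_device, ported, now),
        "new_device_sim_swap": assess_step_up(new_device, swapped, now),
        "new_device_voip": assess_step_up(new_device, voip, now),
        "dead_line": assess_step_up(new_device, dead, now),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:28s} {decision.value:10s} {'; '.join(reasons)}")
```

The ordering matters: the passive check runs before any carrier lookup, so a recognized customer never sees an OTP, and a recent port or SIM swap downgrades SMS for that login rather than silently sending the code to whoever now holds the number. In a real deployment the windows would be tuned against the institution's own port and SIM-change base rates, and ALTERNATE_CHANNEL would route to something like a call-back on a previously verified line or an in-person check.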
Known Fraud Vectors in MFA
Fraudsters are becoming increasingly sophisticated, which makes it harder for defenders to keep up. Take International Revenue Share Fraud (IRSF), a long-standing form of telecom toll fraud that now targets voice- and SMS-based multifactor authentication. In the past decade, losses from IRSF have topped $38 billion, according to the Communications Fraud Control Association.[1]
In IRSF, the fraudster controls, or shares revenue with the owner of, premium-rate international number ranges and then forces traffic to them, either by hijacking telephony routes or by abusing an institution's own OTP delivery: a script requests OTPs in rapid succession for thousands of different numbers in the premium range, and the institution's voice or SMS platform pays a termination charge on every call or message. Because each request looks like a single legitimate customer action and the destination numbers change constantly, the source is hard to pin down; at thousands of calls per minute the charges reach millions of dollars before anyone notices.
It is a serious problem, and fraud detection firms and telcos are working to keep up, applying machine learning to traffic patterns to recognize these bursts and shut down the calls before the losses mount.
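The pattern that makes IRSF against an OTP endpoint detectable is the burst itself: many sends in a short window to one foreign prefix, often to consecutive numbers, from few client addresses. The block below is an added example, not Early Warning's code, showing that detection run over a constructed OTP delivery log; the log format, IP addresses, destination numbers, prefix length and thresholds are all assumptions made for illustration.

```python
"""Added example, not Early Warning's code: spot an IRSF / OTP-pumping burst in
an OTP delivery log. The log format, IP addresses and destination numbers are
constructed for illustration; the prefix length and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed log format: one line per OTP send, oldest first.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dest=(?P<dest>\+\d+) result=(?P<result>\w+)$")

# Constructed sample: two ordinary sends, then a scripted burst to consecutive
# numbers in one foreign prefix, the signature of IRSF against an OTP endpoint.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=198.51.100.4 dest=+15550100001 result=sent
2024-05-01T10:03:15Z src=198.51.100.9 dest=+15550100277 result=sent
2024-05-01T10:04:00Z src=203.0.113.7 dest=+22990000101 result=sent
2024-05-01T10:04:02Z src=203.0.113.7 dest=+22990000102 result=sent
2024-05-01T10:04:04Z src=203.0.113.7 dest=+22990000103 result=sent
2024-05-01T10:04:06Z src=203.0.113.7 dest=+22990000104 result=sent
2024-05-01T10:04:08Z src=203.0.113.7 dest=+22990000105 result=sent
2024-05-01T10:04:10Z src=203.0.113.7 dest=+22990000106 result=sent
""".splitlines()

PREFIX_DIGITS = 7  # '+', the country code and the first few digits of the range


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dest": m["dest"], "result": m["result"]}


def detect_bursts(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                  threshold: int = 5) -> List[dict]:
    """Raise one alert per destination prefix that receives `threshold` or more OTP
    sends inside any `window`. The alert notes whether the numbers are consecutive
    and how many client addresses were involved, both typical of a scripted burst."""
    recent: Dict[str, Deque[Tuple[datetime, str, str]]] = defaultdict(deque)
    alerts: List[dict] = []
    alerted = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["result"] != "sent":
            continue
        prefix = ev["dest"][:PREFIX_DIGITS]
        q = recent[prefix]
        q.append((ev["ts"], ev["dest"], ev["src"]))
        while q and ev["ts"] - q[0][0] > window:   # drop sends that fell out of the window
            q.popleft()
        if len(q) >= threshold and prefix not in alerted:
            alerted.add(prefix)
            nums = sorted(int(d) for _, d, _ in q)  # int() accepts the leading '+'
            alerts.append({
                "prefix": prefix,
                "count": len(q),
                "consecutive": all(b - a <= 2 for a, b in zip(nums, nums[1:])),
                "sources": sorted({s for _, _, s in q}),
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


def blocked_prefixes(alerts: List[dict]) -> set:
    """Prefixes the OTP sender should refuse until a person clears them."""
    return {a["prefix"] for a in alerts}


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Running this over the sample flags the +229900 prefix on its fifth send with a single source address and consecutive numbers, while the two ordinary sends to the +155501 prefix stay under the threshold. The useful part is wiring the result back into the send path: refuse further OTPs to a flagged prefix, send OTPs only to numbers already on file for the account, and deny destination countries where the institution has no customers, so the platform stops paying for the fraudster's traffic rather than merely reporting it.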
To deal with fraud schemes such as IRSF and other emerging threats, you need to continually enhance your institution’s fraud detection. OOBA and OTPs have formed a foundation that financial institutions can continue to use to protect against new fraud threats. But financial institutions will need to use these fraud detection stalwarts in new and innovative ways to fight against fraud.
Futureproofing for the Next Fraud Scheme
OOBA and OTP tools are tried-and-true methods of authentication. And as fraudsters perpetrate new fraud schemes such as IRSF, financial institutions need to be ready to deploy new authentication technology.
To do that, partner with an authentication solution provider that offers a layered approach to fraud detection and is committed to performing continued updates to address changing fraud threats. Look for a platform that can update all customer-facing applications at once without having to painstakingly address each application separately.
Additionally, it is essential to use a wide variety of tools and data sources to fight fraud. The best approach is to begin with passive authentication and move to more active forms of authentication such as an OTP when you can’t be confident that the customer is who they say they are.
How you deliver the OTP matters. Sending OTPs via SMS is more secure than using email, though SMS remains a restricted channel and still needs the number checks described above. To improve the customer's experience, you can replace the passcode with a link that the customer taps to confirm receipt of the SMS, which also shows that the message landed on the intended device. Treat that link as a credential: bind it to the pending login attempt, expire it within minutes, accept it only once, and show the customer what they are confirming, because a link that can be forwarded to a fraudster can also be phished.
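Issuing and redeeming such a link is a small piece of server-side state. The block below is an added example and is not Early Warning's code; the in-memory store, the URL shape, the five-minute TTL and the injectable clock are assumptions chosen so the expiry and replay cases can be shown running.

```python
"""Added example, not Early Warning's code: issue and redeem an SMS confirmation
link as a single-use, short-lived credential bound to one pending login attempt.
The in-memory store, URL shape and TTL are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 300  # assumed: a link older than five minutes is refused


@dataclass
class PendingLink:
    attempt_id: str      # the login attempt this link may confirm, and no other
    expires_at: float
    used: bool = False


class ConfirmationLinks:
    """Server-side state for SMS confirmation links."""

    def __init__(self, base_url: str, now: Callable[[], float] = time.time) -> None:
        self.base_url = base_url
        self.now = now                       # injectable clock, so expiry can be tested
        self._pending: Dict[str, PendingLink] = {}
        self._confirmed: set = set()

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash of the token: a leaked store then yields nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, attempt_id: str) -> str:
        """Create the link for one pending login and return the URL to text."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable
        self._pending[self._key(token)] = PendingLink(attempt_id, self.now() + LINK_TTL_SECONDS)
        return f"{self.base_url}/confirm?t={token}"

    def redeem(self, token: str) -> Tuple[bool, str]:
        """Called when the customer taps the link on the handset."""
        rec = self._pending.get(self._key(token))
        if rec is None:
            return False, "unknown token"
        if rec.used:
            return False, "already used"      # a replayed or forwarded link
        if self.now() > rec.expires_at:
            del self._pending[self._key(token)]
            return False, "expired"
        rec.used = True
        self._confirmed.add(rec.attempt_id)
        return True, "confirmed"

    def is_confirmed(self, attempt_id: str) -> bool:
        """Polled by the web session that started the login."""
        return attempt_id in self._confirmed


def extract_token(url: str) -> str:
    """Pull the token out of a confirmation URL (what the /confirm handler would do)."""
    return parse_qs(urlparse(url).query)["t"][0]


if __name__ == "__main__":
    links = ConfirmationLinks("https://bank.example")
    url = links.issue("attempt-1")
    print(links.redeem(extract_token(url)))   # (True, 'confirmed')
    print(links.redeem(extract_token(url)))   # (False, 'already used')
```

Two design points carry the weight here. The token is random rather than derived from anything the customer knows, and only its hash is stored, so neither a guessed value nor a copied database yields a usable link. And the link confirms one named attempt once, within its TTL, so a link replayed later or forwarded to a second session does nothing. The landing page for /confirm should also show the customer what they are approving (the time, the channel and the action behind the login) before the redeem call runs. What the link cannot do is tell you who holds the handset: that is the job of the carrier checks earlier in the flow.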
Shore up your current OTP delivery so you can be confident that the OTP is received by your customer and not a fraudster. You can do so by using MNO and other non-carrier data to authenticate the device with the true customer and better detect ATO threats.
Fraud evolves, and although OOBA and OTPs have been a time-tested authentication solution, they too have their vulnerabilities. Getting too comfortable with today’s digital security strategy will render you vulnerable to fraudsters tomorrow.
About Early Warning
Early Warning Services, LLC, is a fintech company owned by seven of the country's largest banks. For almost three decades, our identity, authentication and payment solutions have been empowering financial institutions to make confident decisions, enable payments and mitigate fraud. Today, Early Warning is best known as the owner and operator of the Zelle Network®, a financial services network focused on transforming payment experiences. The combination of Early Warning's risk and payment solutions enables the financial services industry to move money quickly, safely and easily, so people can live their best financial lives.
To learn more about Early Warning, visit www.earlywarning.com.