December 5, 2018
November 29, 2018
Posted July 17, 2018
As the retail, payments and financial services industries continue to harden their cyber-defences, criminals are increasingly targeting the telecommunications industry — and finding fast money in account takeovers and subscription fraud.
Call it dialing for dollars, texting for treasure, or even just surfing for smartphones. The fact is, from cable TV and landline telephony, to broadband Internet and, most especially, mobile phones and services, this rapidly-evolving industry is creating rich opportunities for fraudsters looking to turn a quick buck. And the losses are adding up fast.
We’ll be delving into the threat around account takeover for telcos in a future article, but for now let’s look at subscription fraud and why it is becoming increasingly front-of-mind in this industry.
By some industry estimates, the annual cost of telco subscription fraud could top $12 billion this year. By others, it could consume between 3% to 10% of operators’ bottom lines—putting potential losses closer to $20 billion.
Among the key drivers: the accelerating move into digital channels to meet the want-it-now demands of today’s telecom consumer, along with booming mobile adoption around the world. In fact, the same technologies that are fueling telecom’s growth in recent years are also making it easier than ever for thieves to rip off operators and their customers alike.
Subscription fraud involves the use of stolen identity credentials to open up new accounts, or take over existing ones, in order to acquire premium hardware like pricey smartphones to sell online, and post-paid service contracts they’ll use or resell while defaulting on the bill.
Thanks to the 9 billion identity credentials lost through data breaches since 2014, getting the information to do all this is easier than you may think. Names, addresses, credit card info, social security numbers, usernames and passwords—all of this and more is available for sale on the dark web.
In other instances, even that kind of footwork is unnecessary. In early July, reports surfaced that some Android smartphones sold in developing markets contain pre-installed malware that collects that personal information, depletes the victims’ data allowance and triggers fraudulent subscription charges on pre-paid credit.
While this is territory financial services and others have long had to navigate, it’s still relatively new to operators. On the one hand, they have to find a way to verify the true identity of customers and block fraudsters. On the other, they’d better do it without creating even 10-seconds of added friction, or risk losing prospects and customers in a hyper-competitive market.
If ThreatMetrix data is any indication, they might want to step on it.
Telcos are gaining the attention of fraudsters at exactly the wrong moment.
Across all industries, there has been an 800% increase in cyberattacks since 2015, according to the latest Cybercrime Report from ThreatMetrix. As you can imagine, this has important implications for an industry that’s prioritising automation, digitisation and a streamlined customer experience through mobile and online channels.
Those online transactions for new services or equipment? The rate of growth in attempted fraud is outpacing legitimate transactions by 83% compared to Q1, 2016.
In fact, even accounting for established online retailers with hardened defences, ecommerce transactions are now 10X riskier than those in financial services—which doesn’t bode well for telcos.
Meanwhile, all that growth in mobile adoption is creating fertile ground for fraud attacks from around the world. In just the first three months of the year, cyberthieves launched 1 billion bots designed to test login credentials—with a growing number targeting telcos.
For the fraudulent new account creations that lead to subscription fraud it’s those high-value handsets and post-paid services that are so attractive to scammers, who use device, identity and location spoofing to mask their true identities.
A number of telcos looking to repel these and other attacks are adopting approaches that verify users based on their digital identity. But even then, they face some serious challenges.
Digital identity-based identity verification is designed to help telcos detect and block fraudsters signing up for new accounts using stolen identities, without creating friction.
Operators deploying such solutions leverage global device intelligence and behavioral analytics in order to perform a real-time assessment of every customer at the point of each transaction and account creation.
But most important of all? Global, crowdsourced identity intelligence that draws from thousands of companies in numerous industries worldwide and is able to detect fraudsters wielding stolen identity information as quickly as the first time they ever attempt to login or set up an account.
These organisations may be onto something—or at least they’d better be.
While subscription fraud now accounts for up to 35-40% of all fraud in this industry, mobile services in particular holds yet another appeal—as a gateway that lowers defences against other attacks, such as mobile banking (the topic of an upcoming post).
Either way, this is a battle in which nobody wants to be an easy target.
Join our webinar where we will present the latest fraud patterns and trends for the telecommunications industry from our Global Digital Identity Network of over 6,000 customers and 40 billion transactions per year.