Tough Call: The Rapidly Escalating Threat of Account Takeover Attacks
Posted August 30, 2018
Account takeover (ATO) attacks against mobile telcos are rising sharply as cyberthieves leverage more than 2.5 billion identity credentials compromised by data breaches last year to commandeer mobile service accounts.
The repercussions for both victims and operators can be devastating.
In part one of this series, we discussed how the telco industry’s accelerating move into digital channels has been accompanied by a dramatic rise in subscription fraud as thieves exploit stolen identity credentials to open fraudulent new accounts and get their hands on premium hardware like pricey smartphones they can then use or resell online.
But the ramifications from account takeover of existing, legitimate customer accounts can be far worse. For victims, it can spell financial ruin. For an operator, it can mean serious reputational damage that can destroy its competitive standing in the marketplace.
Keys to the Kingdom
A steady stream of data breaches and phishing schemes have provided cyberthieves with all the personal information they need to impersonate legitimate customers and take control of their accounts.
According to industry estimates, the identity fraud rate in the mobile telecoms space rose 60% last year. Sometimes, especially in Europe, the goal is ordering expensive handsets, making calls, and using or reselling services. Other times, hijacking a mobile account is just part of something far more dangerous.
In a so-called SIM swapping or SIM hijacking attack, fraudsters use stolen identity information to trick an unsuspecting (or sometimes, complicit) telco call-center employee into moving the victim’s mobile phone number to a different SIM card.
According to press reports, once that switch happens, thieves can reset passwords on the victim’s online accounts—Instagram, Amazon, credit card and bank accounts, you name it—by using the victim’s mobile phone number as a recovery method.
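The chain described above (SIM swap, then SMS-based password recovery on the same number) is something an operator or a relying service can watch for directly. The following is an added example, not code from the original post or from any vendor: it correlates SIM-change events with later SMS-recovery attempts on the same number and flags those that fall inside a recent-swap window. The event format, the field names and the 72-hour window are assumptions chosen for the illustration; the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events (not real data). Each record is either a SIM change
# handled by the operator or an SMS-based account-recovery attempt that a
# relying service reported for the same phone number (MSISDN).
SAMPLE_EVENTS = [
    {"ts": "2018-08-01T09:00:00", "msisdn": "+15550000001", "type": "sim_swap", "channel": "call_center"},
    {"ts": "2018-08-01T09:40:00", "msisdn": "+15550000001", "type": "sms_recovery", "service": "bank"},
    {"ts": "2018-08-01T10:05:00", "msisdn": "+15550000001", "type": "sms_recovery", "service": "email"},
    # Recovery that happened BEFORE the swap: legitimate, must not be flagged.
    {"ts": "2018-07-20T12:00:00", "msisdn": "+15550000002", "type": "sms_recovery", "service": "shop"},
    {"ts": "2018-08-10T08:00:00", "msisdn": "+15550000002", "type": "sim_swap", "channel": "retail"},
    # Recovery five days after the swap: outside the assumed 72-hour window.
    {"ts": "2018-08-15T08:00:00", "msisdn": "+15550000003", "type": "sim_swap", "channel": "call_center"},
    {"ts": "2018-08-20T08:00:00", "msisdn": "+15550000003", "type": "sms_recovery", "service": "bank"},
]


def flag_post_swap_recoveries(events, window_hours=72):
    """Return one alert per SMS-recovery attempt that follows a SIM swap on the
    same number within `window_hours`. Events are processed in time order so a
    recovery that precedes the swap is never attributed to it."""
    latest_swap = {}  # msisdn -> (timestamp, channel) of the most recent swap seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sim_swap":
            latest_swap[ev["msisdn"]] = (t, ev.get("channel", "unknown"))
        elif ev["type"] == "sms_recovery" and ev["msisdn"] in latest_swap:
            swap_t, channel = latest_swap[ev["msisdn"]]
            age_min = int((t - swap_t).total_seconds() // 60)
            if age_min <= window_hours * 60:
                alerts.append({
                    "msisdn": ev["msisdn"],
                    "service": ev["service"],
                    "minutes_since_swap": age_min,
                    "swap_channel": channel,
                    # Assumed policy: do not trust the SMS factor alone right after a swap.
                    "recommended_action": "step_up_verification",
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_post_swap_recoveries(SAMPLE_EVENTS):
        print(alert)
```

In practice the swap timestamp would come from the operator's provisioning system and the recovery attempt from the relying service's authentication logs; the point is that SMS recovery shortly after a number moves to a new SIM deserves a stronger check than the code alone.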
As Roel Schouwenberg, director of intelligence and research at Celsus Advisory Group, recently reported, this trend is especially troubling because mobile phone numbers have become “master keys” to our entire online identities.
Dialing Up Defenses
But how can telcos protect themselves and their customers from these and other forms of ATO when threats can range from identity, device and location spoofing, to automated bot attacks and remote access maneuvers that piggyback on login sessions that have already been fully authenticated?
Some may double down on one-time passcodes, using alternatives to SMS such as hardware tokens or two-factor code generators. But that just creates user friction that will turn off consumers quickly. And it’s not effective if other components of the customer’s digital identity or their devices have already been compromised.
Others may be forced to rethink the way they authenticate users altogether.
It stands to reason that some will erect multiple layers of defense that include modern identity verification technologies, which don’t rely solely on identity credentials. For instance, there are already digital identity-based solutions that go beyond static information such as usernames, passwords, addresses, social security numbers and so on by leveraging hundreds of dynamic data elements that can’t be stolen or faked.
Given the rise in SIM swapping and other forms of advanced ATO techniques, solutions that draw from global, shared identity intelligence—from thousands of online and offline data sources—will likely prove most compelling.
A Call-to-Action Against ATOs
Will any of this really help? There’s growing cause for hope—and urgency.
One European telco that has deployed digital identity-based solutions reports achieving a reduction in successful fraud attempts so large that it suspects cybercriminals have moved on to other targets.
Other operators may take different routes, of course. But sooner is better than later. As it stands now, telecom companies are seen as one of the highest-value targets for cybercriminals.
With overall account takeover tripling in recent years to $5.1 billion in losses, lawsuits flying and customers waking up to the threat, telcos seeking to stomp out ATO have plenty of incentive to answer the call.
To learn more, download this solution brief, Account Takeover: Prevent Fraudulent Account Takeover While Minimizing Friction for Good Customers.