SMS OTP is by far the most widely adopted second factor authentication modality.
The reasons for this are very simple. It is convenient, affordable, and compatible with any mobile device.
It is not a perfect security control, but it does raise the baseline of a bank’s online banking secure posture and therefore an important component within a layered fraud prevention stack.
However, SMS was never designed as a secure authentication medium, and therefore it can be easily defeated by cyber criminals.
The most common ways to defeat SMS OTP include:
- SIM swap
- Phone porting
- Device compromise (e.g. SMS stealing malware)
- Social engineering (i.e. ‘vishing’)
The challenge for banks is that the customer impact, change management and costs associated with migrating to a more secure authentication medium are massive. Imagine trying to migrate millions of customers from SMS OTP to something more secure......never mind in the middle of a global pandemic! Call centre meltdowns, payment delays, customer complaints, technology failures…does not sound like fun to me!
So, the question is: how can we better protect customers, without migrating from SMS OTP and creating a large negative impact to an existing client base? Are there complimentary controls that may increase the longevity of SMS OTP, whilst not raising the fraud risk exposure of a bank?
Behavioural biometrics and advanced modelling techniques can provide the answers!
From a data perspective, these are elements that are present in all SIM swap and phone porting fraud cases:
- Change in behavioural biometric user patterns - as is impossible for criminals to reverse engineering the deep behavioural patterns of a victim
- New device attributes
- New network attributes
When you combine each of these dimensions into features within an advanced fraud detection model, what results is a very accurate assessment around the probability of a SIM swap or phone porting fraud case.
To give you an idea of what is possible. Within the highest scorebands of BioCatch’s Account Takeover model, we are consistently detecting over 30% of phone porting and SIM swap cases in only <0.05% of sessions. Truly finding a needle in a haystack!
As well as accurate fraud detection, the benefit for our clients of using this approach include:
- Project costs. Avoiding multi-million dollar SMS OTP migration projects
- User experience. Protecting genuine user experience
- Operational costs. Reducing the need to send SMS OTP on low-risk sessions
By deploying passive, complimentary and data driven behavioural biometric controls, we can effectively increase the lifespan of SMS OTP, whilst still raising the fraud risk capability. A great outcome for both banks and all of their customers!