How can the telecoms industry block the account takeover threat?

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Roberto Valerio, CEO of anti-fraud specialist Risk Ident, explores the challenge of identity theft in the telecommunications sector, and explains how companies can cut off the fraudsters before they do damage.

Identity theft used to be something that only worried banks, insurers and financial institutions. Over the past several years, however, the threat has expanded to other critical industries, including the mobile telecommunications space.

So widespread is the issue of identity theft that it is now reaching epidemic levels. In 2016, for example, 1.4 billion data records were exposed in nearly 1,800 security breaches worldwide. In September 2017, the network security system of U.S. credit bureau Equifax was breached, compromising the personal data of 143 million consumers.

The UK company TalkTalk was hit with a record £400,000 fine in October 2016 for the cyber attack in 2015 that placed the personal details of more than 150,000 customers in the hands of criminals.

The issue with these data breaches is what criminals do with the information afterwards. Once identity data has been stolen, fraudsters create new accounts online – or worse – use the personal information to hijack existing accounts. They can masquerade as a legitimate user and hide behind their good history to make fraudulent purchases – this “account takeover” threat is rising fast.

Mobile telecoms is at particular risk

The mobile telecoms industry is especially vulnerable to the threat of identity theft. The mobile phone contract model that is prevalent across the whole of Europe – where customers receive a high-value phone handset up-front and pay for it monthly – is very attractive for fraudsters, precisely because it offers so many avenues for crime to occur.

Mobile phone fraud of this kind is growing fast. Cifas reported a 60% uplift in mobile telecoms identity fraud from 2016-2017. Failure by firms to respond now could cause untold misery for customers, as they battle to recoup losses and protect their hard-earned cash. For the companies themselves, inaction could lead to financial penalties, such as fines, and a significant negative impact on their brand reputation.

So, what can mobile telecoms companies do to protect themselves and their customers?

Understanding fraud

There are a number of ways criminals are using stolen identities to carry out contract fraud.

A common and straightforward one sees fraudsters use a victim’s account details to sign up to a mobile contract – complete with expensive phone – then quickly sell the handset on, leaving the genuine account holder to deal with the contract repayments and other fall-out.

Contract extensions are also carefully targeted by criminals.

Many telecom providers aim to reduce friction with customers by avoiding the complex re-sign process – which inadvertently presents an attractive target to nimble fraudsters. It is not uncommon for criminals to use stolen data to hijack contract renewals by changing victims’ details to ensure the new handsets arrive at an address they can access.

These attacks are easy to carry out and can be highly lucrative – it’s no wonder that they are so attractive and tempting to criminals. With this in mind, it is vital that businesses do all they can to safeguard their customers’ data.

So, what can be done?

Quite simply, telecoms firms need to find ways of not just tightening security around their data storage, but of trying to close the gaps presented by the mobile phone contract process by predicting where customers may be most vulnerable to fraud.

Tackling the problem over the past five years, we’ve found that slightly more than 19 percent of confirmed fraud cases are identified as account takeovers.

At the same time, we identified several characteristics that can help any telecoms firm spot a case of account takeover, including:

  • Recent account changes: In nearly every instance where RISK IDENT determined an account takeover (ATO) to have occurred, either the password, email address or physical address had been changed in the previous 10 days.
  • Big spend: In cases of account takeover, the average order value is four times higher than typical orders – crucial for fraudsters to justify the effort. Fraudulent contract requests may involve a phone handset with a significantly higher RRP than the customer’s previous phone.
  • Customer’s age: The older an account holder is, the more likely they are to be the victim of an account takeover. Older users may have less technical expertise that could leave them vulnerable to data theft.

Telecoms firms should take these factors into account when evaluating whether or not they have a problem with ATO, so they can act to protect their customers before any fraud is actually committed.
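The three indicators above can be combined into a simple screening rule for contract requests. This is an added example, not Risk Ident's code: the record layout, the age cut-off of 60, the 1.5x handset step-up threshold and the rule that a recent change must coincide with a spend signal are all assumptions, since the article gives only the 10-day window and the four-times order value.

```python
from dataclasses import dataclass, field
from datetime import date

CHANGE_WINDOW_DAYS = 10     # article: details changed in the previous 10 days
ORDER_VALUE_MULTIPLE = 4.0  # article: ATO orders average four times typical value
HANDSET_STEP_UP = 1.5       # assumption: "significantly higher RRP" is not quantified
OLDER_HOLDER_AGE = 60       # assumption: the article names no age cut-off
WATCHED_FIELDS = ("password", "email", "address")

@dataclass
class ContractRequest:      # hypothetical record layout
    request_date: date
    order_value: float
    typical_order_value: float
    handset_rrp: float
    previous_handset_rrp: float
    holder_age: int
    last_changed: dict = field(default_factory=dict)  # field name -> date of change

def ato_indicators(req):
    """Return the names of the article's indicators that this request triggers."""
    hits = []
    for name in WATCHED_FIELDS:
        changed = req.last_changed.get(name)
        # Ignore missing dates and changes logged after the request itself.
        if changed is not None and 0 <= (req.request_date - changed).days <= CHANGE_WINDOW_DAYS:
            hits.append(f"recent_change:{name}")
    if req.typical_order_value > 0 and req.order_value >= ORDER_VALUE_MULTIPLE * req.typical_order_value:
        hits.append("big_spend")
    if req.previous_handset_rrp > 0 and req.handset_rrp >= HANDSET_STEP_UP * req.previous_handset_rrp:
        hits.append("handset_step_up")
    if req.holder_age >= OLDER_HOLDER_AGE:
        hits.append("older_holder")
    return hits

def needs_manual_review(req):
    """Assumed policy: hold the order when a recent change coincides with a spend signal."""
    hits = ato_indicators(req)
    recent = any(h.startswith("recent_change:") for h in hits)
    return recent and ("big_spend" in hits or "handset_step_up" in hits)

# Constructed sample requests, not real customer data.
SAMPLE_REQUESTS = {
    "renewal_after_address_change": ContractRequest(
        date(2018, 3, 12), 1200.0, 250.0, 1100.0, 400.0, 71,
        {"address": date(2018, 3, 8), "password": date(2017, 1, 5)}),
    "routine_renewal": ContractRequest(
        date(2018, 3, 12), 300.0, 250.0, 450.0, 400.0, 34, {"password": date(2017, 6, 1)}),
    "big_order_no_change": ContractRequest(date(2018, 3, 12), 1200.0, 250.0, 1100.0, 400.0, 45),
}
```

Age is reported as an indicator but does not trigger a hold on its own here, so older customers are not delayed merely for being older.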

Other businesses’ leaks will cause you headaches

Successfully protecting customer information means doing more than simply shoring up your own business’s computer systems and taking steps to predict the likelihood of account takeover fraud among your customer base. Other businesses and partners also present weak spots in a telecoms firm’s defences that fraudsters can exploit.

Take the 2017 Equifax breach, for example. More than 140 million credit records were leaked and telecoms businesses were among the victims hardest hit. Many ultimately paid for the security failings of Equifax, suffering a rash of mobile phone contract applications from crooks using stolen credentials.

The risk of partners suffering data breaches is significant. Telecoms firms, then, need to ensure their customers’ data is protected across the supply chain, by promoting solutions to help predict fraud risk.

A game of cat and mouse

It is not a question of “winning” against fraud – no one wins. Fraud is a cat-and-mouse game and telecoms firms have to up the stakes to take on the fraudsters. The harder you make it for them, the less likely you will be hit.

Simple steps like incorporating systems to predict account takeover vulnerability can go a long way towards helping telecoms companies prepare themselves to tackle the ever-increasing fraud threat. By talking to experts, firms can ensure their fraud prevention processes are fit for purpose well into the future.

 

Roberto Valerio is one of the foremost experts on the rise of AI in combating fraud and founder of RISK IDENT, Europe’s leading provider of new intelligent anti-fraud software. Roberto sits on the European Advisory Board of the Merchant Risk Council and is a regular speaker on Europe’s anti-fraud conference circuit.

Crime moves upmarket as fraud becomes the UK’s number 1 offence

New research from Experian claims fraud is now the UK’s most common criminal offence, much to the dismay of thugs and hoodlums everywhere.

The company’s Annual Fraud Indicator 2017 estimates the annual cost of fraud in the UK is £190 billion, exceeding the total Gross Domestic Product of 148 out of 191 countries on the planet. Breaking it down, private sector fraud costs the UK economy £140 billion over the course of 2017, while public sector fraud costs only £40.3 billion.

“Awareness of the dangers fraud poses is growing, but the total of £190 billion is startlingly high,” said Nick Mothershaw, Director of Fraud and Identity Solutions at Experian. “Plastic card and online banking fraud continues to increase, so new regulations which make it harder for fraudsters to use someone’s cards online are a necessary step.

“Fraudsters are shamelessly opportunistic and are now turning their attention to the pensions release, lured by the promise of high value returns when their scams are successful.”

Procurement has been pinned down as the biggest sucker for fraud, but the report notes new technologies are opening up new opportunities for the tricksters. Online Banking fraud has grown by 226% and Telephone Banking Fraud by 178% in the past year, with millennials getting caught out as well.

While this number is surprisingly high, the growing popularity of mobile money and contactless payment solutions might add to the problem. Another area which we haven’t seen the impact of is social media.

With the online world taking more control of our daily lives, authentication techniques using social media accounts are becoming more common. The vast majority are used for free services, but that doesn’t mean someone won’t work out how to commit a white collar crime using this little development. Individuals seem very enthusiastic about handing out their personal information online, and in truth we haven’t seen any particularly devastating negative impacts yet. That doesn’t mean it isn’t possible though.

Breaking the bottleneck of counter fraud management

Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Joseph George, Senior Vice President of Fraud & Security at Mobileum, argues operators need to revise their approach to countering fraud.

We live in a golden age of data. For operators looking to counter fraud, there has never been more actionable information available at their fingertips than there is now.

In theory, this is an amazing advantage for communications service providers (CSPs) looking to stay one step ahead of increasingly sophisticated ‘fraudsters’, as well as gain insights that can help their business thrive in new service areas. A wealth of useful data, an increased ability to fight fraud, and a way to add to the bottom line are all wonderful things for operators. However, this explosion of data has also created unforeseen challenges.

Operators are reaching a tipping point, as the telecoms sector significantly expands its global services with faster broadband, 5G roll-out and more connected devices. Combined with the overall trend of traffic moving from voice to data networks, CSPs are facing huge challenges as many fraud management systems are buckling under the weight of trying to detect and act with the speed and accuracy needed to prevent potential revenue losses.

Simply put, many traditional fraud management systems can’t keep up with the sheer volume of data out there. It’s leaving operators staring at a mountain of overlooked (and underutilized) data, too much of a pain and inconvenience to be analysed thoroughly.

The root problem with many systems is that they can only handle limited datasets, not accounting for volume, variety and velocity of critical data. Also, modern capabilities and features are missing in older systems, including mobility, machine-learning, self-service analytics, and more visual and intuitive interfaces. In fact, some legacy systems still in use today by CSPs monitor fraud by only analysing aggregate records of calls.

There is a real, looming threat that fraud management is becoming a bottleneck, impeding CSPs’ ability to offer and expand services until fraud data can be interpreted and managed. Like a clogged kitchen sink, fraud management is creating a backup. Initially it might just cause a small pipe leak, but if operators aren’t proactive, they could have a full-blown burst on their hands.

That burst may be caused by the pressure of a mounting catalogue of services (and data) that CSPs help deliver and also need to analyse. Although outside their control, CSPs are often best positioned to identify instances of fraud occurring over carrier traffic on their networks. Examples of this include data fraud, international revenue share fraud and bypass fraud, among others. Along with the risk of IoT and sensor networks having fraudulent apps installed, the result is that the blind spots of many current CSP systems are being exposed by emerging sources of fraud.

So how can operators get ahead of the problem? How can they break this ballooning bottleneck, take advantage of the fact that they have access to vast amounts of data, and expand their services? The first step is to go beyond merely detecting fraud. CSPs should look inward, circling back and advancing their fraud protection tactics.

CSPs should have integrated, actionable and prescriptive control of fraud and abuse, based upon a combination of dynamically auto-configured business rules and policy control. By obtaining a high degree of detection accuracy, operators can get a clear understanding of the fraud data they are being presented with, and what it is telling them. With IoT for example, it means having an ability to uncover fraud outside of rule-based detection.

The implementation of predictive, big data technologies and machine-learning is a way to keep up with new frauds in real time, stopping them in their tracks. It also offers the added benefit of creating more parameters and making greater volumes of data available for analysis. All of this can be accomplished by employing a comprehensive multi-protocol solution that is nimble, fast and adds to an operator’s current system capabilities.

It’s no secret that the telecoms sector is significantly expanding its services and capabilities. But it’s the savvy operators who realize that breaking through the bottleneck of fraud data saves time and money in the long-term, and facilitates investment in new opportunities and services that otherwise would have been missed.

 

Joseph George joined Mobileum in May 2017 as Senior Vice President, Fraud & Security. He leads the global strategy for solutions that help service providers control their risks related to fraud & security and prevent revenue leaks in their business.