How can the telecoms industry block the account takeover threat?

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece, Roberto Valerio, CEO of anti-fraud specialist Risk Ident, explores the challenge of identity theft in the telecommunications sector and explains how companies can cut off the fraudsters before they do damage.

Identity theft used to be something that only worried banks, insurers and financial institutions. Over the past several years, however, the threat has expanded to other critical industries, including the mobile telecommunications space.

So widespread is the issue of identity theft that it is now reaching epidemic levels. In 2016, for example, 1.4 billion data records were exposed in nearly 1,800 security breaches worldwide. In September 2017, the network security system of U.S. credit bureau Equifax was breached, compromising the personal data of 143 million consumers.

The UK company TalkTalk was hit with a record £400,000 fine in October 2016 for the cyber attack in 2015 that placed the personal details of more than 150,000 customers in the hands of criminals.

The issue with these data breaches is what criminals do with the information afterwards. Once identity data has been stolen, fraudsters create new accounts online – or worse – use the personal information to hijack existing accounts. They can masquerade as a legitimate user and hide behind their good history to make fraudulent purchases – this “account takeover” threat is rising fast.

Mobile telecoms is at particular risk

The mobile telecoms industry is especially vulnerable to the threat of identity theft. The mobile phone contract model that is prevalent across the whole of Europe – where customers receive a high-value phone handset up-front and pay for it monthly – is very attractive for fraudsters, precisely because it offers so many avenues for crime to occur.

Such mobile phone fraud is growing fast. Cifas reported a 60% uplift in mobile telecoms identity fraud from 2016 to 2017. Failure by firms to respond now could cause untold misery for customers, as they battle to recoup losses and protect their hard-earned cash. For the companies themselves, inaction could lead to financial penalties, such as fines, and a significant negative impact on their brand reputation.

So, what can mobile telecoms companies do to protect themselves and their customers?

Understanding fraud

There are a number of ways criminals are using stolen identities to carry out contract fraud.

A common and straightforward one sees fraudsters use a victim’s account details to sign up to a mobile contract – complete with expensive phone – then quickly sell the handset on, leaving the genuine account holder to deal with the contract repayments and other fall-out.

Contract extensions are also carefully targeted by criminals.

Many telecom providers aim to reduce friction with customers by avoiding the complex re-sign process – which inadvertently presents an attractive target to nimble fraudsters. It is not uncommon for criminals to use stolen data to hijack contract renewals by changing victims’ details to ensure the new handsets arrive at an address they can access.

These attacks are easy to carry out and can be highly lucrative – it’s no wonder that they are so attractive and tempting to criminals. With this in mind, it is vital that businesses do all they can to safeguard their customers’ data.

So, what can be done?

Quite simply, telecoms firms need to find ways of not just tightening security around their data storage, but of trying to close the gaps presented by the mobile phone contract process by predicting where customers may be most vulnerable to fraud.

Tackling the problem over the past five years, we’ve found that slightly more than 19 percent of confirmed fraud cases are identified as account takeovers.

At the same time, we identified several characteristics that can help any telecoms firm spot a case of account takeover, including:

  • Recent account changes: In nearly every instance in which RISK IDENT determined an account takeover (ATO) to have occurred, either the password, email address or physical address had been changed in the previous 10 days.
  • Big spend: In cases of account takeover, the average order value is four times higher than typical orders – crucial for fraudsters to justify the effort. Fraudulent contract requests may involve a phone handset with a significantly higher RRP than the customer’s previous phone.
  • Customer’s age: The older an account holder is, the more likely they are to be the victim of an account takeover. Older users may have less technical expertise that could leave them vulnerable to data theft.

Telecoms firms should take these factors into account when evaluating whether or not they have a problem with ATO, so they can act to protect their customers before any fraud is actually committed.
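An added example, not code from the article or from RISK IDENT: a rule-based check that turns the three characteristics above into signals on an order record. The 10-day window and the fourfold order value come from the article; the age threshold, the field names and the review policy are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CHANGE_WINDOW = timedelta(days=10)  # article: details changed in the previous 10 days
SPEND_MULTIPLIER = 4.0              # article: ATO orders average four times typical value
OLDER_HOLDER_AGE = 60               # assumption: the article names no age threshold


@dataclass
class Order:
    """Constructed record layout; field names are hypothetical."""
    order_id: str
    order_date: date
    order_value: float
    typical_order_value: float      # baseline for this customer or segment
    holder_age: int
    last_detail_change: Optional[date]  # password, email or postal address


def ato_signals(o: Order) -> list[str]:
    signals = []
    if o.last_detail_change is not None:
        elapsed = o.order_date - o.last_detail_change
        # Ignore changes dated after the order (clock skew, late edits).
        if timedelta(0) <= elapsed <= CHANGE_WINDOW:
            signals.append("recent_account_change")
    # Skip the spend check when there is no usable baseline.
    if o.typical_order_value > 0 and \
            o.order_value >= SPEND_MULTIPLIER * o.typical_order_value:
        signals.append("big_spend")
    if o.holder_age >= OLDER_HOLDER_AGE:
        signals.append("older_holder")
    return signals


def needs_review(o: Order) -> bool:
    # Assumed policy: a recent change plus any second signal holds the order
    # for manual review; age or spend alone does not.
    s = ato_signals(o)
    return "recent_account_change" in s and len(s) >= 2


# Constructed sample orders.
D = date(2024, 3, 15)
ORDERS = [
    Order("A", D, 1200.0, 250.0, 71, date(2024, 3, 9)),
    Order("B", D, 300.0, 250.0, 34, date(2023, 11, 2)),
    Order("C", D, 1100.0, 260.0, 45, None),
    Order("D", D, 200.0, 250.0, 68, date(2024, 3, 5)),
]
FLAGGED = [o.order_id for o in ORDERS if needs_review(o)]  # ["A", "D"]
```

Order D sits exactly on the 10-day boundary and is still flagged, while order C shows that a large order with no recent account change is left alone under this policy.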

Other businesses’ leaks will cause you headaches

Successfully protecting customer information means doing more than simply shoring up your own business’s computer systems and taking steps to predict the likelihood of account takeover fraud among your customer base. Other businesses and partners also present weak spots in a telecoms firm’s defences that fraudsters can exploit.

Take the 2017 Equifax breach, for example. More than 140 million credit records were leaked and telecoms businesses were among the victims hardest hit. Many ultimately paid for the security failings of Equifax, suffering a rash of mobile phone contract applications from crooks using stolen credentials.

The risk of partners suffering data breaches is significant. Telecoms firms, then, need to ensure their customers’ data is protected across the supply chain, by promoting solutions to help predict fraud risk.

A game of cat and mouse

It is not a question of “winning” against fraud – no one wins. Fraud is a cat-and-mouse game and telecoms firms have to up the stakes to take on the fraudsters. The harder you make it for them, the less likely you will be hit.

Simple steps like incorporating systems to predict account takeover vulnerability can go a long way towards helping telecoms companies prepare themselves to tackle the ever-increasing fraud threat. By talking to experts, firms can ensure their fraud prevention processes are fit for purpose well into the future.

 

Roberto Valerio is one of the foremost experts on the rise of AI in combating fraud and founder of RISK IDENT, Europe’s leading provider of new intelligent anti-fraud software. Roberto sits on the European Advisory Board of the Merchant Risk Council and is a regular speaker on Europe’s anti-fraud conference circuit.