One-time passcodes, or OTPs, sent to mobile phones are the cornerstone of many organizations’ customer authentication strategies.
This is in large part due to the positive reputation it has with consumers: it’s convenient and assumed that these codes are secure. But with the increasing prevalence of mobile malware, man-in-the-middle attacks, phishing, SIM card swaps, call forwarding and other fraud techniques, mobile OTPs are becoming a progressively less reliable means of protecting customer accounts.
Fraudsters are using an increasing number of ways to compromise consumer phones, and businesses are feeling the impact. A recent Forrester survey of 300 North American fraud prevention decision-makers indicates that phone-related fraud is rife: almost every respondent reported that their organization had experienced mobile fraud in the past year. SMS OTP fraud attacks were among the most commonplace, even though one of the main reported challenges from these companies was that they lack the tools to accurately detect OTP fraud. It’s a near certainty that the true extent of the problem is severely under measured.
The high cost of fraud…
Customer authentication fraud loss rates exceeded 5% last year for nearly half of survey respondents, indicating that they lost more than 5 cents of every dollar earned. And, as mobile transactions gain ground, the share of fraud costs from the mobile channel is rising, jumping from 5% to 39% of fraud costs in U.S. e-commerce between 2020 and 2021, according to the LexisNexis True Cost of Fraud Study.
Direct fraud losses balloon with the addition of related costs such as chargeback fees, interest, and merchandise replacement and redistribution. LexisNexis calculates that in 2021, every $1 of fraud cost U.S. retail and e-commerce merchants $3.60 — up from $3.36 in 2020 and $3.13 in 2019.
And even these figures are dwarfed by the indirect costs of false declines, negative customer experience, loss of customers and damage to brand reputation.
…and fraud prevention
Fraud prevention is always a balancing act, with merchants attempting to verify buyers’ identities and block fraudulent purchases while at the same time trying to avoid rejecting legitimate orders or creating so much friction that customers are driven away. This is especially true across digital channels where customers can take their business elsewhere with just one click.
Many industry analysts believe that the majority of declined transactions are actually legitimate orders, representing a massive loss of potential revenue to merchants. A report by Sapio Research suggests that for every $1 in credit card fraud, e-commerce merchants lose $13 in false declines. But other sources estimate that false-decline losses are actually up to 70 times the fraud losses.
What’s more, 39% of consumers say they will never go back to a merchant that declines a transaction — leading to a significant loss in lifetime customer value. And 28% say they will report their negative experience on social media, potentially influencing other prospective customers as well.
A precise, low-friction approach
Unfortunately, the vulnerability of the mobile channel has weakened OTP effectiveness. The significant rise of SMS OTP fraud puts both the organization and the customer at risk. New strategies are needed that complement the ease and convenience of authentication via SMS text messaging or callbacks. The question becomes, how do you flag potential fraudsters before sending that one-time passcode to a customer device?
The majority of survey respondents are looking to answer that question with technology partners who can enhance OTP authentication security while maintaining a user-friendly experience for consumers. Just three in 10 decision-makers surveyed by Forrester believe that their companies’ ability to prevent authentication fraud is optimized, and nearly seven in 10 have already begun investing in technology to help prevent OTP incidents. Respondents identified the following capabilities as either mission-critical or important: identifying high-risk phone numbers, detecting if a phone scam is active before sending an OTP, using a decision engine to determine the lowest-risk channel (mobile app vs. SMS, for instance) and then sending the OTP via that channel, and obtaining a low-risk phone number when the initial phone number is identified as high risk.
The above trends are leading to the increased adoption of phone takeover risk solutions. These tools provide companies with real-time intelligence to determine whether sending an OTP to a phone number presents a high or low risk. It signals if common fraud tactics, such as SIM swaps, call forwards and reauthorized assignments, may have recently occurred. Understanding if a device or interaction is at high risk for these types of fraud allows the vast majority of one-time passcodes to be safely sent and received while stopping fraudsters from receiving these same passcodes after hijacking consumer phones.
Protecting the Customer Experience
As more consumers embrace mobile transactions, organizations need tools that help make the use of one-time passcodes, one of the most universal and widely adopted authentication processes, safer from bad actors. These solutions will ensure a difficult experience for fraudsters while maintaining a positive authentication experience for customers — thus laying the foundation for greater trust, enhanced brand value and market share growth.
About the Author
Shai Cohen leads TransUnion‘s Global Fraud Solutions Group. Cohen has spent decades in the IT and cybersecurity industries leading business units and software engineering and product management teams. He joined TransUnion from RSA, where he was the general manager of its Fraud and Risk Intelligence business. Previously, Cohen served in leadership roles at EMC and Intel.