It’s easy to assume that fraud issues follow the trends of the day: LTE, 4G, mobile money. But technology actually wasn’t a hot topic for presenters and delegates attending this year’s CFCA annual fraud management event in Philadelphia, USA.
The biggest concerns were around the day-to-day issues they’ve struggled with for years: financial scams, subscription fraud, account takeover fraud, PBX hacking, and Revenue Share types of fraud.
It’s not that fraudsters have trouble keeping up with the latest technology; they are actually quite tech savvy. It’s just that they look at technology investments the way a normal business would: the investment has to earn a better ROI. And today fraudsters can launch very profitable attacks on the customer acquisition and retention processes using almost no technology at all.
For instance, if a fraudster gets hold of 5 new iPhones, that is potentially $5,000 in value, and no technology is needed to do it -- just a few phone calls.
Let’s walk through a couple of the hot fraud issues folks talked about at the CFCA:
Hidden SIM Swaps
If a customer loses a SIM card, he can get and activate a replacement SIM: no problem. But what if that SIM card replacement process is targeted by a fraudster? Well then, the fraudster can – very conveniently -- take over the account without ever having to become the account holder. And making free phone calls is just the beginning.
A bigger threat from account takeover happens when the customer’s bank uses the phone number to validate banking transactions -- because calls are now going to the fraudster who has assumed control of the account, not to the original customer.
Say the fraudster makes an online banking transaction paying his own company $10,000 out of the customer’s bank account. The bank will often call to validate a large transaction like that, but since the SIM has been swapped, it’s the fraudster who validates the transaction.
So I think you can easily see that a bank account fraud loss like that -- whether the operator is actually to blame or not – can kill a customer’s trust in his mobile carrier.
It’s a very natural thing for operators to try to keep the customer happy, so if a customer does genuinely lose a SIM or a phone, they want the customer to be able to replace it quickly – it may be the customer’s only communications device. So what does the operator do to keep the customer happy? The operator simplifies the rules and process in these situations and fails to apply the same high level of controls or prescribed identity checks used for new subscribers. Well, this is exactly what opens the door for the fraudster.
Attacking Existing Accounts
Over the last several years, CSPs have put good controls in place to spot simple identity fraud, so that issue has basically flat-lined: it’s not growing. Where the real identity fraud growth is occurring today is in capturing existing accounts, or what we call account takeover.
Identity checking is usually very good if you are a new customer and you walk into a mobile store to buy a handset and network service. To get an account, they are going to check your government ID, ask for other proof, do a credit check, and check your history as a financial entity with official agencies.
And yet, if you have been a good customer for a year, the only thing you have to do to get verified is to ring customer service, give them your name and address and perhaps another item of simple information. That could be a password, but it could also be the amount of your last bill. So the security screen is much thinner.
Let’s say you call to add a new line as an existing customer. Often an operator won’t do any credit check or any other checks and balances. This turns out to be a big security hole. So the attempt to be customer friendly and make it easy for the customer to add new services provides an opportunity for the fraudster.
The other technique, of course, is phishing, using either the phone or email. On the phone, they set the Caller ID to make you think they are calling from the customer service department of a network or service provider, and their goal is to extract sensitive identity information by making statements such as “there are issues on your account” (a technique called social engineering).
Phishing emails work the same way: you are likely to read that there are problems or issues with your account or the phone system, and the email asks you to reply with a password or other verification details.
Then, once the fraudster has the customer’s details, he can freely come onto the network -- via customer service or web self-service -- using the obtained passwords and add four extra phone lines and four more handsets to the account.
This scam offers very quick returns for the fraudster. Once again, the unhappy customer blames the operator for allowing his account details to be compromised – even if the customer gave away his account details through an email or phone call or SMS.
Once the fraudsters have the handsets and SIMs, they will resell the handsets and also run the traditional routine: call reselling, premium rate fraud on the account, and other ploys.
Now, when two or three lines are added to the account, it’s quite obvious when the customer looks at his next statement. However, in many cases the customer will not detect the change. Say the customer is at the end of her two-year contract. She might be quite happy with her current iPhone and doesn’t even think about upgrading her handset, but if the fraudster gets in and does the upgrade for her, she may not even realize the account has been upgraded, because there are not necessarily any new charges on the account -- just a renewal of the contract. If the customer does not know her contract expiration date, the fraud can run for several months until it is detected when she eventually decides she would like an upgrade.
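Both weak points described above, the SIM replacement that is done with a thin identity check and then used to intercept bank verification calls, and the existing-account changes (add line, upgrade) that skip the checks applied to new subscribers, can be expressed as simple rules over an operator’s customer-service event log. The following is an added Python example, not code from the article or from any CFCA member; the event types, the 48-hour cooling-off window and the sample log are assumptions constructed for illustration.

```python
# Added example: two defender-side rules over a constructed customer-service event log.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Checks a new subscriber must pass; the article's point is that existing-customer
# changes are often authorised with far less (name, address, last bill amount).
STRONG_CHECKS = {"government_id", "credit_check"}
HIGH_RISK_CHANGES = {"sim_replacement", "add_line", "handset_upgrade"}
SWAP_WINDOW = timedelta(hours=48)  # assumed cooling-off period after a SIM swap

@dataclass
class Event:
    account: str
    kind: str                        # e.g. "sim_replacement", "otp_callback", "add_line"
    when: datetime
    checks: frozenset = frozenset()  # identity checks actually performed for this event

def flag_weak_verification(events):
    """Return (account, kind, time) for high-risk changes to an existing account
    that were authorised without the strong checks required of new subscribers."""
    return [(e.account, e.kind, e.when) for e in events
            if e.kind in HIGH_RISK_CHANGES and not STRONG_CHECKS <= e.checks]

def flag_post_swap_callbacks(events, window=SWAP_WINDOW):
    """Return (account, time, delay) for verification callbacks (bank OTP call or
    SMS) that reach a number whose SIM was replaced within `window`: the bank is
    then most likely talking to whoever holds the new SIM, not the customer."""
    last_swap = {}
    hits = []
    for e in sorted(events, key=lambda e: e.when):
        if e.kind == "sim_replacement":
            last_swap[e.account] = e.when
        elif e.kind == "otp_callback":
            swapped = last_swap.get(e.account)
            if swapped is not None and e.when - swapped <= window:
                hits.append((e.account, e.when, e.when - swapped))
    return hits

# Constructed sample log (not real data): A2 is the hidden SIM swap scenario,
# A3 the add-a-line scenario, A4 a properly verified replacement.
T0 = datetime(2013, 10, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("A1", "new_subscription", T0, frozenset({"government_id", "credit_check"})),
    Event("A2", "sim_replacement", T0 + timedelta(hours=1), frozenset({"name_address"})),
    Event("A2", "otp_callback", T0 + timedelta(hours=3)),
    Event("A3", "add_line", T0 + timedelta(days=1), frozenset({"last_bill_amount"})),
    Event("A4", "sim_replacement", T0, frozenset({"government_id", "credit_check"})),
    Event("A4", "otp_callback", T0 + timedelta(days=5)),
]
```

The first rule is the operator’s own control; the second is the check a bank would need a recent-SIM-swap signal from the operator to perform.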
So to conclude, fraudsters are always looking at ways of exploiting new technologies such as LTE and 4G. However, they see no need to invest in that quite yet, because they have found lucrative avenues for creating plenty of revenue and profit by attacking the existing weak points of customer service systems and processes at the carriers, banks, and retailers within the communications network.
Clearly one of the best antidotes in such fraud prevention is to introduce more solid controls in the customer service process and focus on the protection of customer data and identities.