Our phones are increasingly like our online passport. Fraudsters have ways around it, but here’s how to stop them.
2FA (two-factor authentication) and OTP (one-time passwords) are so common these days that app developers are increasingly letting your phone fill them in for you automatically.
After all, if the user receives the message, they must indeed be the rightful owner of the device tied to whatever account needs the extra verification step. Why create extra friction and frustration by forcing them to input the code manually?
But what if the phone number that received the code isn’t legit in the first place? Doesn’t that defeat the whole purpose of multi-factor authentication?
As we’ll see in this post, obtaining disposable numbers and SIM cards isn’t hard at all. And that has serious implications for the security of your Internet business.
Why 2FA and OTP In The First Place?
According to Google’s own research, adding a recovery phone number to an account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.
So we are in fact talking about preventing the problem of account takeover, or ATO. In short, businesses want to ensure your account remains yours, for legal reasons, but also to avoid a PR crisis.
And phones are increasingly seen as a powerful secondary identification tool, either to receive a confirmation SMS (phone number), or via authenticator apps, such as Google’s.
The goal is simple: confirm that the person logging into an account, whether it’s at an online store, crypto exchange or bank, is indeed the account owner, by tying the login to the SIM card in their possession.
You can read our complete guide on ATO and how to prevent it here.
Workaround #1 – Disposable Phone Number Services
Now phone verification isn’t just used for authentication these days. It’s increasingly part of the standard account creation process. In theory, linking a phone number to a new account helps complete a piece of the customer profile.
But what happens when the user doesn’t have a phone or doesn’t want to use their real number? And, more worryingly, what happens when a user is creating a profile based on a fake or synthetic ID?
They have plenty of solutions, and the first one is to do a quick online search for disposable, or temporary phone numbers.
Some of these online services are free, while others operate under a pay-as-you-go model, where you buy credit (usually via cryptocurrencies).
The service receives the confirmation SMS for you and lets you create a new account in seconds, with a number that isn’t officially yours, all for the very affordable price of €0.1 – 0.5 per message.
Workaround #2 – Burner Apps and eSIMs
What if you want to receive confirmation SMS for numerous numbers without leaving your actual smartphone? That’s also possible, thanks to burner apps.
Named after “burner phones”, or disposable mobile phones used in the drug trade, these apps allow anyone to benefit from a second line for private calls, texting and pictures.
They are sold under the pretense of protecting your real number (for privacy reasons), but we also know that these apps are quickly becoming tools of the trade for fraudsters who want to create multiple accounts. And multi-accounting usually means bonus abuse, fake reviews or payment fraud.
Similarly, a quick search of the App Store or Play Store will reveal dozens of eSIM services, which give you multiple accounts for VoIP and SMS. Each account comes with its own profile, perfect for easy multi-accounting and identity fraud.
Workaround #4 – SIM Jacking
Without a doubt the most worrying consequence of an increase in phone verification is that fraudsters will now attempt to hijack the original number.
The process isn’t easy, but the success rate is frightening. In fact, even Jack Dorsey, CEO of Twitter, fell victim to what is called SIM jacking, or a SIM swap attack. Here’s how it works:
- Fraudsters obtain a phone with a number they control
- They find their victim’s phone number
- They call the network company and convince the operator to change the victim’s number to theirs. (More organised criminals have been known to pay staff at the phone company to help.)
- All the verification SMS for 2FA and OTP are now under their control. They can begin resetting passwords for social media accounts or bank accounts.
The consequences of SIM swapping attacks cover a wide range. At the lighter end, pranksters just want to show off their hacking skills. Others use it to take hold of valuable Instagram handles.
But of course, the end goal of organised criminals is to access digital wallets or financial details, and to drain the accounts of money.
Workaround #5 – SS7 Hacking
One of the most sophisticated types of attacks we’ve detected in recent years involved SS7 hacks. These technical methods exploit a vulnerability in the SS7 signalling protocol which allows the fraudsters to receive calls and SMS for a subscriber on another phone.
As you can imagine, this opens the door to endless phishing and social engineering possibilities. Combined with advances in audio deep fakes, it should be enough for an organisation to be extra vigilant about confirming anything via phone call or SMS.
Solutions for Virtual SIM Card Detection
It should now be clear that checking a phone number isn’t enough to guarantee your users’ identity. But what about hidden metadata that can be gathered via enrichment?
This is exactly what the SEON Intelligence tool lets you verify, using a number of features:
- CNAM, or Caller Name Delivery: this technical check is requested from the telephone company. It returns the subscriber’s full name, which we compare against the caller ID. We can already begin flagging mismatched data here.
- HLR, or Home Location Register: this check lets us access more data linked to the phone subscriber, as logged in a central database. We can check the carrier name, whether the phone has been routed, and whether the phone number is virtual.
- IMSI and MSISDN lookup: the International Mobile Subscriber Identity and Mobile Station International Subscriber Directory Number are also useful identifiers to check. If two users share the same one, it points to a virtual SIM.
It’s worth noting at this stage that virtual and cloud SIM carriers do not even allow an HLR lookup, so a lookup that returns nothing is probably the strongest indicator that your tool is doing its job.
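As an added illustration (not SEON’s code or API), here is how the CNAM, HLR and IMSI signals above can be combined into a single risk score, with a refused HLR lookup weighted heaviest, as the text recommends. The record layout, field names and weights are constructed assumptions; as the post notes, the result raises suspicion for review rather than proving fraud.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PhoneEnrichment:
    """Constructed shape of the enrichment data described in the post."""
    number: str
    declared_name: str            # name the user typed at signup / KYC
    cnam_name: Optional[str]      # CNAM: subscriber name returned by the carrier
    hlr: Optional[dict]           # HLR record, or None when the lookup is refused
    imsi: Optional[str]
    imsi_owners: int = 1          # how many of our own users share this IMSI


def _norm(name: str) -> str:
    # Case and whitespace differences are not a mismatch.
    return " ".join(name.lower().split())


def score_phone(p: PhoneEnrichment) -> tuple[int, list[str]]:
    """Return (risk score 0-100, list of reason codes). Weights are assumptions."""
    score, reasons = 0, []
    if p.hlr is None:
        # Virtual / cloud SIM carriers refuse HLR lookups: strongest signal.
        score += 50
        reasons.append("hlr_lookup_refused")
    else:
        if p.hlr.get("is_virtual"):
            score += 40
            reasons.append("hlr_virtual_number")
        if p.hlr.get("routed"):
            score += 15
            reasons.append("hlr_number_routed")
    if p.cnam_name is None:
        score += 10
        reasons.append("cnam_missing")
    elif _norm(p.cnam_name) != _norm(p.declared_name):
        score += 25
        reasons.append("cnam_name_mismatch")
    if p.imsi_owners > 1:
        # One IMSI behind several of our users points to a shared virtual SIM.
        score += 30
        reasons.append("imsi_shared")
    return min(score, 100), reasons
```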
Enriching User Profiles With Social Data
The magic bullet when it comes to verifying user info based on a phone number alone is social media and messenger lookup.
And SEON is the only fraud detection solution that allows you to check 20+ social media networks and messenger apps to find info such as:
- Whether the user has registered on social media sites: in some industries, such as online lending, we found that 76% of users without a social presence would default on their loan. SEON can check 20+ social networks including LinkedIn, Twitter, Facebook and many others.
- User bio and gravatar: if you want to go in-depth with your KYC, social media lookup can give you an idea of who your customer is, and what they look like.
- Last time seen: useful for manual review, to confirm whether our user’s messenger profiles are actually in use or just dummy / abandoned accounts.
All this extra data helps build a more complete profile, based on a phone number alone.
SEON Phone Analysis for the Lending Industry
Analysing a user’s given phone number can point to whether they use a real one or not. But it’s not enough to flag them as fraudsters, only to raise suspicion. This is why phone analysis is especially useful as an extra data enrichment, combined with email and IP analysis.
This is exactly how one of our clients, a P2P lending platform, leverages SEON’s Intelligence tool for phone analysis. Performed via API, this real-time check feeds into their credit scoring and helps decide whether applicants are trustworthy borrowers or should be avoided.
For more information about how phone analysis helps them save on manual review costs, you can read the case study here.
Virtual SIM Card Detection And You
Phone numbers are increasingly used as verification methods, and extra data points for KYC or credit checks. The problem? They are also easier than ever to spoof.
The good news is that SIM swap protection and virtual SIM card detection are a fast, affordable and effective process thanks to CNAM lookup and HLR lookup tools, all available with SEON’s Intelligence phone analysis module.
Combined with other data enrichment modules from our anti-fraud suite, or integrated into our full end-to-end fraud detection platform, we’re giving you all the tools to protect your business and your users.
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.