Fraudsters are always looking for ways to innovate. Whether it’s to find creative new methods to steal data, impersonate customers, or implement nefarious phishing attacks, today’s consumers must always be on the lookout. It’s no surprise that over 60% of digital fraud now occurs through mobile devices because consumers are using their phones more often for high value transactions like online banking, and fraudsters are more than happy to exploit this anonymous method of interaction.
This uptick in fraud has led the FCC to enact FCC Order 23-95A. According to the FCC, this new order is meant to,
“...protect consumers against scams that aim to commandeer their cell phone accounts. The rules will help protect consumers from scammers who target data and personal information by covertly swapping SIM cards to a new device or porting phone numbers to a new carrier without ever gaining physical control of a consumer’s phone. These updated rules will help protect consumers from SIM swapping scams and port-out fraud while maintaining their well-established freedom to pick their preferred device and provider.”
This Order, while good for consumers, poses several challenges to telecommunications companies. For instance, it can be difficult for carriers to identify whether SIM swap or port out requests are coming from real customers or bad actors posing as real customers. This can be even more complex when fraudsters implement "man in the middle" attacks, aimed at tricking both consumers and call center employees into sharing sensitive information that the fraudster then uses to gain access to bank accounts or harvest other valuable customer data.
Additionally, carriers may contend with costly implementation of new systems, tools and trainings to help their employees comply with the new FCC order. Not complying with the new order opens carriers up to the risk of litigation.
While it is critical for telecommunications companies to update their policies to adhere to these new regulations, FCC Order 23-95A is not prescriptive. It’s up to each business to implement the solutions they believe will help them (and their customers) to avoid falling victim to fraudulent attacks. And although there is no "one size fits all" approach, TransUnion has developed a list of recommendations to help carriers adhere to the new order safely and without unnecessary expense or labor.
1. Use telephone signals to understand caller risk
Many carriers have customer relationship management (CRM) systems to identify calling customers and give them appropriate service. However, in about 33% of cases there will be no ANI match, meaning a CRM will not be able to identify the customer. Perhaps this is because the CRM data is incorrect or outdated, or perhaps the customer signed up with a number they no longer use. In these cases, it is helpful to link and match the ANI against an authoritative identity database to automatically turn otherwise unknown callers into known ones.
Additionally, inbound call centers can use signals from the call itself to flag attributes often linked to fraud. For example, a spoofed or virtualized call is a significant red flag because fraudsters don’t want to be identified and often use these services to remain anonymous. Calls from numbers with no associated identity data, or from numbers that have recently been ported, also suggest risk and can be routed to appropriate fraud specialists in the call center.
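The two ideas in this recommendation (resolving an ANI that the CRM cannot match against an authoritative identity database, then routing on call-level risk signals) as a worked example. This is added illustration, not TransUnion's code; the CRM and identity records are constructed sample data, and the spoof/virtualized signals and the 7-day "recently ported" window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample data standing in for the CRM and an authoritative identity database.
CRM = {"+15551234567": "cust-001"}                # ANI -> customer id
IDENTITY_DB = {                                   # ANI -> identity record
    "+15551234567": {"name": "A. Subscriber"},
    "+15557654321": {"name": "B. Subscriber"},    # known identity, absent from the CRM
}
RECENT_PORT_DAYS = 7                              # assumption: ports this recent are a risk signal

@dataclass
class InboundCall:
    ani: str
    spoofed: bool = False          # assumed signal from upstream call analytics
    virtualized: bool = False      # assumed signal: the call comes from a virtual/VoIP line
    ported_on: Optional[date] = None
    today: date = field(default_factory=date.today)

def assess_call(call: InboundCall) -> dict:
    """Resolve the caller and decide where in the call center to route them."""
    customer = CRM.get(call.ani)
    identity = IDENTITY_DB.get(call.ani)
    if customer:
        resolved_via = "crm"
    elif identity:
        resolved_via = "identity_db"   # an otherwise unknown caller turned into a known one
    else:
        resolved_via = None
    flags = []
    if call.spoofed:
        flags.append("spoofed")
    if call.virtualized:
        flags.append("virtualized")
    if identity is None:
        flags.append("no_identity_data")
    if call.ported_on and (call.today - call.ported_on).days <= RECENT_PORT_DAYS:
        flags.append("recently_ported")
    # Any risk flag sends the call to a fraud specialist instead of the standard queue.
    route = "fraud_specialist" if flags else "standard_service"
    return {"customer": customer, "resolved_via": resolved_via, "flags": flags, "route": route}
```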
2. Add friction at the right time
If a red flag suggests potentially abnormal activity, like a customer trying to log in on a device that they don’t normally use, it means a deeper risk assessment may be needed to ensure nothing nefarious is taking place. This could take the form of knowledge-based verification questions, document verification, or OTPs (one-time passcodes).
3. Identify if an OTP is at risk of interception
One-time passcodes are easy tools to use because they’re nonrepeatable; consumers don’t have to remember an OTP like they do a password. But what if the OTP is at risk of interception? If there’s an active call session with the target subscriber, this suggests a possible man in the middle attack and the carrier should take additional precautions before sending a one-time passcode.
4. Block suspicious SIM swaps and port outs
Analytics can help you understand the history of each device and quickly determine how risky each transaction request might be. Does the device already have a track record of SIM swap and port out requests? What about adjacent devices in the same family or on the same corporate account? There are different network level details and data sets that can help carriers determine whether a SIM swap or port out request should be treated as suspicious.
5. Track failed authentication attempts across all carrier touchpoints and channels
Carriers too often have siloed data. One department may be responsible for online interactions while another is responsible for call centers. Some work on new subscribers while others manage existing customers. This lack of consolidated identity creates a vulnerability that allows fraudsters to jump across channels and exploit weaknesses. Failed login? No problem for fraudsters, who can socially engineer a call center agent to get the necessary personal information or one-time passcode. Carriers need to share data and work with a partner that can help consolidate identity activity across channels and devices.
6. Empower your subscribers
Sometimes your customers just need a helping hand to keep fraudsters at bay. When SIM swap and port out requests are received, notify your subscribers so they can take action if it’s actually unauthorized. Don’t only contact via SMS or call—fraudsters may already anticipate that. Also consider other channels, like email or social, to ensure the subscriber is notified in a timely fashion. Offer subscribers the ability to easily freeze their account, stopping all swap and port outs until the customer unlocks the account again.
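Recommendations 3 through 6 (and the decision counters of recommendation 8) combined into one request-handling policy as a worked example. This is added illustration, not TransUnion's code; the 90-day swap-history window, the 24-hour failed-authentication window and both thresholds are assumptions, as is the list of contact channels.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the article.
SWAP_HISTORY_WINDOW = timedelta(days=90)
SWAP_HISTORY_LIMIT = 1            # more than one prior swap/port in the window is suspicious
FAILED_AUTH_WINDOW = timedelta(hours=24)
FAILED_AUTH_LIMIT = 3
METRICS = Counter()               # decision counts for the internal reporting suite (rec. 8)

@dataclass
class SubscriberState:
    frozen: bool = False                  # subscriber-set lock on swaps and port-outs (rec. 6)
    active_call_session: bool = False     # a live call with this line is in progress (rec. 3)
    change_history: list = field(default_factory=list)  # datetimes of prior swap/port requests (rec. 4)
    failed_auth: list = field(default_factory=list)     # (datetime, channel) from every touchpoint (rec. 5)
    contact_channels: tuple = ("sms", "email")          # notify on more than SMS alone (rec. 6)

def record_failed_auth(state: SubscriberState, when: datetime, channel: str) -> None:
    """Web, app, IVR and call-center failures all land in one consolidated list, not in silos."""
    state.failed_auth.append((when, channel))

def evaluate_change_request(state: SubscriberState, now: datetime) -> dict:
    """Decide how to handle a SIM swap or port-out request for this subscriber."""
    reasons = []
    if state.frozen:
        decision = "deny"
        reasons.append("account_frozen")
    else:
        recent_changes = [t for t in state.change_history if now - t <= SWAP_HISTORY_WINDOW]
        if len(recent_changes) > SWAP_HISTORY_LIMIT:
            reasons.append("repeat_swap_history")
        recent_failures = [c for t, c in state.failed_auth if now - t <= FAILED_AUTH_WINDOW]
        if len(recent_failures) >= FAILED_AUTH_LIMIT:
            reasons.append("failed_auth_across_channels:" + ",".join(sorted(set(recent_failures))))
        if reasons:
            decision = "hold_for_fraud_review"      # block until a fraud specialist clears it
        elif state.active_call_session:
            decision = "defer_otp"                  # possible man in the middle; use another factor first
            reasons.append("active_call_session")
        else:
            decision = "send_otp"
    METRICS[decision] += 1
    # The subscriber is notified on every configured channel whatever the outcome.
    return {"decision": decision, "reasons": reasons, "notify": list(state.contact_channels)}
```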
7. Screen internal fraud vectors through comprehensive background checks
Fraudsters are not just using call centers and digital channels to take over mobile phones; they’re also often working with insiders, paying them for each SIM swap. This could be a call center employee or an onsite employee, both of which would have access to customer account details. It’s critical to hire employees that you can trust to uphold your security standards.
8. Build out your internal reporting suite
While the FCC order is not prescriptive in mandating specific actions, the more historical data that carriers are able to capture and share, the better. Make it easy for the FCC to understand the actions that you have taken to adhere to the new order. Quantifying key metrics, like the total number of successful and failed requests, along with suspicious and fraudulent requests, will provide the FCC with a historical view and help carriers show the impact of their good-faith implementations to mitigate SIM swap and port out fraud. Tracking the number of complaints received can also help show an improvement over time, providing evidence of your company’s efforts to the FCC.
The common thread across these recommendations is identity. The more identity data you have on your customers, the easier it will be to mitigate SIM swap and port out fraud. Given the requirements that regulators place on carriers, working with a partner with expertise in both consumer identity and telecom can help ensure you maintain trusted relationships with your customers while minimizing your fraud exposure. To learn more about how carriers can comply with the new FCC order, watch TransUnion’s latest webinar, “Finding and Fixing the Fraud: Navigating the new FCC Order 23-95A.”