The rising risk of OTP hijacking & SIM swap attacks and how behavioral biometrics helps thwart these attacks

January 18, 2022

As we head into 2022, organizations must enhance their digital fraud & authentication strategy, especially around the use of OTP (one-time passcodes).  Historically, OTP has been an effective tool to authenticate users based on “something you have” within an MFA (multi-factor authentication) strategy, which also includes “something you know” and “something you are”.  However, fraudsters are continuing to become more sophisticated and clever in defeating these controls, including compromising victim credentials (something you know), hijacking OTP’s (something you have), and biometric replay attacks (something you are).  This blog will be focused on how fraudsters are defeating OTP’s and how BehavioSec, with its deep behavioral biometrics technology, is helping organizations effectively mitigate this threat.

Today, OTP is mostly delivered via SMS or through mobile apps.  Some organizations still deliver OTP via email or landline, but it is not widely adopted because these mechanisms are much easier for fraudsters to intercept and are inconvenient for customers.  Regardless, fraudsters are becoming more successful in defeating device-based OTP through social engineering and SIM swapping attacks.  In a recent article published by KrebsonSecurity, it is noted that fraudsters “trick or bribe an employee at a mobile phone store into transferring control of a target’s phone number to a device they control.  From there, the attackers can reset the password for almost any online account tied to that mobile number, because most online services still allow people to reset their passwords simply by clicking a link sent via SMS to the phone number on file.  Scammers commit number port-out fraud by posing as the target and requesting that their number be transferred to a different mobile provider (and to a device the attacker controls).”  Fraudsters are also automating and scaling their OTP attacks, as noted in this Vice article “The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks.”

The good news is BehavioSec, with its deep behavioral biometrics technology, can prevent fraudsters from taking over accounts, regardless if an OTP is passed. BehavioSec analyzes a user’s behavior, passively and continuously, from login to logout to identify if the user is genuine or a fraudster. BehavioSec analyzes a user’s desktop or mobile device behavior such as keyboard, mouse, swipe, and pressure characteristics to verify if the current session matches the user’s behavioral profile for that account. In the fraud scenarios mentioned earlier in this blog, BehavioSec effectively detects fraudulent login attempts or transactions, regardless of whether OTP is passed, by analyzing the user’s behavior throughout the session. When fraud is suspected, BehavioSec alerts fraud teams in real-time of this risk so that organizations can make informed decisions on how to mitigate, such as automatically declining the transaction or alerting a fraud operations team to reach out to the customer (victim) to remediate and secure the account. Further, in instances where BehavioSec identifies that the user is genuine, organizations use this information in real-time to reduce the need for users to verify OTPs, resulting in a better customer experience, reduced costs associated with OTP tools, escalations into the call center, abandoned transactions, and more.

These results are evidenced through success stories with our customers. In particular, a large global bank deployed BehavioSec in 2017 because the bank was challenged with rising sophisticated digital fraud attacks, including ATO’s resulting from compromised OTP’s, as well as increased friction for their customers. After 3 years of deploying BehavioSec, the bank reduced their ATO fraud attacks by over 90%, resulting in ~$7.2MM in fraud savings. Further, by layering in BehavioSec into their existing risk decisioning engine and authentication processes, the bank reduced their false positives reviewed by their fraud operations team by 91% and multi-factor step-ups (OTP’s) by 88%.

If you are interested in reducing your organization’s digital fraud risk while delivering a better customer experience, then let us know because we can help!