Time for telecoms firms to take on the account takeovers
With identity theft on the rise across the telecommunications sector, Roberto Valerio, CEO of anti-fraud specialist, RISK IDENT, explains how companies can tackle the issue before customers are hurt.
These days, it’s not just banks, insurers and financial institutions that are concerned about identity theft. In the last five or so years, the issue has spread to a wide range of sectors with the telecommunications industry now heavily targeted.
Researchers are warning that the threat is now reaching ‘epidemic levels’; in 2016, 1.4 billion data records were exposed in nearly 1,800 security breaches worldwide. Meanwhile, last September, the U.S. credit bureau Equifax suffered a breach of its network security system, compromising the personal data of 143 million consumers across the globe. The UK company TalkTalk was fined £400,000 in October 2016 for a cyber attack the previous year that saw the personal details of more than 150,000 customers stolen by hackers.
The data breaches themselves are not the sole problem – what should be keeping telecoms bosses up at night is what criminals do with the information once they’ve stolen it. Once identity data has been stolen, fraudsters create new accounts online – or worse – use the personal information to hijack existing accounts. In doing so, they wear the mask of the legitimate user and hide behind their good name to purchase things fraudulently, with ramifications for the victim and company the account data has been stolen from.
The mobile telecoms industry is especially vulnerable to this identity theft threat. Fraudsters are particularly attracted to Europe’s distinctive mobile phone contract model – where customers receive a high-value handset up-front and pay for it monthly. This model provides many lucrative opportunities for crime to occur and subsequent crimes have risen significantly over recent years.
For instance, Cifas reported a 60% year-on-year uplift in mobile telecoms identity fraud in 2017. If firms hesitate to respond, they could cause undue suffering for customers, and stand to lose significant amounts of revenue. Inaction can also lead to financial penalties, such as fines, and irreversible reputational damage.
Spotting the security gaps
With all of this in mind, how can mobile telecoms companies ensure safeguards are in place for their customers and for themselves? First and foremost, they need to understand how criminals carry out contract fraud using stolen identities.
One of the most widespread method entails the use of a victim’s account details to apply for a mobile contract before selling on the costly handset, and leaving the genuine account holder to make the monthly repayments.
Another common approach is to target contract extensions. Many telecom providers seek to avoid the complex re-sign process, minimising friction with customers. While this improves the customer experience, it does present an attractive target to nimble fraudsters – many criminals use stolen data to hijack contract renewals by changing victims’ details to divert the delivery of the handset to an address they control.
Such crimes are simple to carry out and offer a substantial financial pay-off for fraudsters while posing a significant risk to companies and consumers. As such, it is all the more important for telecoms firms to take steps to optimise data security.
Tackling the problem
First and foremost, telecoms firms must identify solutions not only to tighten data security around their data storage, but to close the gaps presented by the mobile phone contract process. This means spotting the areas where consumers are at greatest risk of identity theft.
We’ve been committed to tackling the problem for many years now, and throughout our work, we’ve found that account takeovers account for slightly more than 19 percent of conﬁrmed fraud cases.
In addition, we have identified a number of behavioural changes that may indicate that an account has been taken over. For example, recent account changes can suggest that the account has been compromised – RISK IDENT’s research shows that, in nearly every instance of account takeover, either the password, email address or physical address had been changed in the previous 10 days.
In cases of account takeover, RISK IDENT has determined that the average order value is four times higher than that of typical orders – this is necessary for criminals to justify the effort to steal their victims’ identities. In cases of fraudulent contract requests, the phone handset ordered may be much more expensive than the genuine account holder’s previous model.
Finally, the age of an account holder can have a bearing on their vulnerability to data theft. Older customers are at particular risk of account takeover fraud, as they may have less technical expertise, which could leave them susceptible to fraud.
Taking such factors into account, telecoms firms can accurately evaluate whether or not they have a problem with ATO. Armed with this information, they can take action to safeguard their customers and prevent fraud from occurring in the first place.
Working with partners
Even with the best security systems in place, telecoms companies can be at risk of account takeovers – this is because their partners and other businesses can present weak spots that can be targeted by criminals.
During the 2017 Equifax breach, for instance, telecoms businesses were among the victims hardest hit, with a rash of mobile phone contracts being taken out by crooks using credentials from one of the 140 million records stolen from the company.
With this in mind, telecoms firms need to work with partners and other businesses throughout the supply chain to promote improved data security and other measures to predict cases of account takeover.
Time to up the stakes
It is not possible to “win” against fraud. Fraudsters are constantly finding new ways to commit crimes, making it vital for companies to do all they can to keep ahead of the game.
By incorporating solutions that can predict account takeover vulnerability, telecoms companies can ensure they are one step ahead of the fraudsters, ensuring they have the information they need to protect themselves from the growing fraud risk. As a result, firms can be confident their customers are protected against present and future threats.
See the whole article published by TMT News (Technology. Media. Telecoms.)