May 11, 2020

Adam Lee, Chief Product Officer at Boku, reviews efforts to combat account takeover threats that target One-Time Passcodes (OTPs) delivered via SMS, and suggests a better way to fight one of the fastest-growing forms of fraud.

Account takeover (ATO) is a major issue for any business looking to protect customer data in the digital environment – and these days, that means pretty much everyone. ATO occurs when criminals harvest consumers’ stolen log-in credentials for use in fraudulent transactions. Growing fastest in the mobile internet environment, ATO is estimated to have risen by 80 percent in 2019 alone.

Fraud is migrating online in lock-step with our use of digital devices to access and pay for services. Worldwide, FIS Global predicts that m-commerce will grow at 19 percent on average to reach US$2.29tn by 2022. By contrast, physical sales are set to grow at less than 5 percent a year over this period. The takeaway is that as business moves online, fraud follows – with account takeover leading the way.

Some sectors have tried to improve fraud detection through the use of Artificial Intelligence and Machine Learning techniques, although these remain in their infancy. As a result, a lot of companies now rely on multi-factor authentication techniques like One-Time Passcodes (OTPs) transmitted over SMS in the fight against account takeover.

However, there are growing concerns about the vulnerability of SMS OTP. The proliferation of SMS OTP as a confirmatory factor risks creating a false sense of security in consumers, as OTPs are increasingly vulnerable to compromise. Our experience at Boku suggests that over 70 percent of SMS OTP compromises are linked to the theft of OTPs, usually through social engineering. App-based alternatives, such as in-app push notifications, are notoriously difficult to persuade consumers to adopt.

Another problem is that consumers don’t like using SMS OTPs, believing they create unwanted friction. A mid-2019 study from GoCardless based on 4,000 interviews with European consumers found that 44 percent of UK online shoppers abandoned an order because of complex security processes. Nearly half (45 percent) of UK digital consumers also said they would be frustrated with new security processes during online checkout.

The most promising alternative to OTPs is phone number verification (PNV), a next-generation service developed by mobile network operators (MNOs) that validates a user’s mobile number and SIM card through real-time queries over the mobile network. PNV does not utilize an OTP, thereby eliminating the risk of passcode theft and improving the customer experience. Boku’s Authenticate solution provides merchants with a single connection to access PNV across a global network of MNOs. As our white paper makes clear, Authenticate is the best choice for businesses looking to grow sales online, protect their brands and customer relationships, and secure confidential data.