In-depth analysis of OTP fraud (2FA/MFA/OTP)
The pressure of data breaches, phishing and account takeovers is pushing companies around the world to implement two-factor authentication (2FA) or multi-factor authentication (MFA) on their accounts, to protect themselves as well as their users from these risks.
Yet this very security measure, which can help protect your online accounts from being compromised, has opened the door to various companies and individuals around the world and created a lucrative market for those who saw in it an opportunity for easy profit.
What is 2FA?
First, we need to explain what 2FA/OTP is and how it works so you can further understand how the fraud is done.
Two-factor authentication, or 2FA, is an extra layer of security that can be added to your online accounts. With 2FA enabled, you need two pieces of information to log in: something you know (like a password) and something you have (like your phone).
The most popular MFA solution is SMS-based verification: a 4- to 6-digit code is sent to your mobile phone via text message (SMS), which you then use to log in. If the SMS does not arrive (for example because of a network error or congestion), an IVR dialer calls your phone and dictates the 4- to 6-digit code.
How is the fraud carried out?
If you are familiar with what we have already explained, now is the time to learn more about the fraud. This fraud has deep connections with telecom companies, as they are the main pawns in this activity.
There is a market in telecommunications that offers premium rate numbers (usually 0900 in the EU or 1-900 in the USA) for different activities, mostly used in the past for VAS (value-added services). In addition to these numbers there also exist international premium rate numbers, which are regular mobile/landline numbers with a high termination rate ($0.50 or above) and serve the same purpose as the local premium rate numbers, mostly for VAS. The fraud works on both sides of the OTP/2FA process (on the SMS and on the voice call as well).
SMS: There are companies and individuals that have rented International Premium Rate Numbers with the SMS capability enabled, and they get paid for every incoming SMS (every text message received on any of those international premium rate numbers). They use scripts and VPNs to TRY (important) to create hundreds of thousands, even millions, of accounts per day on different apps or platforms that have 2FA/MFA/OTP enabled, so that they receive the text message (SMS) on one of their rented International Premium Rate Numbers, which generates revenue for them.
The content provider (app or platform) is happy that the fraudster did not succeed in creating a fake account (they only tried). For them, the 2FA successfully protected against fake account creation. BUT the real intention of the fraudster was to receive the text message on their premium number so they get paid, not to actually create a fake account.
At the end of the day, everyone involved in this dirty business is happy: the content provider is happy that his 2FA layer of security protected him against fake account creation. The fraudster generated easy revenue. The Mobile Network Operator that delivered the text message (SMS) is happy because he was paid by the content provider.
IVR call: The behavior is similar to the SMS case, but instead of using International Premium Rate Numbers to receive SMS, the fraudsters use them to receive the incoming voice calls. Each transactional voice call lasts 30 seconds on average, and the mobile operators are more than happy to keep this traffic alive, as their international voice traffic is affected by the OTTs (WhatsApp, Viber, Skype etc.).
In fact, the Mobile Network Operators are the main winners from this deal because they finally make some money back from the OTTs (Over-the-top media services).
The MNOs lost a great deal of money and power because of the OTTs (roaming usage decreased, international calls decreased, international SMS decreased, and marketing decreased, because in the past marketing was done by the MNOs rather than by Google, Meta or others). There is an open war between the MNOs and the OTTs, and there is no chance that the MNOs will decrease their prices for these transactional SMS (A2P SMS) or transactional calls (A2P Voice). On the other side, the OTTs depend on the MNOs, as SMS and voice are the best tools to verify that their users are real and that they are in possession of the mobile device where the entire activity of the OTT happens.
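The pattern described above (large numbers of OTP sends to rented number ranges, over SMS or voice, that are never followed by a completed verification) can be looked for in a platform's own OTP logs. The following is an added example, not code from the original article or from Authenticalls; the event fields, thresholds, prefix length and phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class OtpEvent:
    number: str     # destination number, E.164 (constructed placeholders below)
    channel: str    # "sms" or "voice" (IVR fallback call)
    verified: bool  # True if the code sent was later submitted correctly


def suspicious_ranges(events, prefix_len=8, min_requests=20, max_conversion=0.05):
    """Flag (channel, number-prefix) ranges with many OTP sends and almost no
    completed verifications. Thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: [0, 0])  # key -> [sent, verified]
    for e in events:
        key = (e.channel, e.number[:prefix_len])
        stats[key][0] += 1
        stats[key][1] += int(e.verified)
    flagged = []
    for (channel, prefix), (sent, ok) in stats.items():
        rate = ok / sent
        if sent >= min_requests and rate <= max_conversion:
            flagged.append((channel, prefix, sent, rate))
    return sorted(flagged, key=lambda r: r[2], reverse=True)


def build_sample_events():
    """Constructed traffic: two pumped ranges and one normal-looking range."""
    events = []
    # 40 SMS sends to one sequential block, none ever verified
    events += [OtpEvent(f"+9990001200{i:02d}", "sms", False) for i in range(40)]
    # 25 voice (IVR) sends to another block, a single verification
    events += [OtpEvent(f"+9990007700{i:02d}", "voice", i == 0) for i in range(25)]
    # 30 SMS sends where most users complete the login
    events += [OtpEvent(f"+9995550100{i:02d}", "sms", i >= 3) for i in range(30)]
    return events


if __name__ == "__main__":
    for channel, prefix, sent, rate in suspicious_ranges(build_sample_events()):
        print(f"{channel:5} {prefix}*  sent={sent}  conversion={rate:.0%}")
```

A low conversion rate on a high-volume range is the signal here: the content provider sees "blocked" sign-ups, while the cost of every unverified send is still billed.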
What can be done, and how can this OTP fraud be stopped?
There is a way to stop the fraud, and this way is the Authenticalls way. Always trying to revolutionize and reinvent itself, Authenticalls has gone from managing over 3 billion phone calls a year, to telecom anti-fraud and anti-spam services, and now to combining online security with telecommunications, offering the best phone number verification services (2FA, MFA, OTP), all at the most competitive price on the market.
Authenticalls has emerged as an efficient and reliable way to securely access mobile apps and websites through its flash call two-factor authentication (2FA). As a result, companies can authenticate and verify users seamlessly and in seconds.
The team at Authenticalls has pooled its 244 years of cumulative cybersecurity and tech experience to develop a flash call authentication system that makes it more difficult for hackers to bypass 2FA. When a user tries to log into an account or service, they will receive a flash call or missed call. The login authentication code is the last four to six digits of the number displayed on the custom caller ID.
This service is not only resilient to OTP fraud, but it is also more cost-effective than text message 2FA methods. In some countries, it costs as much as $0.25 per authentication to enable 2FA. Instead, Authenticalls customers can get 1,000 free authentications, and another 4,000 cost only $1.
Flash calls are the future of 2FA. There were 60 million flash authentication calls in 2021, but experts predict the number to jump to 130 billion by 2026.
Start working with Authenticalls.
We should never put a price on security, but when security becomes expensive, something is wrong. Security should not be expensive, and protection from data breaches is priceless. With flash call OTP, you can get the security you need without breaking the bank. We offer affordable, reliable security solutions that will give you peace of mind.