One-time passwords are considered the gold standard for account takeover fraud prevention, but don't confuse a gold standard with a silver bullet. What can you do if you are seeing unauthorized activity claims from customers who successfully entered a one-time password?
Some background on OTPs
One of the main defenses fintechs and financial institutions have against online account takeover attacks (ATO) is multi-factor authentication (MFA), and its most common application, the one-time password (OTP). OTPs are codes triggered as part of the login process and delivered to your customer through a separate communication channel they have previously set up (SMS, email, push notification, or authenticator app). Your customer is then asked to enter the code as part of their online login or session. Entering it correctly confirms that they have access to one of those alternative communication channels; by proxy, it suggests they are the same person who set up that channel, and therefore that they are likely your legitimate customer.
Having OTP capability in place should go a long way toward reducing unauthorized access to your customers' accounts and keeping your fraud losses under control. It is a very strong tool to have in your arsenal, and a highly recommended one. This capability is usually paired with a trust infrastructure, which is used both to collect trusted alternative communication channels and to evaluate user logins and sessions to decide when an OTP should be required. Pairing good OTP capabilities with a smartly designed trust infrastructure is currently the industry's best practice for keeping your customers' accounts safe from unauthorized access.
When OTPs stop working
OTPs are far from silver bullets. Bad actors have found a variety of ways to compromise them. Over the past decade, as OTPs became standard practice, the tools and methods bad actors have at their disposal to bypass this defense have grown and scaled. OTP-busting bots and scam guides are now common and easily available to the aspiring criminal.
If you are seeing a spike in ATO complaints despite the user providing an OTP during the reported unauthorized session, it could be that you have a gap that needs addressing. In the vast majority of such attacks, the bad actor obtains the OTP directly from your customer by scamming them into thinking they are giving it to you. Other attacks require much more effort or sophistication. This suggests the gap is mainly in your additional defenses around the OTP, which are failing to identify abnormally high-risk events that outweigh the strong positive signal of a correctly entered OTP.
However, there are a few additional signals worth looking into to ensure the gap isn't found elsewhere in your system.
Things you can look into
True MFA success
You should double-check that the OTP was actually entered, and that this isn't a gap with your MFA / OTP service provider or a bug in your product that allows sophisticated users to bypass the requirement altogether while still giving your system the signal that an OTP was provided.
It is sometimes easier for bad actors to change the MFA phone number first, due to gaps in the defenses around contact-detail changes. You should be able to check in your system whether these customers had recent phone number changes.
Specific telecom provider
A few of the more sophisticated attacks tend to target specific phone providers. You can check in your system, or with your MFA provider, which carrier the MFA SMS was sent to. If you are seeing complaints concentrated on a single provider, there's a much better chance that's where the gap is (especially if it's a smaller, less common provider).
It's never fun to consider, but depending on the transaction activity and customer tenure prior to the complaint, you can gauge how likely it is that the claims are false. This can be due to an issue with your claim reporting system, forcing users to report an event as unauthorized when their actual issue is different but is not available as a reporting option. This can be investigated by getting additional information from the customers about their complaints. False claims, however, can also mean your organization is being targeted by a genuine first-party fraud trend. First-party fraud is much more common among newer customers or ones with a very low level of engagement with your product. Since newer users are also far less likely to be victims of ATO, if you see the complaints skewing toward newer users, you should investigate the possibility of first-party fraud.
Keep in mind that there are very few things you can do that alienate a good customer more than treating them as a suspected criminal when they are in fact a victim. If you are investigating first-party fraud associated with false claims, you should do so very carefully and thoughtfully.
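The checks above (OTP actually verified, recent MFA phone change, carrier concentration, tenure skew) can be run as one triage pass over your complaint data. This is an added example, not code from the original post; the record fields, the field names and the sample complaints are constructed assumptions, and you would join your own session log, OTP provider verification log and profile-change history to produce records of this shape.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one record per ATO complaint, joined from the session
# log, the OTP provider's verification log and the profile-change history.
# Field names are assumptions for this example, not a real schema.
COMPLAINTS = [
    {"id": "c1", "session_otp_ok": True, "provider_verified": True, "carrier": "CarrierA",
     "session_at": "2024-03-01T10:00", "phone_changed_at": None, "tenure_days": 900},
    {"id": "c2", "session_otp_ok": True, "provider_verified": False, "carrier": "CarrierB",
     "session_at": "2024-03-02T11:30", "phone_changed_at": None, "tenure_days": 400},
    {"id": "c3", "session_otp_ok": True, "provider_verified": True, "carrier": "CarrierB",
     "session_at": "2024-03-03T09:15", "phone_changed_at": "2024-03-01T20:00", "tenure_days": 30},
    {"id": "c4", "session_otp_ok": True, "provider_verified": True, "carrier": "CarrierB",
     "session_at": "2024-03-04T08:00", "phone_changed_at": "2023-12-01T08:00", "tenure_days": 20},
]

def _ts(s):
    return datetime.fromisoformat(s) if s else None

def otp_flag_mismatches(records):
    """Sessions your app marked as OTP-passed but the OTP provider never verified."""
    return [r["id"] for r in records
            if r["session_otp_ok"] and not r["provider_verified"]]

def recent_phone_changes(records, window_days=7):
    """Complaints where the MFA phone number was changed shortly before the session."""
    hits = []
    for r in records:
        changed = _ts(r["phone_changed_at"])
        if changed and timedelta(0) <= _ts(r["session_at"]) - changed <= timedelta(days=window_days):
            hits.append(r["id"])
    return hits

def carrier_concentration(records):
    """Most common SMS carrier among complaints and its share of the total."""
    carrier, n = Counter(r["carrier"] for r in records).most_common(1)[0]
    return carrier, n / len(records)

def new_customer_share(records, new_days=90):
    """Share of complaints from short-tenure customers (a first-party fraud signal)."""
    return sum(r["tenure_days"] <= new_days for r in records) / len(records)

def triage(records):
    carrier, share = carrier_concentration(records)
    return {"otp_mismatch": otp_flag_mismatches(records),
            "recent_phone_change": recent_phone_changes(records),
            "top_carrier": carrier, "top_carrier_share": share,
            "new_customer_share": new_customer_share(records)}
```

On the sample data, `triage(COMPLAINTS)` flags c2 as an OTP bypass candidate, c3 as a recent phone change, CarrierB at 75% of complaints, and half the complainants as new customers.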
Want to get additional advice from us? See how we might be able to help you? Just chat about what you are going through? Contact us.
We’d love to chat. We’d love to be of help.