Scams – Have we created our own Catch-22?

By Amir Nooriala, Chief Commercial Officer at Callsign

Anyone who grew up with the internet as a regular feature in their lives has long had the fear of clicking on the wrong link or visiting the wrong website. One bad move online can not only compromise your devices’ security, but your entire identity.

This fear has always been mitigated by the assurance that, if we, the consumer, do our part and follow the security instructions of the business we’re trying to engage, we’d be safe. However, that’s no longer as straightforward as it should be.

That’s because the means of authenticating identity that businesses regularly use have long been compromised by scammers. The vulnerabilities of passwords are well known, but in the last couple of years we’ve seen a meteoric rise in fraud attacks through another authentication method – the SMS OTP (one-time-password). Whether it’s through SIM-swap attacks or the prevalence globally of SMS scam messages in which fraudsters socially engineer us into transferring away our life savings, SMS OTPs, which were once the main channel of security and communication between brands and their customers, have now become the number one channel for fraudsters. The more businesses depend on these methods to further bolster security, the more vulnerabilities they create for scammers to exploit. And often times, consumers aren’t given the choice of channel through which to authenticate themselves when interacting with these businesses. Being asked to authenticate by a business through the same channel that a fraudster is attempting to scam is ludicrous.

Businesses and consumers now find themselves in a catch-22 – and the only way out of this cycle is for organisations to completely revolutionise their strategies for customer security to match the realities of the modern world.

The limitations of analogue 

The reason that our current authentication methods are vulnerable is because we have taken what are essentially analogue processes and digitised them – leaving them open to exploitation in the new online world.

For instance, the password is a 60-year-old innovation, regularly bought and sold on the dark web for a few dollars. And while OTPs seem like a digital translation of the password, it’s merely the digitised version of a physical tool, which when used digitally is open to significantly more attack vectors from malware to SIM swap attacks and phishing.

With individuals more reliant on digital channels than ever before due to the Covid-19 pandemic, it’s no surprise that this has led to a boom in these kinds of online scams. Customers today live in constant doubt as to whether a text message they’ve received is from a legitimate company or a criminal mimicking that business. Our own research revealed that consumers receive up to three scam texts a day, and over a quarter say they get more messages from scammers than their friends and family.

These ploys are getting increasingly harder to spot, with some scammers even coaching victims around warning messages and security measures. But we shouldn’t be allowing customers to get to this stage, we can prevent this by re-thinking some of the channels we’re using to authenticate.

The limitations of passwords, pins and OTPs to authenticate organisations’ customer base, have been laid bare by the pandemic.

It’s time for businesses to begin exploring new options and look towards solutions designed and built to tackle today’s digital challenges.

Businesses need the right technology

The post-pandemic world we’re emerging into is much more virtualised than when we went in. That means the kind of scams mentioned above will only become more frequent and more sophisticated – unless we break the cycle and stop relying on analogue methods of authentication.

We need to move away from a reliance on outmoded technologies such as SMS OTPs – that are now as ubiquitous with fraudsters day-to-day activities as they are as an authentication method. Looking towards more digital solutions, which are not only designed to protect digital identities, but are designed as digital first meaning they fit seamlessly into customer journeys.

A robust way to confirm digital identities is to layer contextual data and behavioural biometrics on top of passwords, devices, or location data. This helps businesses create a strong means of confirming a person’s identity (as opposed to a password which doesn’t actually prove a person is who they say they are).

Solutions that work to positively identify the customer whilst simultaneously identify bots and malware can work passively in the background, helping organisations to offer true personalisation. Most importantly, this empowers businesses to start investing in ways to develop digital trust with customers. By digitally transforming (instead of simply digitising), they can evolve their security challenges into new opportunities – ones that are more contextual to users and add value to their journeys.

The most successful online businesses will be those that earn digital trust with their customers. To do this, organisations must give customers the confidence that when they interact with their business online, that they are safe.

Businesses need to stop using the same channels to authenticate users that fraudsters are using to scams us. We must break the Catch- 22. We need to move away from SMS OTPs.

By Amir Nooriala, Chief Commercial Officer at Callsign

Anyone who grew up with the internet as a regular feature in their lives has long had the fear of clicking on the wrong link or visiting the wrong website. One bad move online can not only compromise your devices’ security, but your entire identity.

This fear has always been mitigated by the assurance that, if we, the consumer, do our part and follow the security instructions of the business we’re trying to engage, we’d be safe. However, that’s no longer as straightforward as it should be.

That’s because the means of authenticating identity that businesses regularly use have long been compromised by scammers. The vulnerabilities of passwords are well known, but in the last couple of years we’ve seen a meteoric rise in fraud attacks through another authentication method – the SMS OTP (one-time-password). Whether it’s through SIM-swap attacks or the prevalence globally of SMS scam messages in which fraudsters socially engineer us into transferring away our life savings, SMS OTPs, which were once the main channel of security and communication between brands and their customers, have now become the number one channel for fraudsters. The more businesses depend on these methods to further bolster security, the more vulnerabilities they create for scammers to exploit. And often times, consumers aren’t given the choice of channel through which to authenticate themselves when interacting with these businesses. Being asked to authenticate by a business through the same channel that a fraudster is attempting to scam is ludicrous.

Businesses and consumers now find themselves in a catch-22 – and the only way out of this cycle is for organisations to completely revolutionise their strategies for customer security to match the realities of the modern world.

The limitations of analogue 

The reason that our current authentication methods are vulnerable is because we have taken what are essentially analogue processes and digitised them – leaving them open to exploitation in the new online world.

For instance, the password is a 60-year-old innovation, regularly bought and sold on the dark web for a few dollars. And while OTPs seem like a digital translation of the password, it’s merely the digitised version of a physical tool, which when used digitally is open to significantly more attack vectors from malware to SIM swap attacks and phishing.

With individuals more reliant on digital channels than ever before due to the Covid-19 pandemic, it’s no surprise that this has led to a boom in these kinds of online scams. Customers today live in constant doubt as to whether a text message they’ve received is from a legitimate company or a criminal mimicking that business. Our own research revealed that consumers receive up to three scam texts a day, and over a quarter say they get more messages from scammers than their friends and family.

These ploys are getting increasingly harder to spot, with some scammers even coaching victims around warning messages and security measures. But we shouldn’t be allowing customers to get to this stage, we can prevent this by re-thinking some of the channels we’re using to authenticate.

The limitations of passwords, pins and OTPs to authenticate organisations’ customer base, have been laid bare by the pandemic.

It’s time for businesses to begin exploring new options and look towards solutions designed and built to tackle today’s digital challenges.

Businesses need the right technology

The post-pandemic world we’re emerging into is much more virtualised than when we went in. That means the kind of scams mentioned above will only become more frequent and more sophisticated – unless we break the cycle and stop relying on analogue methods of authentication.

We need to move away from a reliance on outmoded technologies such as SMS OTPs – that are now as ubiquitous with fraudsters day-to-day activities as they are as an authentication method. Looking towards more digital solutions, which are not only designed to protect digital identities, but are designed as digital first meaning they fit seamlessly into customer journeys.

A robust way to confirm digital identities is to layer contextual data and behavioural biometrics on top of passwords, devices, or location data. This helps businesses create a strong means of confirming a person’s identity (as opposed to a password which doesn’t actually prove a person is who they say they are).

Solutions that work to positively identify the customer whilst simultaneously identify bots and malware can work passively in the background, helping organisations to offer true personalisation. Most importantly, this empowers businesses to start investing in ways to develop digital trust with customers. By digitally transforming (instead of simply digitising), they can evolve their security challenges into new opportunities – ones that are more contextual to users and add value to their journeys.

The most successful online businesses will be those that earn digital trust with their customers. To do this, organisations must give customers the confidence that when they interact with their business online, that they are safe.

Businesses need to stop using the same channels to authenticate users that fraudsters are using to scams us. We must break the Catch- 22. We need to move away from SMS OTPs.