T-Mobile Breach - Expect Increased Mobile Fraud
Breached data fuels increased SIM Swap fraud, social engineering attacks and fake account creation.
In 2021 there have already been several high-profile cyberattacks, including the attacks on JBS and Colonial Pipeline and, most recently this week, the T-Mobile breach. In each case the source of the breach is different, and companies will be looking to shore up enterprise security to ensure similar breaches do not happen within their own organizations. Of equal importance for companies is understanding the expected impact of these breaches and the methods available to mitigate the exposure.
What is different about this week’s revelation of a data breach at T-Mobile?
In addition to exposing the SSNs and phone numbers of 50 million customers, the T-Mobile breach also gave the fraudsters specific mobile phone identifiers (IMEI numbers). With the increasing use of mobile apps for banking and commerce, this breached data creates increased vulnerabilities for companies offering fintech and m-commerce services.
What is the expected impact on mobile fraud?
The downstream impact of a breach such as T-Mobile on companies offering mobile services is three-fold:
1. Increase in SIM Swap Fraud
The additional piece of data, the mobile phone identifier, makes it easier for fraudsters to execute SIM swaps that transfer a victim’s phone number to a device the fraudster controls. SIM swaps enable fraudsters to circumvent the most commonly used authentication techniques, such as one-time passcodes (OTPs), that depend on the victim’s phone number.
With OTP over SMS being the most prevalent method of authentication used by mobile apps, this week’s breach will inevitably lead to a greater risk of account takeovers (ATOs). In a recent study by Incognia, it was revealed that approximately 80% of the fintech mobile apps reviewed still use SMS as the main channel for multi-factor authentication.
2. Increase in Fake Account Creation
With the data exposed in the T-Mobile breach, fraudsters will have sufficient information to create fake accounts for mobile banking for the purposes of stealing funds.
3. Increase in Social Engineering
Breached data such as SSNs and phone numbers are the fuel for social engineering attacks such as smishing or vishing, whereby fraudsters, often posing as customer support representatives, use a few key pieces of stolen data to gain credibility with the victim and then obtain additional information that enables access to the victim’s accounts, such as passwords and access codes.
Tips for Mitigating Increased Fraud Risks
1. Deprecate use of OTP over SMS for Mobile Authentication
OTP over SMS has already been identified by NIST as a restricted authentication method that should be avoided because of its vulnerability to SIM swap fraud. Despite this, many companies still use OTP over SMS since it offers comparatively less friction than other authentication methods.
Today there are new alternatives, such as Incognia’s zero-factor authentication, that provide increased security with lower friction and should be explored.
For a review of the security and friction rankings for authentication methods, read more here.
2. Use Behavioral Analytics to Detect Anomalies in User Behavior
Even with stolen credentials, fraudsters can be effectively stopped by detecting anomalies in user behavior. At Incognia we use the motion and location sensors on the mobile device to create a location behavioral pattern, like a location fingerprint, consisting of trusted locations unique to each user. While fraudsters may have access to a user’s stolen credentials, it is virtually impossible to mimic a user’s location behavior, making it one of the strongest trust signals on mobile.
3. Verify Physical Address Against User Behavior
Matching a user’s location behavior with their stated home address is another important technique for mitigating risk. For instance, if a user has never visited their stated home address or any location in its vicinity, that should be flagged as high risk. This is a good option for preventing new account fraud, given that users are required to provide their home address when opening a bank account.
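The two techniques above (a location fingerprint of trusted places, and a check of the stated home address against that fingerprint) can be illustrated with a small worked example. The code below is an added illustration written for this article, not Incognia's product code or algorithm: it clusters a device's constructed location history into trusted locations with a simple greedy radius clustering (a stand-in for whatever production method is used), scores a new login by its distance to the nearest trusted location, and checks whether a stated home address lies within the vicinity of any trusted location. All coordinates, radii and visit thresholds are constructed sample values chosen for the example.

```python
import math

# Haversine great-circle distance in kilometres between two WGS84 points.
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Distance in km between (lat1, lon1) and (lat2, lon2)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def build_trusted_locations(history, radius_km=0.5, min_visits=3):
    """Greedy radius clustering of a (lat, lon) history into trusted locations.

    Each fix joins the first existing cluster within radius_km (updating its
    running-mean centre); otherwise it starts a new cluster. Only clusters
    with at least min_visits fixes count as trusted, so a one-off visit does
    not become a trusted place. This is a simplified stand-in for a real
    behavioural model (an assumption of the example, not Incognia's method).
    """
    clusters = []  # each: {"lat", "lon", "count"}
    for lat, lon in history:
        for c in clusters:
            if haversine_km(lat, lon, c["lat"], c["lon"]) <= radius_km:
                n = c["count"]
                c["lat"] = (c["lat"] * n + lat) / (n + 1)
                c["lon"] = (c["lon"] * n + lon) / (n + 1)
                c["count"] = n + 1
                break
        else:
            clusters.append({"lat": lat, "lon": lon, "count": 1})
    return [c for c in clusters if c["count"] >= min_visits]


def assess_login(trusted, lat, lon, radius_km=0.5):
    """Return ("trusted"|"anomalous", distance_km to nearest trusted location).

    With no trusted locations yet (new device, empty history) every login is
    anomalous and the distance is None: the fingerprint cannot vouch for it.
    """
    if not trusted:
        return "anomalous", None
    nearest = min(haversine_km(lat, lon, c["lat"], c["lon"]) for c in trusted)
    return ("trusted" if nearest <= radius_km else "anomalous"), nearest


def address_matches_behavior(trusted, home_lat, home_lon, vicinity_km=1.0):
    """True if the stated home address is near any trusted location."""
    return any(
        haversine_km(home_lat, home_lon, c["lat"], c["lon"]) <= vicinity_km
        for c in trusted
    )


# Constructed sample history for one device: repeated fixes around a "home"
# and an "office" in lower/midtown Manhattan, plus one single visit elsewhere.
SAMPLE_HISTORY = [
    (40.7128, -74.0060), (40.7130, -74.0062), (40.7126, -74.0059), (40.7129, -74.0061),
    (40.7484, -73.9857), (40.7486, -73.9855), (40.7483, -73.9859),
    (40.7580, -73.9855),  # one-off visit, should not become trusted
]


def demo():
    """Run the fingerprint, a login check and two address checks; return results."""
    trusted = build_trusted_locations(SAMPLE_HISTORY)
    near_home = assess_login(trusted, 40.7131, -74.0063)       # expected: trusted
    far_away = assess_login(trusted, 34.0522, -118.2437)       # expected: anomalous
    stated_ok = address_matches_behavior(trusted, 40.7130, -74.0058)   # near home
    stated_bad = address_matches_behavior(trusted, 41.8781, -87.6298)  # Chicago
    return {
        "trusted_count": len(trusted),
        "near_home": near_home,
        "far_away": far_away,
        "stated_address_ok": stated_ok,
        "stated_address_mismatch": stated_bad,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a real deployment the thresholds (cluster radius, minimum visits, address vicinity) would be tuned per risk appetite, and an "anomalous" verdict would feed a step-up decision rather than block outright; the point of the example is that a login from a credential thief's location, or a stated address the device has never been near, is separable from legitimate behaviour even when the password and OTP were both compromised.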
At Incognia we work with banks and fintechs to effectively address account takeovers (ATOs) by providing an additional layer of security without additional customer friction. One customer analyzed more than 100 million Incognia authenticated mobile logins and reported zero ATOs.