User Identification and Authentication: Who Is Responsible?


The statistics tell a grim story.

Phishing attacks increased nearly 60% in 2023. There are nearly a million unique phishing sites globally — a 10X increase since the beginning of 2020.

The U.S. Federal Trade Commission (FTC) received 1.4 million identity theft complaints with total fraud losses topping $10.2 billion.

93% of organizations had two or more identity-related breaches in the past year.

Consumers and businesses are being attacked on all fronts and AI tools that are improving workplace productivity are also empowering scammers to scale up operations.

With fraud so prevalent, there is an increased focus on who is responsible for providing solutions and on how telcos should approach the problem.

The Debate Over Telco Liability

Recent developments have sparked a heated debate about the role and responsibility of telcos in preventing fraud. In Singapore, for example, the government is considering making telcos jointly liable for phishing scams that pass through their SMS gateways. This move has raised important questions about the extent of telco responsibility in fraud prevention.

We believe holding telcos liable for losses due to fraud is simply misguided. Mobile operators are in the business of building communication technology. Voice calls and SMS messaging exist to let people communicate with one another. Their use for authentication is a highly beneficial feature, but it is a secondary purpose.

Instead of imposing punitive measures, governments should encourage telcos to develop value-added security services. For instance, telcos could offer enhanced security features for SMS or voice services as a premium offering. A market-driven approach would incentivize innovation without stifling the development of new communication technologies.

The Persistence of SMS in Two-Factor Authentication

Some organizations are leading the charge to abandon SMS for authentication. However, it remains one of the most widely reachable second factors: it works regardless of the operating system, the user's location, or the handset in their pocket. While it may not be the most elegant solution, it gets the job done. Today, people are used to managing two-factor authentication (2FA) using SMS.

However, SMS is not without its vulnerabilities. What an SMS code proves is possession of a phone number, and that possession can be stolen: messages are susceptible to interception, and SIM-swapping attacks move the number itself onto an attacker's SIM. To address these concerns and keep SMS viable as an authentication method, telcos can take proactive steps to enhance its security. One practical solution is SIM swap detection: the operator exposes when the SIM behind a number last changed (or whether the number was recently ported), and the relying party checks that signal before it trusts a code sent to that number. A code delivered to a number whose SIM changed hours ago deserves a step-up check or a refusal, not a login. By offering this feature, telcos give companies a concrete measure of how much to trust a particular SMS channel for authentication. This added layer of security could go a long way toward restoring confidence in SMS as an authentication method.

Leveraging Technology to Combat Fraud

As frauds become increasingly sophisticated, telcos and tech companies are turning to advanced technologies to stay ahead of the curve. One notable initiative is the “scam likely API” deployed by some mobile operators, particularly in Europe.

This API is based on the observation that users typically don’t engage in phone calls while transferring money. If a user is on a call during a bank transfer, it could indicate that they’re being coached through a fraudulent transaction.

While promising, the scam likely API faces challenges in widespread adoption. Every mobile operator would have to deploy the API for the signal to be available for every customer, and a bank can only act on it for the lines it can query. So far, only a handful of mobile operators are on board with this solution.
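As an added illustration, not code from the original article or from any operator's API, here is how a relying party could gate both decisions discussed above (whether to send an SMS OTP at all, and whether to let a transfer through) on the two telco signals: how recently the SIM behind the number changed, and whether the line is on an active call right now. The carrier lookup table, field names, phone numbers, the 7-day swap window and the high-value threshold are all hypothetical, constructed for this example.

```python
"""
Risk gate for SMS-OTP delivery and money transfers, driven by two telco signals:
  - SIM swap detection: when did the SIM behind this number last change?
  - "scam likely" call status: is the line on an active call right now?

The carrier lookup is simulated with an in-memory table; in production it
would be a call to the operator's API. All names, numbers and thresholds here
are hypothetical, constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # proceed with the SMS OTP / the transfer
    STEP_UP = "step_up"    # require a factor that is not tied to the phone number
    DENY = "deny"          # block and route to manual review


@dataclass(frozen=True)
class TelcoSignals:
    last_sim_change: Optional[datetime]  # None: operator has no history for this number
    on_active_call: bool


# Constructed sample data standing in for operator lookups (hypothetical numbers).
_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
_CARRIER_TABLE = {
    "+15550001111": TelcoSignals(_NOW - timedelta(days=400), False),  # stable number, idle
    "+15550002222": TelcoSignals(_NOW - timedelta(hours=3), False),   # SIM swapped today
    "+15550003333": TelcoSignals(_NOW - timedelta(days=400), True),   # on a call right now
    "+15550004444": TelcoSignals(_NOW - timedelta(hours=3), True),    # both red flags
    "+15550005555": TelcoSignals(None, False),                        # no history on record
}

SIM_SWAP_WINDOW = timedelta(days=7)   # hypothetical policy value


def lookup_signals(msisdn: str) -> TelcoSignals:
    """Simulated carrier lookup. Numbers the operator does not know get no history."""
    return _CARRIER_TABLE.get(msisdn, TelcoSignals(None, False))


def sim_recently_swapped(sig: TelcoSignals, now: datetime) -> bool:
    """True if the SIM changed inside the window. No history is treated as recent:
    the gate fails closed rather than trusting a number it knows nothing about."""
    if sig.last_sim_change is None:
        return True
    return now - sig.last_sim_change < SIM_SWAP_WINDOW


def gate_otp_delivery(msisdn: str, now: datetime = _NOW) -> Decision:
    """Before sending an SMS OTP: do not treat a freshly swapped number as proof of anything."""
    sig = lookup_signals(msisdn)
    if sim_recently_swapped(sig, now):
        return Decision.STEP_UP
    return Decision.ALLOW


def gate_transfer(msisdn: str, amount: float, now: datetime = _NOW,
                  high_value: float = 1000.0) -> Decision:
    """Before executing a transfer: combine the SIM-swap and active-call signals.
    A swapped SIM plus a live call is the classic coached-victim (or attacker) pattern."""
    sig = lookup_signals(msisdn)
    swapped = sim_recently_swapped(sig, now)
    if swapped and sig.on_active_call:
        return Decision.DENY
    if swapped or (sig.on_active_call and amount >= high_value):
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    for number in _CARRIER_TABLE:
        print(number, "otp:", gate_otp_delivery(number).value,
              "transfer 5000:", gate_transfer(number, 5000.0).value)
```

The design choice worth noting is the fail-closed handling of "no history": an operator that cannot tell you when the SIM last changed is giving you the same information as one that says it changed yesterday, so the gate treats both as a reason to step up to a factor that does not depend on the phone number.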

Google on X

Tech giants are also joining the fight against fraud. In May 2024, Google announced a scam call detection feature it is testing, built on its on-device Gemini Nano model.

This AI listens to conversations and uses machine learning to identify potential scams.

While this represents a significant step forward in fraud detection, it also raises privacy concerns: even though Google says the analysis runs on the device, the feature still means software is listening to the content of phone conversations.

The Double-Edged Sword of AI in Authentication

The rise of AI creates both opportunities and threats when it comes to scams and user authentication. On one hand, AI can significantly enhance fraud detection capabilities. On the other hand, it also equips scammers with powerful tools to commit fraud.

AI makes fraud more scalable.

A hallmark of many phishing attempts used to be poor grammar, often due to scammers who weren’t native language speakers. But now, AI tools help fraudsters run social engineering scams and conduct large-scale operations in perfect English (or any other language). Scammers can even replicate official documents using generative AI.

This escalation demands a collaborative approach to fraud detection, involving not just telcos but also third-party companies specializing in AI-powered security solutions.

The Growing Complexity of User Authentication

As security threats evolve, so too do authentication methods. However, this evolution has led to increased complexity in implementing robust authentication systems.

Many companies now find themselves at a crossroads. Should we invest heavily in developing sophisticated in-house authentication systems or outsource this critical function to specialized third-party providers?

We’re at a tipping point.

Today, companies are choosing to outsource their authentication needs rather than build their own — especially with today’s IT labor shortages. If security is not their primary business, organizations are finding it more cost-effective and efficient to outsource authentication and security. A good example would be healthcare. Privacy is essential to protect medical records and personally identifiable information (PII), but it’s not the core business. Adopting a best-in-class third-party solution allows organizations to focus efforts on providing high-quality healthcare and improving the user experience.

This trend towards outsourcing authentication could also lead to more standardized and potentially more secure authentication methods across various industries. However, it also raises questions about data privacy and the centralization of sensitive information.

The Case for Layered Authentication

In the face of evolving threats and diverse user needs, a one-size-fits-all approach to authentication is no longer sufficient. But we shouldn't be talking about getting rid of SMS as an authentication method. Instead, the industry should be looking at a layered, multi-factor authentication (MFA) approach that combines SMS one-time passcodes (OTPs), voice biometrics, hardware tokens, and other methods of passwordless authentication.

This layered approach is particularly crucial for digital identity resets: situations where users need to re-establish their identity, such as when getting a new phone or changing their phone number. In these scenarios, having multiple authentication channels available ensures that users can still regain access to their accounts even if one channel is compromised or is the very thing being replaced. The caveat is that the reset path is also the attacker's favourite path, so it must be at least as strong as a normal login: a code sent to the phone number that is itself being changed proves nothing, and two codes delivered to the same phone are one factor, not two.
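As an added illustration, not code from the original article, here is one way to encode that reset policy: every enrolled factor is tagged with the channel it actually proves possession of, factors that depend on the channel being reset are excluded, and the reset is allowed only with two factors on different channels whose combined strength clears a threshold. The user records, factor names, channel labels and strength scores are hypothetical, constructed for this example.

```python
"""
Recovery-path selection for a "digital identity reset".

Each enrolled factor is tagged with the channel it depends on. When the user
is replacing a channel (new phone number, lost email account), factors that
depend on that channel cannot prove anything, so the policy requires two
factors on *different* remaining channels with enough combined strength.
Users, factor names, channels and scores are hypothetical, constructed here.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Factor:
    name: str
    channel: str    # what possession the factor really proves
    strength: int   # 1 = knowledge only, 2 = possession, 3 = phishing-resistant possession


# Constructed enrolment records (hypothetical users).
ENROLLED = {
    "alice": [
        Factor("sms_otp", "phone_number", 2),
        Factor("voice_otp", "phone_number", 2),
        Factor("email_link", "email", 2),
        Factor("hardware_token", "fido_key", 3),
    ],
    "bob": [  # everything hangs off one phone number
        Factor("sms_otp", "phone_number", 2),
        Factor("voice_otp", "phone_number", 2),
    ],
}

MIN_FACTORS = 2          # hypothetical policy values
MIN_TOTAL_STRENGTH = 4


def usable_factors(factors: List[Factor], reset_channel: str) -> List[Factor]:
    """Drop every factor that depends on the channel being reset."""
    return [f for f in factors if f.channel != reset_channel]


def recovery_options(factors: List[Factor], reset_channel: str) -> List[Tuple[str, ...]]:
    """All factor pairs, on distinct channels, strong enough to authorize the reset."""
    options = []
    for combo in combinations(usable_factors(factors, reset_channel), MIN_FACTORS):
        if len({f.channel for f in combo}) < MIN_FACTORS:
            continue  # two codes to the same phone are one factor, not two
        if sum(f.strength for f in combo) < MIN_TOTAL_STRENGTH:
            continue
        options.append(tuple(f.name for f in combo))
    return options


def can_self_recover(user: str, reset_channel: str) -> bool:
    """False means the user must go through assisted (manual) recovery instead."""
    return bool(recovery_options(ENROLLED[user], reset_channel))


if __name__ == "__main__":
    for user in ENROLLED:
        for channel in ("phone_number", "email"):
            print(user, "resetting", channel, "->",
                  recovery_options(ENROLLED[user], channel) or "assisted recovery")
```

Run against the sample records, alice can replace her phone number using her email link plus her hardware token, while bob, whose only factors are SMS and voice codes to the same number, has no self-service path for any reset and must be sent to assisted recovery. That is the practical meaning of the "multiple channels" point: the channels have to be independent of each other, not just numerous.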

Striking the Right Balance

It’s clear that there’s no simple solution to the challenges we face. Telcos, tech companies, and businesses across different sectors must work together to develop authentication methods that are both secure and user-friendly.

The key lies in striking the right balance. While we must prioritize security to protect users from increasingly sophisticated fraud attempts, we can't forget about user experience. Cumbersome authentication processes will frustrate users and create churn or, worse yet, drive users to abandon the service altogether.

Moving forward, businesses must embrace a flexible, layered approach. This might involve combining traditional methods like SMS OTPs with newer technologies like AI-powered fraud detection. Companies should also partner with specialized authentication service providers to ensure they’re employing the most up-to-date and effective security measures.

Ultimately, the goal is to create an authentication ecosystem that’s robust enough to identify and stop the scammers, yet seamless enough that users hardly notice it’s there.