ANI trolling (also known as ANI trawling) is an emerging fraud vector that involves fraudsters running thousands of spoofed phone numbers through a business’s IVR (interactive voice response) system in order to identify which numbers belong to customers of that business. Once the hackers have identified which numbers belong to customers, they launch targeted SMS phishing or smishing attacks on the individuals who own those numbers.
How ANI trolling/ANI trawling works:
When a consumer dials into a call center, it’s common for the call center to try to recognize/match the ANI (automatic number identification) of the caller. If the ANI is recognized, indicating that the number is on file as belonging to a customer, the caller can be given a “green path/fast lane”. If not recognized, the caller is taken down another, more generic path (typically security questions).
Armed with knowledge of how this works, fraudsters will run thousands of numbers through a given IVR. In the process, they can identify which numbers belong to customers (based on the path that each number is routed through). Once they’ve identified the numbers that belong to customers, they can buy personal data (name, address, SSN, DOB, etc.) tied to those numbers on the black market in order to run targeted smishing attacks.
How Payfone helps protect IVRs against ANI trolling/ANI trawling:
Instead of using ANI matching as a decision point, call centers can use Payfone’s ANI match + call authentication to detect whether a call is being spoofed. Then they can set up the decision path such that spoofed calls always go down the generic path, regardless of whether the ANI is matched or not. That way, fraudsters can’t identify which numbers belong to customers/account holders, and therefore cannot carry out SMS phishing attacks on those individuals.
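The routing change described above, sketched as an added example (not Payfone’s code): the weak router decides on the ANI match alone, while the hardened router sends every call flagged as spoofed down the generic path. The `is_spoofed` flag stands in for whatever call-authentication signal the call center has, and all names and phone numbers are constructed.

```python
from dataclasses import dataclass

FAST_LANE = "fast_lane"   # recognized-caller path
GENERIC = "generic"       # security-questions path

# Constructed sample data: ANIs on file for customers.
CUSTOMER_ANIS = {"+12025550101", "+12025550147"}


@dataclass(frozen=True)
class Call:
    ani: str          # caller ID presented to the IVR
    is_spoofed: bool  # assumed output of a call-authentication check


def route_weak(call: Call) -> str:
    """ANI match is the only decision point, so the path reveals who is a customer."""
    return FAST_LANE if call.ani in CUSTOMER_ANIS else GENERIC


def route_hardened(call: Call) -> str:
    """Spoofed calls always take the generic path, whether or not the ANI matches."""
    if call.is_spoofed:
        return GENERIC
    return FAST_LANE if call.ani in CUSTOMER_ANIS else GENERIC


def path_reveals_membership(router, calls) -> bool:
    """True if on-file and unknown ANIs end up on different sets of paths."""
    on_file = {router(c) for c in calls if c.ani in CUSTOMER_ANIS}
    unknown = {router(c) for c in calls if c.ani not in CUSTOMER_ANIS}
    return on_file != unknown


# Constructed spoofed calls: two present on-file ANIs, two present unknown ANIs.
SAMPLE_SPOOFED_CALLS = [
    Call("+12025550101", True), Call("+12025550147", True),
    Call("+12025550188", True), Call("+12025550199", True),
]

if __name__ == "__main__":
    for name, router in (("weak", route_weak), ("hardened", route_hardened)):
        print(name, path_reveals_membership(router, SAMPLE_SPOOFED_CALLS))
    # A genuine (non-spoofed) customer call keeps the fast lane.
    print(route_hardened(Call("+12025550101", False)))
```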
By now, you might already know that SIM swap fraud is a major problem that can’t be ignored. It’s on most fraud executives’ radars, not to mention in the news nearly every other week. According to the Wall Street Journal, investigators say they know of more than 3,000 SIM-jacking victims, accounting for $70 million in losses nationwide (the real numbers are likely much higher considering that many cases go unreported).
Congress is also getting involved to battle this epidemic. Earlier this month, Senator Ron Wyden published a letter to FCC chairman Ajit Pai calling on him to take action to protect consumers against number porting (a.k.a. SIM swap) scams. In Canada, the CRTC also issued a similar letter to the Canadian Wireless Telecommunications Association echoing these concerns. On top of all this, Princeton just released a study finding that top U.S. mobile carriers were vulnerable to SIM swapping tactics.
Now you know that SIM swap fraud is a serious threat to you, your company, and your customers.
A different way of looking at SIM swap fraud
The focus of the Princeton study, Senator Wyden’s letter, and really most of what has been written on the internet about SIM swap fraud has been the role that mobile carriers play in attackers carrying out fraud. As evidenced in these writeups, the step where hackers dupe customer service agents into swapping their SIMs is vital to the attack being successful. But it’s also very difficult to prevent because it involves humans, and specifically customer service agents, who are trained to be as helpful as possible. But upon further inspection, this step is not where the actual damage is done.
In most cases, the actual damage – theft of funds, hijacking of a social media account, or theft of cryptocurrency – occurs after the fraudster actually goes to log into the victim’s accounts using the phone number he has just taken over. So technically, just taking over your phone number is not enough. In order to really inflict damage, a fraudster also needs to log into your accounts.
An opportunity to stop SIM swap fraud in its tracks
This is where Payfone’s patented Phone Intelligence comes into play. When the fraudster goes to log into the victim’s account, the business (whether it be a bank, crypto platform, social media platform, or other kind of enterprise) can use Phone Intelligence to detect that a SIM swap has taken place and block the fraudster from taking nefarious actions.
Consider this scenario involving a cryptocurrency exchange:
1) Fraudster steals username/password of victim and logs into cryptocurrency exchange.
2) Fraudster takes over victim’s phone number through a SIM swap attack.
3) With Payfone enabled, the cryptocurrency exchange can call our APIs to see if a SIM swap has occurred on that account.
4) If a SIM swap has occurred, the cryptocurrency exchange routes the user to further inspection before granting them access to the account.
5) Because accounts can be locked before any damage can be done, the cryptocurrency exchange is able to shut down hackers before they can do harm, safeguarding their users’ cryptocurrency.
Why CX and digital executives should also take note
From a customer experience standpoint, Phone Intelligence has the additional benefit of creating a more seamless experience for legitimate users. Since many SIM swaps are legitimate (in 2018, there were 90 million ports and 100 million device upgrades in the U.S.), simply detecting SIM swaps and hitting anyone who has swapped their SIM with a ton of friction can be significantly damaging to your customers’ experience and, in turn, customer satisfaction. Enterprises must be careful not to slow down the experience for customers who may have legitimately ported their numbers or upgraded their devices. By analyzing the contextual behavior and time of a SIM swap, Payfone provides a more sophisticated and nuanced approach to thwarting SIM swap fraud. As a result, you can offer a faster and easier experience for good customers while identifying potential bad actors and subjecting them to further inspection.
It’s also important to note that customers of businesses who do not use Payfone have to jump through considerable hoops if they want to go the DIY route to protect themselves against SIM swap fraud. There are numerous articles that give recommendations on how to do this (calling your mobile carrier, setting up a pincode, then setting up a longer 16-digit pincode, etc.) but not only is this time-consuming, these precautions are also totally ineffective when hackers break directly into telecom companies to swap SIMs.
The Bottom Line: Implementing technology that not only safeguards your customers against SIM swap attacks but also betters their experience is an investment. However, it’s an investment that can not only help you avoid losing customers, but also attract new customers by differentiating your company as one that cares about their security, convenience, and experience.
Payfone is a proud sponsor of the 2020 Hack@CEWIT hackathon at Stony Brook! Hosted by the Center of Excellence in Wireless and Information Technology (CEWIT), this year’s hackathon will see over 150 regional hackers battle it out for over $5K in prizes for the most innovative security, health-care, machine learning, A.I., blockchain, social impact, and IoT projects. The hackathon takes place February 14-16, and is open to college undergrad and grad students.
The event will also be open to the public on Sunday, Feb. 16 from 10:30am – 12pm, so come by and say hello! Visit the CEWIT site to register.
Heading to San Francisco for RSA? Use the form below to meet with us at the show to discuss how and why your fraud mitigation technology should also be improving your customer experience. And be sure to join Payfone CEO Rodger Desai as he takes the stage at eFraud Global Forum.
eFraud Global Forum: The Key to Thwarting Advanced Fraud Attacks While Improving CX
Speaker: Rodger Desai, CEO, Payfone
Date: Monday, February 24, 2020
Heading to Washington, D.C. for Health Datapalooza 2020? Join our VP of Healthcare Strategy, Mike Bechtel, as he takes the stage to share insights about how healthcare organizations can increase contactability and engagement in a HIPAA-compliant, privacy-first manner through Payfone’s tokenized identity solutions.
HDP Rapid Fire: Ensuring Data Privacy and Security
Session: Stop the Tug of War between Delivering Great Member Experiences, Privacy and Security
Speaker: Mike Bechtel, MHSA, FACHE, Payfone
Date: Tuesday, February 11, 2020
Location: Marriott Marquis, Washington, D.C.
At this point, the bank has a decision to make: every year millions of their customers actually do forget their password and need help. These processes are now automated so that call centers can focus on higher value services for customers. But of course, the OPEX savings and better customer experience don’t outweigh heavy fraud losses due to SIM swaps. So what do the Tier 1 banks do?
(3) The bank pings Payfone’s patented SIM swap technology, and in real time, Payfone is able to tell the bank whether a SIM swap has occurred in the last few hours. Payfone does this by checking the “born on date” of the SIM. If the SIM was recently changed (via a port-out or device swap) then the born-date would be a smoking gun.*
* The likelihood of a high-risk event such as password reset happening at the same time as a SIM change warrants further vetting, so the bank does not send an SMS with a password reset code to the customer/possible fraudster, and instead steps up the transaction.
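The check described here and in the cryptocurrency exchange scenario earlier on the page, as an added example that is not Payfone’s API or code: a decision function that combines the risk of the event with the age of the SIM, so a password reset right after a SIM change is stepped up while a legitimate swap does not add friction to low-risk actions. The 24-hour window, the event names and the timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

PROCEED = "proceed"   # e.g. send the SMS password-reset code
STEP_UP = "step_up"   # route to further inspection instead

# Assumed policy values for illustration; not taken from the page or any vendor API.
RECENT_SIM_CHANGE = timedelta(hours=24)
HIGH_RISK_EVENTS = {"login", "password_reset", "withdrawal"}


def decide(event: str, sim_born_on, now: datetime,
           window: timedelta = RECENT_SIM_CHANGE) -> str:
    """Combine event risk with the age of the SIM (its "born on date").

    sim_born_on is the timezone-aware time the current SIM was activated,
    or None when the lookup returned nothing.
    """
    high_risk = event in HIGH_RISK_EVENTS
    if sim_born_on is None:
        # Unknown SIM age: fail closed only where the damage would be done.
        return STEP_UP if high_risk else PROCEED
    age = now - sim_born_on
    if age < timedelta(0):
        return STEP_UP  # born-on date in the future: treat bad data as suspect
    if high_risk and age <= window:
        return STEP_UP  # high-risk event right after a SIM change
    return PROCEED      # old SIM, or a low-risk event after a legitimate swap


# Constructed timestamps.
NOW = datetime(2020, 2, 1, 12, 0, tzinfo=timezone.utc)
SWAPPED_3H_AGO = NOW - timedelta(hours=3)
SWAPPED_LAST_YEAR = NOW - timedelta(days=300)

if __name__ == "__main__":
    for event, born in [("password_reset", SWAPPED_3H_AGO),
                        ("password_reset", SWAPPED_LAST_YEAR),
                        ("view_marketing_page", SWAPPED_3H_AGO),
                        ("login", None)]:
        print(event, born, decide(event, born, NOW))
```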
Simple and powerful, Payfone protects the leading banks, insurers, fintechs and cryptocurrency wallets from SIM swap attacks in real-time for over 100M US consumers. In a recent case, a Tier 1 US bank saw SIM swap fraud drop significantly in real-time after launching Payfone.
We also recently expanded this capability to UK banks as part of a global roll-out.
Did you know that Sir Richard Branson is a digital security do-gooder? The Virgin founder is taking aim at online fraudsters in a delightful new animated video posted on his Instagram feed. In the clip, Branson and his dubious doppelganger walk through some common online scam methods such as phishing, bots and social engineering. Branson briefly describes each of the suspicious scenarios and warns Virgin followers not to trust anyone masquerading as him or his team and asking for personal information.
“At Virgin Group, we’re working hard to unmask scammers,” he says. “Only trust what we post on our official channels and social media channels.”
To further fight fraud, Virgin has even set up a webpage dedicated to stopping online scams. Branson urges viewers to report anything they think is suspicious on the site. “If you think it’s a con, send it on,” he says.
While being defrauded and losing money is clearly a concern for most people, there is an important – albeit less obvious – consequence. Online scammers lower everyone’s trust of transacting online – from consumers to enterprises. Because no one trusts anyone, all consumers are forced through experience-killing, time-sucking, and revenue-stunting friction (passwords, security questions, one-time passcodes) to prove they are who they say they are. Payfone-powered digital experiences restore Trust and sideline scammers so that they are unable to touch your customers’ cash or ruin their experience.
To learn how our Trust Score can help you distinguish between fraudsters and your real customers, contact us.
Last month, industry leaders gathered at Tearsheet’s inaugural Embedded Conference in New York City to discuss the future of the growing trend known as “embedded finance”. One of the main takeaways from the conference was that embedded financial services will require better customer experiences, and that trust and data are the new currency that will drive that.
If you weren’t able to attend, Tearsheet highlighted four important themes from the conference in their helpful writeup, including the fact that as fraud becomes increasingly more sophisticated, it’s becoming harder for companies to make their digital experiences seamless while also safeguarding customers and their accounts. Our CEO Rodger Desai weighed in on this trend and how Payfone was able to double the pass rate (from 40 percent to 80 percent) for an online lender using passive multi-factor authentication combined with a secure pre-filled loan application.
Financial services is the nervous system of our economy; a critical system that needs to operate efficiently and equitably for our society to function. The legacy 20th century business models in finance have become increasingly obsolete and most have not adapted to the fundamental paradigm shift—technological, institutional and societal—ushered in by our continuing transition from an Industrial Age to an emerging Information Age. It is essential that these business models be transformed in order to serve the needs of 21st century economies. There is an enormous, multi-decade opportunity to reimagine and rebuild financial services. We can create a system that is more efficient, more equitable and more resilient—and, therefore, better able to adapt to an ever-changing economy and society.
At Anthemis we see this future state of financial services as embedded, augmented and ubiquitous. Rather than finance being discrete, we see it becoming an intimate part of the products and services that drive our economies—an often invisible but critical societal infrastructure, similar to today’s communications or energy infrastructures. We imagine a world where finance is embedded deep inside the workings of our businesses and economies, powering the lives and progress of citizens and businesses rather than being a service consumed independently.
Instead of financial services being yet another sector that becomes internet-enabled, it will allow all sectors to become “finance-enabled.” The result is not just finance on the internet, but rather the “Internet of Finance.”
At the Gartner Identity & Access Management Summit in Las Vegas this week? Meet with Payfone’s identity authentication sherpas to get tips about best practices and to learn how our digital trust solutions can transform your customers’ experience while safeguarding them against fraud in a private manner. We’ll demo our patented Trust Score, which can significantly increase the percentage of consumers that can interact with your brand frictionlessly.