Enhancing the Security of Passcodes

Adding a layer of phone number and device intelligence can slash the risk of fraud, giving the organization and customers greater security while maintaining a positive experience.


Although insurers have been dealing with fraud since the dawn of the industry, digital transformation has led to new fraud-fighting challenges — with authentication often at the top of the list. How do insurers confirm that people using electronic payment platforms or digital claims management tools are really who they say they are? 

Criminals’ increasingly easy access to consumers’ personal information, thanks to near-constant data breaches and widespread social media use, has led many organizations to move from relying exclusively on traditional knowledge-based authentication (such as user names and passwords for online channels, or challenge questions in the call center) to multifactor authentication that includes sending a one-time passcode (OTP) via SMS to the user’s mobile phone.

But security experts warn that the growing number of increasingly sophisticated attacks against consumer phones — via malware, man-in-the-middle schemes, phishing, SMS rerouting, SIM card swaps, call forwarding and other techniques — is reducing the reliability of OTPs as a means of protecting against fraud.

Mobile fraud on the rise

A recent Forrester survey of 300 North American fraud prevention decision-makers indicates that phone-related fraud is pervasive, with virtually every respondent confirming that their organization had experienced some type of mobile fraud in the past year. SMS OTP hijacking was recognized as one of the most common types of mobile fraud, but many organizations also stated that they lack the tools to effectively detect these attacks, suggesting that the real scale of the problem is significantly underreported. 

OTP fraud gives criminals access to the customer accounts of insurers, which in addition to compromising a customer’s personal information (a particularly serious infraction in the case of health information) can lead to account takeovers and submission of fraudulent claims.

It’s a serious concern, but the insurance industry hasn’t adopted a convincing substitute. Common alternatives to mobile OTP authentication, including sending OTPs to email addresses or soliciting phone numbers from customers, degrade the customer experience and create additional fraud vulnerabilities, according to the Forrester survey.

Consumer email addresses are susceptible to poor password hygiene, and bad actors may simply provide their own alternative phone numbers when given the opportunity. Adopting more stringent authentication measures presents its own challenges, making it difficult for customers to file claims and receive support from an insurer when they need it most. The additional vetting required from agents and the frustration caused to customers hurt both the brand reputation and the bottom line.

That’s why most companies still rely on OTP authentication; more than 70% of survey respondents said that the technology is user-friendly and that customers perceive it to be secure. Any additional security measures must meet these criteria to avoid damaging the customer experience. 

The majority of survey participants are therefore looking for technologies that can work unobtrusively to flag potential fraudsters before an OTP is sent to a customer device. They rate the following capabilities as either mission-critical or important: identifying high-risk phone numbers, detecting if a scam is active before sending the OTP, and using a decision engine to determine the lowest-risk channel available (e.g., email, mobile app or SMS) and then sending the OTP to that channel.


Complementing OTP authentication 

It’s clear that OTPs aren’t going anywhere despite their increasing vulnerability. So, to keep themselves and customers protected, savvy insurers are embracing greater authentication intelligence. These methods work in tandem with OTPs to unobtrusively enhance the customer experience without compromising the safety of their accounts or information. 

For example, phone takeover risk solutions provide companies with real-time intelligence that helps them determine whether sending an OTP to a given phone number presents a high risk. These solutions ask, for example, whether there have been recent changes to the phone’s SIM card, whether the phone number has been reassigned or whether calls are being forwarded. Identifying devices or interactions that are at high risk for fraud allows OTPs to be safely sent to recipients who are legitimate customers with legitimate phones — the vast majority of cases. The organization can then focus its fraud-fighting resources on a much smaller pool of high-risk interactions without creating increased friction for everyone.
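As an added illustration (not code from the article or from TransUnion), the pre-send check and the lowest-risk-channel decision described above can be expressed as a small decision gate; the signal names, the seven-day "recent change" threshold and the channel ordering are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of a pre-OTP risk gate. Signal values are assumed to
# come from a phone-intelligence feed; the thresholds are assumptions, not the article's.
RECENT_DAYS = 7   # a SIM change or number port within this many days counts as recent

@dataclass
class PhoneSignals:
    days_since_sim_change: Optional[int] = None  # None = no change on record
    days_since_port: Optional[int] = None        # None = never ported
    number_reassigned: bool = False              # carrier gave the number to a new subscriber
    call_forwarding_active: bool = False         # unconditional forwarding set on the line

@dataclass
class Channels:
    sms: bool = True              # phone line can receive SMS
    app_push: bool = False        # enrolled app device; a SIM swap does not move it
    email_verified: bool = False  # verified e-mail address on file

def assess_phone(sig: PhoneSignals) -> tuple:
    """Return (risk, reasons): reassignment or forwarding is high, a recent change elevated."""
    reasons = []
    if sig.number_reassigned:
        reasons.append("number reassigned")
    if sig.call_forwarding_active:
        reasons.append("call forwarding active")
    if reasons:
        return "high", reasons
    for label, days in (("recent SIM change", sig.days_since_sim_change),
                        ("recent number port", sig.days_since_port)):
        if days is not None and days <= RECENT_DAYS:
            reasons.append(label)
    return ("elevated" if reasons else "low"), reasons

def choose_channel(risk: str, ch: Channels) -> Optional[str]:
    """Lowest-risk channel still available; None means hold the OTP for fraud review."""
    if risk == "high":
        return None                 # never auto-send to a line that looks hijacked
    if ch.app_push:
        return "app_push"           # preferred at any risk level: not bound to the SIM
    if risk == "low" and ch.sms:
        return "sms"                # SMS only when the line shows no takeover signals
    if ch.email_verified:
        return "email"
    return None

def gate_otp(sig: PhoneSignals, ch: Channels) -> dict:
    risk, reasons = assess_phone(sig)
    return {"risk": risk, "channel": choose_channel(risk, ch), "reasons": reasons}
```

The returned record is what the sending service acts on and what the fraud team reviews when `channel` is `None`, so the small pool of high-risk interactions is logged with its reasons rather than silently blocked.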

Integrating inbound caller intelligence with the organization’s customer relationship management system can enable pre-answer caller authentication, so agents spend less time interrogating low-risk callers (again, the vast majority) about their identity and more time helping them, improving the customer experience and boosting call center efficiency.

Intelligence services can be applied to provide an automated and optimized approach to managing constantly changing customer contact data. These services gather intelligence in the background from a variety of vetted, continuously updated third-party sources to confirm the authenticity of customer numbers. Intelligence that incorporates email and text gives the organization additional ways to initiate contact with a customer and additional data points for authentication – helping insurers to better connect with customers while mitigating compliance risks. 

Reducing risk without sacrificing the customer experience

Virtually every organization in every industry — insurance included — is looking for ways to block fraudsters while allowing legitimate interactions to proceed smoothly. For years, OTPs have been a useful means to help achieve this goal, and, although mobile fraud is rising, it is not time to abandon this user-friendly and widely adopted tool. Adding a layer of phone number and device intelligence can significantly help to reduce the risk of fraud, giving both the organization and its customers greater security while maintaining a positive authentication experience.

Shai Cohen

Shai Cohen leads TransUnion's Global Fraud Solutions Group.

Cohen has spent decades in the IT and cybersecurity industries leading business units and software engineering and product management teams. He joined TransUnion from RSA, where he was the general manager of its Fraud and Risk Intelligence business. Previously, Cohen served in leadership roles at EMC and Intel.