Forrester Consulting Study – Firms Seeking Technology to Secure OTPs
Aite-Novarica predicts that financial institutions will start sunsetting OTPs (one-time passwords) in 2022 due to “well-documented” weaknesses.[i] This trend may propagate to other industries where consumer identity is important, but where the financial stakes aren’t as high. Financial institutions are often at the vanguard of fraud prevention because their substantial assets under management attract more sophisticated fraud attacks than other industries. But given that most common mitigation strategies to OTP fraud degrade customer experience and/or enable additional fraud vulnerabilities, abandoning OTPs may not be that easy.
OTPs often serve as a backup or step-up authentication method to consumer accounts and facilitate password-reset requests. Consumer accounts come under fraudsters’ control when the passwords for the accounts are reset via an OTP.[ii] Fraudsters have become adept at diverting OTPs intended for a consumer to a phone in the attacker’s control.
Insecure OTPs increase the risk of account takeover attacks, incur millions of dollars in fraud loss, and damage customer trust and lifetime value.[iii] However, alternative strategies that increase security will not gain widespread adoption if they also increase false positives and manual review rates, or if they degrade customer experience and operational efficiency. Organizations that perceive a binary choice between the convenience and efficiency of OTPs versus greater security from alternative strategies fall victim to a false dichotomy that harms organizations and consumers.
How OTPs lost trust
A commissioned study conducted by Forrester Consulting on behalf of Neustar (Improve Your Customer Authentication Strategy with More Secure One-Time Passwords, March 2022) found that more than one-third of organizations use OTPs sent via SMS/text message (referred to as “OTPs” for the remainder of this post) as the primary method of multifactor authentication. OTP fraud attacks succeed because organizations aren't sure whether the phone number receiving the OTP has recently been compromised via unauthorized number reassignment, call forwarding, or SIM swap, among other vectors. Respondents using OTPs in the Forrester survey reported an average of almost 20 OTP fraud incidents in 2021.
Telephone carriers know changes to phone numbers in near real-time, but other organizations often learn of the changes days or weeks later. The delay creates a significant window of opportunity for bad actors. Almost half of organizations lack the technology to detect OTP fraud. The problem could be greater, as more than 40% of organizations told Forrester it is hard to know and measure when OTP fraud has occurred.
Without the means to detect and prevent OTP fraud, organizations face increasing fraud risk. Two-thirds of the Forrester survey respondents believe that authentication fraud will increase or remain constant over the next two years. Suspected digital fraud — a symptom of authentication fraud — grew over 50% between 2019 and 2021, according to TransUnion’s 2022 Global Digital Fraud Trends Report. In addition to immediate fraud losses, these incidents cut short customer lifetime value — nearly 15% of financial consumers close their accounts after an identity fraud incident, even if they are satisfied with the assistance provided by the related organization.[iv]
Alternative authentication approaches fall short
In response to the perceived failures of OTPs, the Forrester survey respondents report implementing alternative strategies (see figure below), including sending OTPs via email and soliciting alternative phone numbers from customers.
Most of these alternative approaches either degrade customer experience, enable additional fraud vulnerabilities or both. Consumer email addresses (the most common alternative approach listed in the figure above) are susceptible due to poor password hygiene. Bad actors may simply provide their own alternative phone numbers when given the opportunity. Call center agents succumb to schemes involving social engineering, ill-gotten answers to challenge questions, and virtual calling apps.
These alternative approaches also force consumers to wait for service, which degrades the customer experience. According to TransUnion’s 2022 Global Digital Fraud Trends Report, nearly two-thirds of consumers would switch companies for a better digital experience. Organizations that fail to provide a safe, smooth authentication experience face the double threat of losses due to fraud and customer attrition.
OTPs are secure. Consumer phones are vulnerable.
Organizations sunsetting SMS-based OTPs in favor of alternative approaches overlook a far simpler choice: fixing the vulnerability in OTPs. Restoring trust in OTPs costs far less than implementing an alternative, and is far more consumer-friendly. Over two-thirds (68%) of consumers believe OTPs are easy to use, according to a 2021 study by Javelin Strategy & Research.
When organizations have real-time data that a phone is at risk of SIM swap, call forwarding or unauthorized number reassignment, they can put additional verification steps in place before sending an OTP, thereby protecting consumer accounts. These insights are available within the phone network and cannot be manipulated by outside parties. Respondents to the Forrester study expected that preventing OTP fraud would bring multiple benefits: improved customer experience (64%), improved brand reputation (63%), increased transaction speed (58%), and reduced annual fraud losses (55%).
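The gating step described above, as an added illustration that is not Neustar's code or the product's API: before an OTP is sent, the account's phone number on file is checked against carrier-side signals (last SIM change, number reassignment, active call forwarding), and the login either proceeds, is routed to additional verification first, or is told the number can no longer be trusted at all. The `PhoneSignals` fields, the seven-day SIM-change window and the three outcomes are assumptions made for this example; a real risk-intelligence feed exposes its own schema and an organization sets its own thresholds.

```python
"""Risk-gate SMS OTP delivery on phone-network signals (added example, not Neustar's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class PhoneSignals:
    """Hypothetical, constructed view of what a carrier knows about a number."""
    sim_changed_at: Optional[datetime] = None      # last SIM swap on this number
    reassigned_at: Optional[datetime] = None       # number handed to a new subscriber
    call_forwarding_active: bool = False           # calls/SMS currently redirected


@dataclass
class Decision:
    action: str                                    # "send", "step_up" or "block"
    reasons: List[str] = field(default_factory=list)


# Assumed policy: a SIM change inside this window is treated as suspicious.
SIM_CHANGE_LOOKBACK = timedelta(days=7)


def assess_otp_delivery(number_on_file_since: datetime,
                        signals: PhoneSignals,
                        now: datetime) -> Decision:
    """Decide whether an OTP may go to the number on file right now.

    number_on_file_since: when the customer registered this number with us.
    All datetimes are expected to be timezone-aware.
    """
    reasons = []

    # The number changed hands after the customer gave it to us: an OTP would
    # reach a stranger, so the number itself must be re-verified, not stepped up.
    if signals.reassigned_at is not None and signals.reassigned_at > number_on_file_since:
        reasons.append("number_reassigned_after_enrollment")

    # A fresh SIM swap is the classic OTP-diversion precursor.
    if signals.sim_changed_at is not None and now - signals.sim_changed_at <= SIM_CHANGE_LOOKBACK:
        reasons.append("recent_sim_change")

    # Forwarding redirects the delivery channel regardless of who holds the SIM.
    if signals.call_forwarding_active:
        reasons.append("call_forwarding_active")

    if not reasons:
        return Decision("send", [])
    if "number_reassigned_after_enrollment" in reasons:
        return Decision("block", reasons)
    return Decision("step_up", reasons)


def run_demo() -> dict:
    """Evaluate a few constructed scenarios and return the decisions by name."""
    now = datetime(2022, 3, 15, 12, 0, tzinfo=timezone.utc)
    enrolled = datetime(2021, 1, 1, tzinfo=timezone.utc)
    cases = {
        "clean": PhoneSignals(),
        "sim_swapped_2_days_ago": PhoneSignals(sim_changed_at=now - timedelta(days=2)),
        "sim_swapped_30_days_ago": PhoneSignals(sim_changed_at=now - timedelta(days=30)),
        "forwarding_on": PhoneSignals(call_forwarding_active=True),
        "reassigned_last_month": PhoneSignals(reassigned_at=datetime(2022, 2, 1, tzinfo=timezone.utc)),
    }
    return {name: assess_otp_delivery(enrolled, sig, now) for name, sig in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:28s} -> {decision.action:8s} {decision.reasons}")
```

The distinction between `step_up` and `block` is the point: a recent SIM change or active forwarding means the OTP might still reach the real customer, so it is worth asking for something more before sending; a number reassigned after enrollment cannot reach the customer at all, so the sensible response is to re-establish a trusted contact channel rather than send anything to that number.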
How Neustar restores trust in phone-based OTPs
Neustar Phone Takeover Risk helps prevent OTPs from falling into the hands of fraudsters. Using continuously corroborated signals on over 99% of U.S. phone numbers, with authoritative linkages to each phone’s owner, Neustar provides the real-time intelligence needed to determine whether a phone number is at high or low risk for common OTP fraud techniques.
By identifying high-risk phone numbers with easy-to-interpret notifications, organizations mitigate risk of account takeover fraud without requiring extra resources or dedicated specialists. These phone-based insights support a higher degree of trust for step-up authentication.
Restoring trust to OTPs demonstrates a commitment to improving consumer safety and satisfaction. By doing so, forward-thinking organizations align operations with internal needs for fraud prevention and consumer expectations for safe, smooth experiences.
[i] Aite-Novarica, Top 10 Trends in Fraud & AML, 2022: Braving the New Normal
[ii] Communications of the Association for Computing Machinery, Security Analysis of SMS as a Second Factor of Authentication
[iv] Aite-Novarica, U.S. Identity Theft: The Stark Reality