Understanding SMS AIT Fraud: What Happened at Twitter & How to Protect Your Business

We have often spoken about the disadvantages of SMS OTPs when used for two-factor authentication, including their vulnerability to phishing and the SS7 design flaw.

However, that list keeps growing, so we have to address a quickly scalable cybercrime strategy that you could be susceptible to if you’re using SMS OTPs.

Have you heard about AIT fraud? It’s the latest in the string of SMS OTP vulnerabilities, significantly accelerated by the speedy development of artificial intelligence in recent years.

Let’s look at SMS AIT Fraud, offer an analysis of what happened at Twitter, and finally delve into some solutions that can provide protection against it for your business.

What Is SMS AIT Fraud?

Artificial Inflation of Traffic (AIT) fraud is a cybercrime technique used by criminals to create a large volume of fake traffic through apps or websites.

It involves the manipulation of online systems through automated bots or malicious software to simulate a high volume of user interactions, such as clicks, views, or sign-up attempts, which appear genuine but are entirely fabricated.

While this can also affect advertising networks, manipulate market values, or mislead business decisions, today we’ll focus on businesses that use SMS OTP for authentication and verification, where cybercriminals impose huge costs on these companies.

Within the typical AIT scenario:

1. A fraudster deploys a bot to create a multitude of fake accounts.
2. These fake accounts prompt the issuance of one-time passcode (OTP) SMS messages to mobile numbers as part of multi-factor authentication (MFA).
3. The fraudster collaborates with a rogue entity within the mobile ecosystem (like an operator or aggregator) to intercept the AIT, withholding message delivery to the end-user.
4. Together, the fraudster and the complicit party within the mobile ecosystem profit from this interception.

This fraud strategy has been rising steadily over the last few years. And while it can often go unnoticed, some companies, like Twitter, have noticed it and revised their authentication options as a consequence.

What Happened at X (Formerly Twitter)?

Shortly after Elon Musk took over Twitter, it was announced that the network would only offer SMS OTP authentication for its premium subscribers.

Musk had revealed that Twitter was losing $60 million per year to AIT fraud, and this is without counting North America, one of its biggest markets. Now, I’m sure you’d agree that even for a company of this size, this is just way too much.

Although the messages never reached their rightful owners, they were counted as successfully delivered. This means that Twitter had to pay for each of them, and the same would be the case should your app fall victim to AIT fraud.

Because AIT is not regulated by SMS agreements and regulations, it’s free to bypass MNO firewalls. This makes it notoriously difficult to identify unless you at least calculate your conversion data and return on investment: OTPs that are billed as delivered but never verified are the tell-tale sign.
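As an added illustration (not code from the original post or from IPification), the Python snippet below performs the conversion-based check described above for the scenario in the numbered list: it groups billable OTP delivery receipts and successful verifications by number prefix over a constructed sample log and flags ranges that are paid for but never verified. The log format, the prefix grouping and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample, not real traffic: "timestamp event number unit_cost_usd".
# "sent" is a billable delivery receipt; "verified" means the user entered the code.
SAMPLE_LOG = """\
2023-11-01T10:00:01 sent +15550100001 0.0075
2023-11-01T10:00:09 verified +15550100001 0
2023-11-01T10:00:12 sent +15550100002 0.0075
2023-11-01T10:00:20 verified +15550100002 0
2023-11-01T10:00:30 sent +15550100003 0.0075
2023-11-01T10:01:00 sent +447700900001 0.0400
2023-11-01T10:01:01 sent +447700900002 0.0400
2023-11-01T10:01:02 sent +447700900003 0.0400
2023-11-01T10:01:03 sent +447700900004 0.0400
2023-11-01T10:01:04 sent +447700900005 0.0400
2023-11-01T10:01:05 sent +447700900006 0.0400
"""


def parse_events(text):
    """Turn log lines into (event, number, cost) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, event, number, cost = line.split()
        events.append((event, number, float(cost)))
    return events


def conversion_by_prefix(events, prefix_len=8):
    """Aggregate sent/verified counts and spend per number prefix. The fixed-length
    prefix is a crude stand-in for a country/operator range (assumption)."""
    stats = defaultdict(lambda: {"sent": 0, "verified": 0, "cost": 0.0})
    for event, number, cost in events:
        bucket = stats[number[:prefix_len]]
        bucket[event] += 1
        bucket["cost"] += cost
    for bucket in stats.values():
        bucket["rate"] = bucket["verified"] / bucket["sent"] if bucket["sent"] else 0.0
    return dict(stats)


def flag_suspicious(stats, min_sent=5, max_rate=0.2):
    """Prefixes with enough volume to judge and a conversion rate far below what
    genuine sign-ups produce: the AIT signature (billed, never verified)."""
    return sorted(p for p, b in stats.items()
                  if b["sent"] >= min_sent and b["rate"] <= max_rate)
```

Run against your own delivery receipts and verification events, the same aggregation shows where OTP spend is producing no logins, which is the ROI comparison the paragraph recommends.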

With that cost in mind, on top of the security weaknesses of SMS OTP, it should be clear that we may well be better off looking to some newer, better authentication solutions.

Moving Away From SMS OTP As The Key to Protecting Your Business

If your bodyguard isn’t the best around — and its vulnerabilities only seem to grow and bring about additional financial risks — it’s the right time to replace it.

By implementing a new authentication option, businesses kill two birds with one stone: they increase the security of their apps (if done right, they also improve the user experience), and they completely bypass the risk of SMS AIT fraud.

Globally, companies have started to realize this.

One of the latest reports released by Juniper Research predicts that SMS will lose $2.8 billion of authentication revenue over the next five years to OTT channels such as WhatsApp or Viber.

This means that it will be crucial for businesses to implement better authentication solutions to stay competitive in the market, keep their users secure, win user trust on one side, and keep their authentication processes cost-effective on the other. So it’s a matter of increasing revenue and cutting unnecessary costs at the same time.

At IPification, we believe mobile network operators to be the most logical managers of mobile identity. On their side, offering additional authentication solutions that rely on their network infrastructure will ensure they stay a trusted leader in the mobile identity space.

The existing mobile network operator tech is one of the most powerful infrastructures globally, and it’s just one of the reasons we have designed IPification to work on top of it.

It generates a unique Mobile ID key for each user using the user’s device, SIM card, and mobile network data. On the user’s side, all it takes is one click to send the authentication request, after which the user’s identity is verified within milliseconds — and without actually transferring any sensitive data over the network.

It’s based on the three principles of bank-grade security, seamless user experience, and maximum data privacy. It’s also passwordless, phishing-resistant, and compatible with multi-factor authentication systems — and a great way to go around AIT fraud.

With that said, considering the unique requirements of each organization, our team of specialists provides complimentary consultations. During these sessions, we collaborate to determine how IPification can integrate into your system. Our aim is to find the right balance between security, user experience, and cost-effectiveness that aligns precisely with your needs.

Just contact us to schedule a session. We’re looking forward to getting to know you!
