Many companies no longer rely on static passwords alone, and use two-factor authentication to protect consumer accounts. The problem is they're using the same second factor: text messages sent to mobile devices.
The drawback of sending a single-use code via SMS
is phone numbers can be spoofed, and cellular accounts can be taken over by savvy scammers. In one recent example, a U.K. woman lost over £8,000, or about $10,600, from her bank account after fraudsters visited a branch of Three, her mobile provider, and persuaded it to transfer her number
to a new SIM.
There are multiple ways to address this problem. One is to rely on the carriers themselves to shore up their defenses.
"SMS was primarily built as a communication tool, but it became de facto for second-factor authentication," said Pavan Challa, director of product management at Verizon.
Verizon is working with other carriers on Project Verify, which is designed to "not just use SMS but use your device, use the signals that have been sent to the network … customer information, AI, machine learning and blockchain technology," he said. "We want to build this multifactor authentication into the solution that's going to eliminate most of the fraud that's going to happen today."
Project Verify, which also includes AT&T, T-Mobile and Sprint, was announced earlier in the month and is expected to go live in March 2019 as an app that the carriers preload onto customers' phones.
On the banks' side, other options can complement what the carriers are doing. These methods will become increasingly important as more banks join real-time payment networks.
"Real-time payments comes with real-time fraud," said Eric Woodward, group president of risk solutions for Early Warning, which operates the Zelle payments network.
Since Zelle is meant to be used within a bank's app, it benefits from the security that's built into those apps, including biometric authentication, PIN codes and more. But Zelle's role doesn't stop there.
"We see our customers use everything from voice to fingerprint to facial [to] eyeprints," Woodward said.