Protecting Enterprises From Global Online Fraud: Nine Best Practices

by Chris Preimesberger

Sales of fake Internet accounts continue to increase. These are accounts created in bulk using phony information (name, email, address, etc.) simply for the purpose of abusing good users online. Just about any type of fake account can be purchased: email, blogging, social networking or auction/classifieds. Fraudsters use these fake accounts for various forms of nefarious activities, including spamming, phishing attempts, affiliate fraud and e-commerce fraud; their primary motivation, of course, is taking your money.

For the crooks to make money, they need to perform a high number of illicit transactions. To do that, fraudsters need to automate their schemes. Some variables in a repeatable process can be easily randomized. Name, address, email address, mother’s maiden name and birthday can be randomly generated by products such as FakeNameGenerator. It’s not too hard for them to get through email verification, but telephony introduces factors that are hard to fake and leave a data trail.

Valid phones must comply with each country’s numbering space. They must be allocated by a numbering authority; they cannot be created from nothing. A valid mobile number must terminate to a mobile device, and mobile devices are usually unique to each person. These properties make randomization of the data very difficult.

International revenue fraud is one of the telecom industry’s most persistent problems. During this type of attack, fraudsters obtain phone numbers that pay them a small amount for each inbound call generated to the number (similar to 900 numbers found in the U.S.). Fraudsters then find ways to pump as many calls as possible to these phones, generating income for themselves. If this type of traffic is not caught and shut down, the cost to the caller—which can be a Website, a user with a compromised handset or a company with a compromised PBX—can be enormous. Leading hotspots for telecom-related fraud are Pakistan and Latvia.

Thailand, Brazil, Colombia, Ecuador, Egypt, Ghana and Indonesia are currently producing significantly higher-than-average volumes of attacks on large Web properties. These attacks include attempts to create millions of fake accounts, attempts to take over accounts and account fraud. Latin America leads the world in attempted Web fraud with 14 times as many fraud attempts.

Automated attacks occur when a script or program is used to send automated requests to a Website or telecom network. Fraudsters use automated attacks to create thousands of accounts, make purchases, send malware or send premium-rate SMS messages. Companies must be able to detect abnormal patterns in global delivery of messages and voice traffic.

In another example of abnormal behavior that indicates an automated attack, fraudsters attempt to use one phone number to create many accounts in a short period of time. If the accounts are successfully opened, they will be used by the fraudster for spamming, phishing or some similar undesirable activity. Attacks like this can occur so quickly—with fraudsters attempting to create more than one account per second in some cases—that they can be difficult to detect on a distributed network.

Keeping fake accounts off a Website’s ecosystem is critical. An effective way for Websites to block the creation of fake accounts is to require users to attach a verified phone number to each account. Requiring phone verification during account creation significantly slows the rate at which fraudsters can create fake accounts and increases the fraudster’s cost for each account created. Typically, phone-verified accounts cost at least 160 times more on the black market than accounts that are not phone-verified.

Phone-based verification is the standard for large digital companies to secure hundreds of thousands of accounts, but it is not enough. Fraudsters are persistently looking for ways to circumvent security. The unique properties that make the phone such a great tool for identifying users also reveal trends in the data. Phone-based verification is one of the best ways to protect a globally distributed user base, but an enterprise should rigorously monitor large volumes of traffic to shut down harmful traffic.