Protect Yourself from SMS Fraud: Here’s How

Jan 2, 2025
Last Updated: Oct 15, 2025
Principal Product Manager

We’re all accustomed to using SMS (short message service) verification when we sign on to our mobile apps and services. This method is used to prove that you possess the device during an MFA (multi-factor authentication) experience. When you attempt to access an app, it texts you a code and asks you to provide that code to prove that you are who you claim to be. After providing the code, you immediately gain access.

 

SMS verification is extremely popular because most people are accustomed to it and know what to expect. However, this verification method can be vulnerable to SMS fraud, which could result in costly losses for your organization if you do not take the appropriate precautions. 

What is SMS Fraud?

SMS fraud can be executed in a variety of ways, but perhaps the most common type of fraud is known as “toll fraud,” where attackers use a third-party messaging system to send a high volume of messages to locations where SMS messages are most expensive. 

 

Attackers will then purchase a premium number in a country that has an expensive calling rate, make a high volume of calls to that number, and then enjoy the revenue generated by those calls. The charges that are racked up are ultimately charged back to the customer by the provider.

Protect Your Organization From SMS Fraud

At Ping Identity, we provide a number of ways to protect your organization from SMS fraud. We can secure your registration and sign-on experiences, specify the geographic locations that messages can be sent to, and define the scenarios where SMS verification is allowed or disallowed.

 

We also believe in the importance of planning. SMS verification should be appropriately planned, implemented, and monitored to be successful. Start by determining the right place and the right time to use SMS verification within your customer journeys, and by ensuring that the front door of your organization, where you greet your customers, is not only welcoming, but is also secure.

 

Only Use SMS Verification in the Right Place

Before you make SMS text and voice verification available to your users, consider their geographic locations. That way, you can be very specific about the locations where SMS messages can be received. 

 

With PingOne MFA, you can create an “Allow List,” which lists locations that can receive SMS text and voice messages. As you create this list, consider all of the geographic locations where your users live and work. This type of list is particularly helpful if your users are primarily located in a fixed set of locations and you do not do business outside of those locations. Understand that once this list is created, messages sent to locations other than those on this list will not be received.

 

You can also create a “Deny List,” which lists locations that cannot receive SMS text and voice messages. This type of list is helpful when your users are geographically dispersed, and when you want to ensure that SMS messages will not be sent to specific locations. 
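The allow-list and deny-list behavior described above, sketched as a pre-send check with a simple per-destination volume monitor. This is an added example, not PingOne MFA code or configuration; `CALLING_CODES`, `region_of`, `may_send` and `volume_alerts` are hypothetical names, and the prefix table and phone numbers are constructed.

```python
from collections import Counter

# Constructed sample table: calling-code prefix -> region label.
# A real deployment would load a complete numbering-plan dataset.
CALLING_CODES = {"1": "NANP", "44": "GB", "49": "DE", "881": "SAT", "882": "INTL-NET"}

def region_of(e164):
    """Longest-prefix match of an E.164 number against CALLING_CODES."""
    digits = e164[1:]
    if not e164.startswith("+") or not (digits.isascii() and digits.isdigit()):
        return None                      # malformed input has no region
    for length in (3, 2, 1):             # calling codes are 1 to 3 digits long
        region = CALLING_CODES.get(digits[:length])
        if region:
            return region
    return None

def may_send(e164, allow=None, deny=None):
    """Allow-list mode: only listed regions. Deny-list mode: all except listed."""
    region = region_of(e164)
    if region is None:
        return False                     # assumption: unknown destinations fail closed
    if allow is not None:
        return region in allow
    return region not in (deny or set())

def volume_alerts(send_log, threshold):
    """Regions whose send count in the log window exceeds the threshold."""
    counts = Counter(region_of(number) for number in send_log)
    return sorted(r for r, c in counts.items() if r and c > threshold)

# Constructed send log for one monitoring window.
SAMPLE_LOG = ["+88110000001", "+88110000002", "+88110000003", "+447700900123"]

if __name__ == "__main__":
    for number in SAMPLE_LOG:
        print(number, region_of(number), may_send(number, allow={"NANP", "GB"}))
    print("alerts:", volume_alerts(SAMPLE_LOG, threshold=2))
```

Failing closed on unrecognized prefixes keeps a deny list from silently permitting destinations the table does not cover.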

 

Only Use SMS Verification at the Right Time

SMS verification, while easy to understand and adopt, is not a highly secure MFA method, so it shouldn’t be used in high-risk situations. Configure your MFA policies according to the perceived level of risk for each step of the user journey and use SMS verification when appropriate. 

 

For example, an organization might use SMS as a verification method when new users sign up for a newsletter, because it wants to make sign-up as easy as possible to entice new readers and is not concerned with protecting sensitive information until purchases and other transactions are made. If this is the case, the MFA policy can require that SMS verification is used during the initial registration and subsequent sign-on experiences, and not require it for user profile updates.

 

However, when it comes to riskier transactions, such as storing credit card information, making purchases, or changing shipping address information, the level of risk increases and we would not recommend using SMS verification as the only authentication factor. Use secure FIDO2 protocols for these types of events instead.

 

Secure the Front Door

Once you’ve determined when and where you’re going to implement SMS verification, ensure that your existing account registration process is secure, which can be tackled in a variety of different ways.

 

The first way is by using PingOne Protect to identify high-risk individuals who might be trying to attack your organization and to mitigate the risk they pose. Use Protect’s predictors to understand the context of a new user, such as where they are located, what devices they’re using, and whether they’re a human or a bot. Then, react accordingly. This might mean that you ask users to authenticate using additional factors, or it might mean that you prevent them from creating a new account altogether.

 

If high-risk transactions or sensitive information are involved, you can also require that users register by providing strong proof of who they are. For example, you can use PingOne Verify to verify the authenticity of required credentials, such as a driver’s license or a passport. Or, you can use PingOne MFA to require stronger second-factor authentication methods, such as email, to complete the registration process, as opposed to SMS and voice verification.

How Ping Can Help

SMS verification, while familiar and user-friendly, requires a strategic and security-focused approach to be effective and safe. Ping Identity recognizes the challenges and vulnerabilities associated with SMS fraud and offers robust solutions to safeguard your organization. By carefully planning the implementation of SMS verification, using tools like PingOne MFA's "Allow" and "Deny" lists, and integrating additional security measures for high-risk situations, you can provide a seamless yet secure experience for your users. Remember, the goal is to balance convenience with security – ensuring your users' journey is not only welcoming but also fortified against potential threats. With Ping Identity's suite of tools and a thoughtful approach to SMS verification, you can achieve this balance, protecting both your users and your organization from the evolving landscape of digital threats.
