Unveiling the future: Redefining user authentication and fraud mitigation
Time to read: 6 minutes
As the fraud landscape evolves, how we think about user authentication and identity has changed dramatically. A shift from legacy methods, like SMS one-time passwords (OTPs), brings new opportunities to verify users securely.
There are also many new tactics fraudsters can employ, such as SMS pumping fraud, to exploit vulnerabilities, costing businesses millions of dollars annually. According to Twilio’s State of SMS Pumping Fraud, 5.4% of all international traffic (excluding US/CA) was SMS pumping-related.
During a webinar with Liminal, the leading market intelligence and strategy firm in digital identity, we discuss the future of digital authentication and how you can do more with less to protect your bottom line.
Sebastian Del Aguila Fiocco, product marketing specialist at Twilio, and Adam Elboim, director of product management for user authentication and identity at Twilio, sat down with Cameron D'Ambrosi, senior principal at Liminal and host of the State of Identity podcast. D'Ambrosi supports Liminal’s advisory services platform by offering clients key insights into the companies and technologies shaping digital identity today.
How has user authentication evolved?
About 30 years ago, when the internet was just getting started, it didn't really have a digital identity layer. So companies were left trying to figure out how to identify users coming onto their platform and then how to get rid of bad actors doing fraudulent things.
“The easiest thing back in those days was to create a username and password combination that the user would register at and then provide later on,” said Elboim. “It was really simple and cheap to administer.”
However, over the years companies found that users were often using the same username and password across all the different sites they signed up for. Businesses began to realize the pitfalls of only using a username and password, so many added a layer of two-factor authentication (2FA) such as SMS OTPs.
“15 years ago, companies like Twilio made it really easy to send an SMS with an OTP to authenticate a user,” said Elboim. “Over the last five years, advancements in mobile phone technologies built into operating systems and high-definition phone cameras have added even more ways to authenticate a user.”
Essentially, there are many more tools available to identify users. But at the same time, it's become much more complex for companies to understand those technologies and what happens if the technology isn't always available.
How should we adjust our understanding of fraud prevention strategies?
For every advancement companies make in defending their platforms from fraud, expect fraudsters to advance their techniques in response.
“Increasingly, the fraudsters that you are facing off against as a business are not individual threat actors,” said D'Ambrosi. “They are extremely well organized, financed, trained and educated fraud rings. Not run like individual operators, but as an enterprise business with budgets, trainings, and fraud sales quotas for individual fraudsters.”
This sophistication means that fraudsters are extremely efficient and adept at identifying vulnerabilities, because behind an attack is an entire call center full of people. That explains how quickly fraudsters exploit an identified vulnerability and how efficiently they capitalize on it.
“Given how opportunistic these fraud rings are, if you can make your platform not impossible to penetrate but marginally more difficult to penetrate than your peers or competitors, that will help keep you out of the firing line,” said D'Ambrosi. “If you are more difficult to breach, that's really going to start steering a lot of traffic to other places.”
How have technological advancements both helped and complicated the fight against fraud?
Although technologies are fundamentally agnostic, they can be used just as easily to perpetrate fraud, especially at the intersection of technology and the social engineering of users.
“There is never going to be a technology that's really ever going to stop a social engineering attack because, by definition, the user is being socially engineered,” said D'Ambrosi. “If you put a million locks on a door, but the bad guy gets those keys, there's no amount of locks that's going to change that dynamic.”
It all comes down to consumer education, awareness, and behavioral authentication vectors.
“There are technologies that can help us understand the motive or risk level of certain behaviors independent of the question of whether they are authorized to be on a platform,” said D'Ambrosi.
For example, if an account holder who is being socially engineered into sending a bank wire is challenged only with a password, they will simply answer the prompt. But if the bank can detect that it’s 2 a.m. and the transaction is going to a high-risk jurisdiction, it can treat the transaction as highly suspicious. The bank can then decide to put a 24-hour hold on the transaction until it can get a phone call in place to speak with the account holder and really understand why they are making this transaction.
“We're increasingly seeing platforms move to these kind of controls and policies, putting some speed bumps in place, to protect against fraud rather than a true technological defense,” said D'Ambrosi.
How crucial are education and awareness when tackling social engineering?
Ultimately, there are two ways that fraudsters look at gaining access to accounts. One is by impersonating the victim or stealing something from the victim, which is what user education is centered on right now: for example, a consumer gets an email from their bank that says, “Hey, watch out for social engineering, here's what it looks like.”
The second way fraudsters try to access accounts is by getting the user to do something themselves. That is harder for companies, financial institutions, and others that use authentication technology to detect.
“Sometimes the user gives the fraudsters those keys because they believe they're doing the right thing and they believe the fraudster is actually helping them,” said Elboim. “Those are the types of things that companies are focused on right now, which is minimizing the impact of social engineering on the actual victims.”
However, technology is making fraudsters' impersonations more convincing. People can be inherently trusting, especially when they hear somebody on the other end of the line saying, “Hey, I'm on your side.”
How is AI a double-edged sword in the ongoing battle with fraud?
Artificial intelligence (AI) has unleashed a whole realm of new and exciting possibilities on the fraud prevention side. But what's important to note about the intersection of fraud and AI is that AI is not a net new threat vector in and of itself.
“What AI is really good at is helping people who maybe lack the skills or language ability or technical ability to achieve a fraud task,” said D'Ambrosi. “With AI, you can automate that scale very easily, very cheaply, and very effectively with a limited amount of training.”
In terms of social engineering, AI can make someone who doesn't speak very good English a great social engineer by deploying ChatGPT during a conversation with a potential victim. And with phishing scams, AI can help fraudsters craft a very realistic facsimile of an organization's login email to send to people.
“What makes AI so pernicious is that it is unlocking these types of fraud for people who just lack the technical chops to accomplish them previously,” said D'Ambrosi. “It makes it much cheaper and easier to achieve these kinds of fraud while scaling them and automating processes.”
For example, say you have a call center with 20 fraudsters who previously could only make 100 phishing attempts per day. Now, with generative AI tools, they could potentially make five times that many without changing their approach.
“Theoretically, fraudsters are going to be able to up their success rate five times with these AI tools,” said D'Ambrosi. “So fraud is really going to increase the velocity of these threats. And when fraudsters get their hooks into a platform by identifying a weakness, they're going to exploit it even more quickly and ruthlessly.”
On the flip side, AI is also getting better and smarter at detecting other AI, so companies are less concerned about AI-driven brute-force attacks. Companies can employ different types of technologies, such as anti-AI tooling that counters fraudsters' AI.
“You're going to have companies spend more time figuring out how to protect their users from social engineering, and say what's a legitimate correspondence between the company and the user, than they have in the past,” said Elboim.
The emphasis will be to focus on the behavioral metrics of users. For example, companies can ask questions like: Is it normal for this person to be doing this transaction? From this geolocation? At this time of day? With this device?
“Piecing together normal behavior, however, is more of a probabilistic endeavor than it is deterministic,” said Elboim. “You have to really collect a lot of information on the individual before you can get to that point.”
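The behavioral, risk-based controls described above (the 2 a.m. wire to a high-risk jurisdiction, and the "is this normal for this person, location, time and device?" questions) can be sketched as a small scoring policy. The following is an added example written for this recap; it is not code from Twilio or from the webinar. The transaction history, the high-risk country codes and the point weights are all constructed assumptions, chosen so that a routine transaction is allowed, a new device triggers a step-up challenge, and the 2 a.m. high-risk wire is held for a callback. A real deployment would derive its baseline from far more data and, as Elboim notes, treat the result as probabilistic rather than as a hard rule.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median

# Constructed sample history for one account (hour of day, country, device id, amount in USD).
# These are made-up values for the example, not real transaction data.
HISTORY = [
    (9, "US", "dev-a", 120.0), (12, "US", "dev-a", 80.0), (18, "US", "dev-b", 200.0),
    (10, "US", "dev-a", 150.0), (14, "US", "dev-a", 95.0), (19, "US", "dev-b", 300.0),
    (11, "US", "dev-a", 60.0), (17, "US", "dev-a", 210.0),
]

# Hypothetical high-risk jurisdictions; a real policy would use the business's own list.
HIGH_RISK_COUNTRIES = {"XX", "YY"}

# Assumed point weights and thresholds (policy choices, not values from the page).
WEIGHTS = {"unusual_hour": 2, "new_country": 2, "high_risk_country": 3,
           "new_device": 2, "unusual_amount": 2}
HOLD_THRESHOLD = 5      # at or above: 24-hour hold pending a callback to the account holder
STEP_UP_THRESHOLD = 2   # at or above: require an additional possession-based challenge


@dataclass
class Baseline:
    hours: Counter        # how often the user transacts at each hour of day
    countries: set        # countries seen before
    devices: set          # device ids seen before
    typical_amount: float # median historical amount


def build_baseline(history):
    """Summarize what 'normal' looks like for this account from its past transactions."""
    return Baseline(
        hours=Counter(h for h, _, _, _ in history),
        countries={c for _, c, _, _ in history},
        devices={d for _, _, d, _ in history},
        typical_amount=median(a for _, _, _, a in history),
    )


def score_transaction(baseline, hour, country, device, amount):
    """Return (score, reasons) for a new transaction measured against the baseline."""
    score, reasons = 0, []

    # Time of day: unusual if the user has never transacted within an hour of this time.
    def near(h):
        diff = abs(hour - h)
        return min(diff, 24 - diff) <= 1
    if not any(near(h) for h in baseline.hours):
        score += WEIGHTS["unusual_hour"]; reasons.append("unusual_hour")

    if country not in baseline.countries:
        score += WEIGHTS["new_country"]; reasons.append("new_country")
    if country in HIGH_RISK_COUNTRIES:
        score += WEIGHTS["high_risk_country"]; reasons.append("high_risk_country")
    if device not in baseline.devices:
        score += WEIGHTS["new_device"]; reasons.append("new_device")
    # Amount: flag anything more than five times the user's typical amount.
    if amount > 5 * baseline.typical_amount:
        score += WEIGHTS["unusual_amount"]; reasons.append("unusual_amount")
    return score, reasons


def decide(score):
    """Map a risk score to the 'speed bump' the platform applies."""
    if score >= HOLD_THRESHOLD:
        return "hold_24h_callback"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(baseline, hour, country, device, amount):
    score, reasons = score_transaction(baseline, hour, country, device, amount)
    return {"decision": decide(score), "score": score, "reasons": reasons}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # The scenario from the webinar: a 2 a.m. wire to a high-risk jurisdiction from an unknown device.
    print(evaluate(base, 2, "XX", "dev-z", 5000.0))
    print(evaluate(base, 10, "US", "dev-a", 100.0))
```

The decision is driven by the combination of signals rather than any single one: a new device on its own only earns a step-up challenge, while the late-night, high-risk, unusually large wire crosses the hold threshold, which is the "speed bump" D'Ambrosi describes.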
How Twilio can help companies prevent fraud
Twilio makes it very easy to send an SMS containing a six-digit PIN to authenticate a user. We create purpose-built APIs for user authentication. With Twilio Verify, you can do all types of two-factor authentication through possession, including:
- Phone number possession through multiple channels like SMS, WhatsApp and voice
- Device possession through passkeys, TOTP, or push
- Email possession
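To show what a possession-based OTP check involves on the server side, and where the SMS pumping fraud mentioned at the start of this post is mitigated, here is an added example of a minimal OTP service. It is not Twilio Verify's code or API; it is a self-contained illustration that generates a six-digit code, stores only an HMAC of it, enforces an expiry and an attempt limit, compares submissions in constant time, and rate-limits sends per destination so a single number cannot be used to pump traffic. The key, limits, status strings and phone numbers are all constructed assumptions; delivery over SMS, WhatsApp or voice is left to the channel and is not implemented here.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for the example (not Twilio's defaults).
CODE_LENGTH = 6
TTL_SECONDS = 5 * 60            # a code is valid for five minutes
MAX_ATTEMPTS = 5                # wrong guesses allowed before the code is invalidated
MAX_SENDS_PER_WINDOW = 3        # sends allowed per destination per window
SEND_WINDOW_SECONDS = 10 * 60   # the rate-limit window


class OtpService:
    """Minimal server-side OTP issuer/verifier with expiry, attempt limits and send rate limiting."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key        # secret used to HMAC stored codes
        self._clock = clock           # injectable clock so the behaviour is testable
        self._pending = {}            # destination -> (code_hmac, expires_at, attempts_left)
        self._send_log = {}           # destination -> list of send timestamps

    def _digest(self, destination: str, code: str) -> bytes:
        # Bind the code to the destination so a code issued for one number cannot be replayed for another.
        return hmac.new(self._key, f"{destination}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, destination: str):
        """Issue a new code for a destination, or return None if the destination is rate limited."""
        now = self._clock()
        recent = [t for t in self._send_log.get(destination, []) if now - t < SEND_WINDOW_SECONDS]
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            return None  # too many sends to this number: the SMS pumping mitigation
        recent.append(now)
        self._send_log[destination] = recent
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[destination] = (self._digest(destination, code), now + TTL_SECONDS, MAX_ATTEMPTS)
        # In production the plaintext code goes only to the delivery channel and is never logged.
        return code

    def check_code(self, destination: str, submitted: str) -> str:
        """Verify a submitted code; returns one of approved, wrong_code, expired, locked, no_pending."""
        entry = self._pending.get(destination)
        if entry is None:
            return "no_pending"
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[destination]
            return "expired"
        # Constant-time comparison of HMACs avoids leaking how many characters matched.
        if hmac.compare_digest(digest, self._digest(destination, submitted)):
            del self._pending[destination]   # a code is single-use
            return "approved"
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[destination]   # burn the code after too many guesses
            return "locked"
        self._pending[destination] = (digest, expires_at, attempts_left)
        return "wrong_code"


if __name__ == "__main__":
    svc = OtpService(server_key=secrets.token_bytes(32))
    number = "+15550000001"  # constructed placeholder number
    code = svc.request_code(number)
    print("issued", code)
    print("wrong guess ->", svc.check_code(number, "000000" if code != "000000" else "000001"))
    print("correct guess ->", svc.check_code(number, code))
```

Keeping only the HMAC of the code means a leaked verification store does not reveal live codes, and binding the digest to the destination stops a code issued to one number from being accepted for another; the per-destination send limit is the cheapest first line against artificially inflated traffic.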
“Because Twilio sees billions of transactions go across our network, we have a lot of intelligence that we can gather from that,” said Elboim. “Is a user a legitimate user or are they trying to use this phone number for nefarious purposes like artificially inflated traffic or stealing someone else's ID?”
Catch the rest of the webinar here to learn:
- How businesses should adapt their fraud prevention strategies
- Where user authentication will be in the next few years
- And more!