Fighting Fraud with SMS Verification
Table of Contents
- What is SMS verification?
- Why use SMS verification?
- What are the drawbacks of SMS verification?
- How does SMS verification fit into a fraud prevention strategy?
- Prevent fraud, prevent chargebacks
- Can SMS verification be bypassed?
Most methods of identity verification are based on an idea called “the three factors of authentication.” The premise is that you can verify someone’s identity by using three different factors: Something they know, something they are, and something they have. “Something you know” could be a login password. “Something you are” could be biometric data, like a fingerprint. And “something you have” could be a smartphone.
For a long time, many merchants relied solely on single-factor authentication in the form of a login password. Unfortunately, many users choose simple passwords that are easy to guess or crack. Passwords can also be compromised in data breaches, and since most customers have one or two passwords they re-use for everything, a data breach anywhere can compromise user accounts everywhere. Biometric authentication can be difficult to implement, although there are some emerging developments in that area, such as Apple and Android allowing apps to ask the user for a fingerprint. For many merchants, the next best thing is to employ two-factor authentication by sending a unique, single-use code to something the customer has: their phone.
What is SMS verification?
SMS verification is easy enough to set up. When a customer creates an account, the merchant can require them to provide a phone number. The merchant can then request two-factor authentication when they want to make a purchase, change their account information, or log in.
After the customer has logged in with their password, the merchant’s SMS verification system can send a one-time code as a text message to the phone number the customer provided. Once the customer reads the code on their phone, they can enter it into the merchant’s app or website to complete the second authentication step and proceed.
SMS verification codes are usually designed to expire after a few minutes. If the customer doesn’t enter the code before it expires, they will have to submit a new request and try again.
Typically, websites using two-factor authentication allow the user to request that their device be remembered, so logging in from the same device in the future won't require SMS verification.
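The issue-and-check flow described above, as an added example (not code from the original article): an in-memory verifier that generates a code, expires it after a few minutes and accepts it only once. The class name, the six-digit length, the 300-second lifetime and the five-guess limit are assumptions; the article gives no specific values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed value for "a few minutes"
MAX_ATTEMPTS = 5        # assumed cap on guesses per issued code

class SmsCodeVerifier:
    """Issues and checks one-time SMS codes (in-memory store, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> salt, digest, expiry, attempt count

    @staticmethod
    def _digest(salt, code):
        # Keep only a salted hash so the store never holds the plain code.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account_id):
        """Create a fresh code; any earlier code for the account is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
        salt = secrets.token_bytes(16)
        self._pending[account_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # pass to the SMS gateway; do not log it

    def verify(self, account_id, submitted):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_code'."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_code"
        if self._clock() >= entry["expires"]:
            del self._pending[account_id]
            return "expired"
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(entry["salt"], submitted)):
            del self._pending[account_id]  # single use: a replayed code finds nothing
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]  # too many guesses: customer must request a new code
            return "locked"
        return "wrong"
```

The injectable `clock` argument exists so expiry can be exercised without waiting; a production deployment would keep the pending entries in a shared store rather than process memory.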
Why use SMS verification?
The main benefit of SMS verification is that it can stop fraudsters who have obtained a customer’s username and password and are attempting to conduct an account takeover.
Since the fraudster will almost certainly not have access to their victim’s personal smartphone, two-factor authentication can stop them from logging in, making purchases, or altering the account details.
One of the most effective ways to use SMS verification is in conjunction with automated fraud tools that use machine learning and artificial intelligence to “score” transactions based on the signs of potential fraud they carry. Transactions that are assigned a high score can be red-flagged for manual review.
Rather than manually review these potentially risky transactions and make a subjective judgment call about whether or not to approve them, merchants can instead employ an automated process that asks for SMS verification on flagged orders. If the customer is able to pass this second authentication step, the chances are very good that they are who they say they are, and the merchant can feel confident that the transaction probably won’t come back to bite them as a true fraud chargeback.
What are the drawbacks of SMS verification?
The most common downside of SMS verification is that it adds a layer of friction to the purchasing process, which means there’s a chance that customers will get annoyed, have second thoughts, and abandon their shopping cart.
This becomes less likely as consumers achieve greater awareness of the dangers of online fraud and encounter two-factor authentication more frequently, but it is something to consider. In order to minimize this downside, merchants might choose to only require SMS verification on orders that get flagged by their anti-fraud tools, meaning most customers won't experience this friction at all. However, this does come with an increased risk of fraud, so individual merchants should balance these decisions based on their fraud exposure and customer behavior.
The other negative aspect of SMS verification is that it isn’t a guaranteed defense, and can provide a false sense of security if you rely on it completely. With tactics like social engineering and SIM swapping fraud, it is possible for cyber-criminals to gain access to a victim’s phone number or text messages.
While it is rare for fraudsters to breach two-factor authentication, it’s not unheard of, especially if the victim has been specifically targeted. In addition, SMS verification is quickly spreading across much of the internet, which means there's more and more incentive for fraudsters to come up with schemes to get around it. In the endlessly escalating war between fraudsters and fraud prevention, there are no perfect solutions.
How does SMS verification fit into a fraud prevention strategy?
SMS verification works best within the context of a thorough anti-fraud strategy that employs basic countermeasures such as strong password requirements, velocity checking, blacklists, AVS and CVV verification, the aforementioned risk-scoring anti-fraud tools, and other best practices for identifying and blocking fraud.
Unfortunately, there are plenty of clever and resourceful fraudsters out there, and no single solution is going to stop them all.
A varied mix of methods, providing overlapping coverage against the different forms of fraud that you expect to encounter, gives you the best chance of preventing as much of it as possible.
No merchant can prepare for every individual method of fraud and every trick to bypass anti-fraud measures, especially since fraudsters are always coming up with new methods and tactics and sharing them with others online. Since it's impossible to know what angle the next attack might come from, having a variety of anti-fraud tools in place is the best way to protect your business. While newer tools like SMS verification provide the best defense against certain types of fraud, there are other attacks that might only be stopped by "old-fashioned" verification methods like AVS and CVV matching.
Prevent fraud, prevent chargebacks
Merchants must remember that they are the ones who end up paying for the fraud that victimizes their customers, in the form of chargebacks that cannot be fought or avoided after the fact. When you receive a true fraud chargeback, all you can do is accept it—and try to figure out how the fraud slipped past your defenses so you can stop similar attacks from succeeding in the future.
While some merchants may be understandably averse to the expense and friction of adding new authentication steps designed to catch fraud, there’s no denying that fraud is constantly evolving, and adapting to counter new threats is a necessity. A robust anti-fraud strategy backed up by the right tools for the job is a worthy investment that can protect your customers and prevent costly chargebacks.
Can SMS verification be bypassed?