Despite the widespread adoption of one-time passcodes (OTP) for authentication, few fraud prevention decision makers are confident in their organization’s ability to detect or stop OTP fraud from happening. The majority of respondents are exploring less popular authentication alternatives while searching for technologies and partners to proactively address OTP fraud, according to the findings of a commissioned study conducted by Forrester Consulting on behalf of Neustar.
The in-depth survey of 300 North American fraud prevention decision makers showed that customer authentication fraud is a major concern. To protect themselves and their customers, 60% of respondents currently use OTPs as part of their customer authentication strategy. This is in large part due to the positive reputation it has with consumers: 72% of respondents say customers perceive OTP authentication as secure and 71% of respondents say that OTP authentication is user friendly.
Unfortunately, the vulnerability of the mobile channel is weakening OTP effectiveness. Fraudsters have developed many ways to compromise phones and almost every respondent dealt with some type of mobile fraud in the past year. SMS OTP fraud attacks were commonplace, averaging in the double digits, even though one of the main reported challenges from fraud prevention decision makers is that they lack technology to detect and measure OTP fraud.
To stop SMS OTP fraud, most respondents want alternatives that do not negatively impact the customer experience and are looking for technology and partners to help them achieve that. Nearly seven in 10 respondents have begun investing in technology to help prevent OTP incidents. The most important capabilities to prevent SMS OTP fraud identified by respondents are the ability to identify high risk phone numbers (83%), the ability to detect a scam in progress before sending the OTP message (82%), and the use of decisioning techniques to determine the best OTP channel for use (78%).
"Identity theft and fraudulent sign-ups are a growing problem for firms with customer-facing services. You want to make sure that users who sign up are who they claim to be and are authorized to interact with your organization," according to a recent report authored by Forrester vice president and principal analyst Andras Cser and former Forrester senior analyst Sean Ryan. A separate Forrester report authored by Cser and Ryan states, "Regardless of what authenticator method is used, the most important thing is that the process be secure end to end and that the user experience does not hinder productivity…Invest in risk-based, contextual authentication to identify anomalous access. Risk scoring, based on input signals such as time of day, geolocation, or IP address, adds intelligence and makes it possible to apply graduated responses."