The rise of AIT scams: how fraudsters are undermining text passcodes

To ensure the integrity of SMS communications and protect against AIT scams, CISOs and CSOs should prioritize the security of their companies’ mobile channels by implementing strong controls, monitoring systems, and user verification processes, according to Albrecht. They also need to improve collaboration with app developers and mobile network operators (MNOs) to share information, best practices, and countermeasures and combat AIT scams collectively.

Awareness is the first step in combatting AIT scams

“By staying informed about emerging threats, such as AIT scams, CISOs and CSOs can proactively assess risks, implement appropriate controls, and allocate resources to mitigate the financial and reputational impacts of these scams,” Albrecht says.

Mandy Andress, chief information security officer at Elastic NV, agrees that CISOs should be concerned about these types of scams. Traffic pumping doesn’t take advantage of a security flaw per se, but it does take advantage of how easy it is to create new accounts, she says. And attackers could leverage that process for different types of malicious activity, depending on the services available.

“From a security perspective, the focus would be on the authentication and the new account creation process and not relying solely on SMS — which has been proven to be the most insecure — and instead use multifactor authentication or other approaches,” Andress says. “This would take away the ability for this type of scam to be successful and at the same time help to improve the security for your customers in their accounts.”

Best practices for reducing SMS AIT fraud

Reducing SMS AIT fraud is often a complex process that requires a multifaceted approach involving detection, prevention, and response strategies, Gibbons says. No single strategy is completely foolproof; the key is to build a strong, multilayered defense that includes:

  • Regular audits: Companies should conduct regular audits of their mobile traffic and advertising campaigns and look for any inconsistencies or irregularities in their data.
  • Skills and awareness: Ensure that teams understand the risks and signs of AIT scams. An educated team is better equipped to spot potential fraud and take action.
  • User behavior analysis: Understand the behavior of legitimate users to better spot when something is out of the ordinary. This will help distinguish between genuine and fraudulent traffic. The challenge for businesses here is their maturity, as few have this granular level of certainty. 
  • Trustworthy ad networks: For businesses engaged in digital advertising, it’s crucial to partner with ad networks known for taking proactive measures against fraud. These networks have strong systems in place to identify and mitigate AIT scams.

Yale Fox, a member of the Institute of Electrical and Electronics Engineers, offers these best practices to mitigate mobile SMS AIT fraud:

  • Blocking bots: Bots are often used in fraudulent activities to mimic human behavior and generate fake traffic. Blocking bots by default, particularly those that do not identify themselves, can effectively reduce fraudulent traffic. Organizations should maintain lists of user-agents that are allowed to crawl their sites and actively update those lists as new, legitimate bots emerge.
  • reCAPTCHA v2: This service can help distinguish between human users and bots. It presents tasks that are easy for humans but difficult for bots. Implementing reCAPTCHA v2 on mobile apps, particularly on forms and other interactive elements, can drastically reduce bot activity.
  • Rate limiting: This involves setting a limit on the number of requests a user or IP address can make within a certain timeframe. If the limit is exceeded, the user or IP is temporarily blocked. This technique can slow down or halt fraudulent traffic, especially from bots performing high-frequency activities.
  • Device fingerprinting: This technique identifies and tracks devices based on their unique configurations, such as the operating system, browser version, installed fonts, etc. By doing this, companies can identify suspicious patterns or recurring fraudulent activity coming from the same device, even if they change their IP addresses or use VPNs.
  • Honeypots: Honeypots are decoy systems or traps that appear as part of an organization’s network but are actually isolated and monitored. They are designed to lure in attackers, who waste their time and resources on the decoy while their actions are recorded and used to improve security measures.
  • Switch to passkeys: This is the new standard that many major companies have adopted. It solves a number of problems, one of which is that there is no real password to leak as the password is always changing.
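As an added example (not code from the article or from the experts it quotes), the following Python applies the rate limiting Fox recommends together with the traffic-audit and user-behavior checks from Gibbons’s list to an SMS one-time-passcode endpoint: a sliding-window limit per source IP and per destination number prefix, a check for the pumping signature of sends walking through consecutive numbers under one prefix, and an audit of a constructed send/verify log for prefixes whose verification rate collapses. The limits, the six-digit prefix, the log format and the phone numbers are assumptions made for the example.

```python
"""AIT gate for an SMS one-time-passcode endpoint.

Added example, not code from the article or from any vendor it quotes. It models
three of the controls discussed above: rate limiting per source IP and per
destination number prefix, a velocity check for the classic traffic-pumping
signature (a burst of sends to consecutive numbers under one prefix), and an
audit over send/verify logs for prefixes whose verification rate collapses.
The limits, the six-digit prefix and the log format are assumptions.
"""
from collections import defaultdict, deque


class AitGate:
    """Decide whether an OTP may be sent, keeping a sliding window of attempts."""

    def __init__(self, window=600.0, per_ip_limit=5, per_prefix_limit=20, run_len=4):
        self.window = window                      # seconds of history kept per key
        self.per_ip_limit = per_ip_limit          # sends allowed per source IP per window
        self.per_prefix_limit = per_prefix_limit  # sends allowed per number prefix per window
        self.run_len = run_len                    # consecutive numbers that count as a burst
        self.by_ip = defaultdict(deque)           # ip -> deque of (timestamp, number)
        self.by_prefix = defaultdict(deque)       # prefix -> deque of (timestamp, number)

    @staticmethod
    def prefix(phone):
        # Assumption: E.164 number; the first six digits approximate country + operator range.
        return phone.lstrip("+")[:6]

    def _trim(self, dq, now):
        # Drop attempts that fell out of the sliding window.
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def decide(self, now, ip, phone):
        """Return 'allow' or a 'deny:<reason>' string for one send request."""
        number = int(phone.lstrip("+"))
        ip_q, prefix_q = self.by_ip[ip], self.by_prefix[self.prefix(phone)]
        # Record the attempt before checking, so denied requests still count against the caller.
        ip_q.append((now, number))
        prefix_q.append((now, number))
        self._trim(ip_q, now)
        self._trim(prefix_q, now)
        if len(ip_q) > self.per_ip_limit:
            return "deny:ip_rate"
        if len(prefix_q) > self.per_prefix_limit:
            return "deny:prefix_rate"
        # Pumping bursts walk a number range: the last run_len sends under this prefix
        # being consecutive integers is a strong signal regardless of source IP.
        tail = [n for _, n in prefix_q][-self.run_len:]
        if len(tail) == self.run_len and all(b - a == 1 for a, b in zip(tail, tail[1:])):
            return "deny:sequential"
        return "allow"


def audit_log(lines, min_sends=5, max_verify_rate=0.2):
    """Flag number prefixes with many OTP sends but few verifications.

    Legitimate users type the code in; pumped traffic never does, so a prefix whose
    verification rate collapses is the inconsistency a traffic audit should surface.
    Assumed line format: "<unix_ts> <event> <phone>" with events otp_sent / otp_verified.
    """
    sends, verified = defaultdict(int), defaultdict(int)
    for line in lines:
        _, event, phone = line.split()
        pfx = AitGate.prefix(phone)
        if event == "otp_sent":
            sends[pfx] += 1
        elif event == "otp_verified":
            verified[pfx] += 1
    return {
        p: (sends[p], verified[p])
        for p in sends
        if sends[p] >= min_sends and verified[p] / sends[p] <= max_verify_rate
    }


# Constructed log: three US users who each verify their code, and six sends into one
# UK drama-reserved range (07700 900xxx) of which only one is ever verified.
SAMPLE_LOG = [
    "1700000000 otp_sent +14155550101", "1700000031 otp_verified +14155550101",
    "1700000060 otp_sent +14155550102", "1700000088 otp_verified +14155550102",
    "1700000120 otp_sent +14155550103", "1700000151 otp_verified +14155550103",
    "1700000200 otp_sent +447700900200", "1700000201 otp_sent +447700900201",
    "1700000202 otp_sent +447700900202", "1700000203 otp_sent +447700900203",
    "1700000204 otp_sent +447700900204", "1700000205 otp_sent +447700900205",
    "1700000240 otp_verified +447700900200",
]


if __name__ == "__main__":
    gate = AitGate()
    burst = ["+447700900100", "+447700900101", "+447700900102", "+447700900103"]
    for i, n in enumerate(burst):
        # Each request comes from a different IP, so only the sequential check catches it.
        print(n, gate.decide(10 + i, f"198.51.100.{i}", n))
    print(audit_log(SAMPLE_LOG))
```

Two design choices matter in practice: denied attempts are still recorded, so a caller cannot probe the limit for free, and the sequential check keys on the destination prefix rather than the source IP, because pumping operations rotate IPs and VPN exits while the numbers they drive traffic to stay clustered. In a real deployment the window state would live in a shared store (for example a cache with expiring keys) rather than in process memory, and the audit would run over the SMS provider’s delivery and verification records on a schedule.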

As technology continues to evolve and new forms of AIT fraud emerge, staying informed and up to date is fundamental, according to Gibbons. Continuous learning, adaptability, and vigilance are key to staying one step ahead of the fraudsters. 

“AIT fraud is a complex, pervasive issue that poses significant challenges for businesses, consumers, and society as a whole,” Gibbons says. “However, by understanding the risks, taking proactive measures, and working together, these risks can be mitigated to create a safer, more trustworthy digital environment.”
