Prove's Approach to Evolving Phone Number Fraud using OTPs

There is a recent trend of increased "rented phone number fraud," a type of attack where fraudsters exploit the age (tenure) of a phone number to bypass SMS 2FA/OTP. This should be "It's a simple concept, but it's proving to be effective against legacy verification methods, and it's increasing risk for all organizations that use OTPs.. 

The core issue is this: bad actors are using seemingly legitimate, tenured phone numbers – numbers with a verifiable history but either no longer associated with their original owners or restricted to SMS only – to circumvent security measures and commit fraud. This poses a significant risk because it undermines the fundamental trust placed in phone number-based authentication. By leveraging tenured numbers that appear legitimate, fraudsters bypass security measures designed to verify identity. These numbers, despite their history, are essentially compromised, as they are no longer controlled by the original, verified user. 

The end game for fraudsters is that it allows them to impersonate legitimate individuals, gain unauthorized access to sensitive accounts, and execute fraudulent transactions. The very attribute that was once a signal of reliability – phone number age – becomes a vulnerability.

Legacy solutions are inadequate at solving this growing threat, and to effectively solve it, a more comprehensive approach to phone number verification is required. Prove addresses this by going beyond simple tenure checks. Our identity verification solutions analyze a phone number's multifaceted reputation, verify phone ownership, and identify an identity’s “primary phone number.” This comprehensive, real-time strategy allows us to identify and flag fraudulent activity even when fraudsters use numbers that appear clean on the surface.

Prove is the only company that can offer a truly comprehensive and accurate solution to phone number fraud, thanks to our 12+ years of longitudinal phone evidence in the U.S. and more than six years’ worth of data from 50 countries. Our multi-faceted approach analyzes a phone number's reputation, verifies ownership, and identifies primary phone numbers, providing a level of protection that others simply cannot match. 

Let’s look more closely at how this issue manifests and how companies can deal with it.

The Anatomy of the Attack

The threat landscape is rapidly evolving, with fraudsters now exploiting phone number tenure to circumvent security measures. They are renting “tenured” numbers – those with a historical record but no current, verified owner – to bypass SMS 2FA. This 'rented phone number fraud' poses a significant risk to banks, fintech companies, crypto platforms, and P2P networks, demanding a shift towards more robust verification. We will delve into the specific vulnerabilities, assess the associated risks, and outline practical strategies for building more resilient identity verification processes

Let's break down the specific vulnerabilities exploited through the misuse of tenured phone numbers, examine the associated risks to financial institutions and e-commerce platforms, and discuss actionable strategies for building more resilient identity verification processes.

The Core Problem: Over-Reliance on Tenure

Traditional identity verification leans heavily on phone number tenure as a primary trust signal. The assumption is that long-standing numbers are inherently linked to legitimate users. But that's a dangerous assumption in today's environment.

Here's how the scam typically unfolds (in 5 steps):

1. Renting the Number: Fraudsters rent a tenured phone number from services like TextVerified (it’s been popping up a lot lately). They use a debit or credit card to load money, which can later be used to rent phone numbers. Often the charge shows up as “TXVRFY” and these can be compromised cards.
2. Selective Routing: TextVerified rents these phone numbers out either (1) limited only to one particular website, or (2) the phone number could be rented across unlimited websites. The rental for one website is cheaper, and will only display text messages from the website that it was rented for. For example, if you purchased a phone number for Acme Company, only text messages from Acme Company would be displayed. Two separate bad actors could rent and use the same phone number concurrently.
3. Creating Fraudulent Accounts: Because these numbers have history, they often bypass basic fraud checks designed to look for new or inactive numbers.
4. Exploiting the Accounts: Whether it's synthetic identity fraud, account takeovers, or money laundering, the fraudster can operate with less risk of being flagged.
5. Disappearing Act: Once the rental expires, the number goes back into circulation, leaving minimal trace of the fraudster.

Where are the Attacks Happening?

Let’s dissect the mechanics of these exploits so we can understand how fraudsters leverage readily available, tenured phone numbers to circumvent traditional security measures. From compromising existing accounts through credential stuffing and phishing, followed by SMS-based OTP bypass, to the creation of synthetic identities bolstered by seemingly legitimate, rented numbers, we'll explore the sophisticated tactics employed and the significant risks they pose to digital marketplaces and financial institutions.

Looking more closely, we can see how these attacks happen:

• Account Takeover (ATO) with Rented Phone Numbers: Fraudsters are using rented numbers to compromise existing accounts. They might buy credentials on the dark web or use phishing. Then, they use the rented number to get past SMS-based OTP checks. Once in, they change account details, add new payees (Zelle is a common target), or start fraudulent transactions. They might even try a SIM swap/port to take over the real customer's number.
• New Account Fraud with Synthetic Identities and Rented Phone Numbers: Fraudsters are creating new, fake accounts using a mix of real and fake info, with the rented phone number as a key element. They get a tenured number from a service like TextVerified, making it appear like a legit, post-paid mobile account. This gets them past initial SMS OTP checks. Then they use the account for various types of fraud, including money laundering or exploiting rewards programs.

The Catch: Tenure is Not Enough

The problem is, services like TextVerified fail to account for recycled numbers, temporary services, and how easy it is for bad actors to acquire and misuse previously valid credentials. A real phone number isn't just old – it's actively used in ways that are tough for fraudsters to fake:

• Communication Patterns: Legitimate users have real call and text histories, creating networks with a defined set of contacts.
• SMS Only: For example, the TextVerifed service can only receive text messages and cannot receive calls or voice OTPs.
• Authentication & Transactional Records: Phones are used daily for authentication, account access, and payments.
• Mobility & Network Access: Real users have established patterns of network access and roaming behavior, creating digital footprints linked to physical locations.

These patterns build a behavioral profile that's difficult to replicate at scale. Traditional methods often miss these nuances, leaving us exposed.

How Does Prove Detect

Enhanced Detection is Key

Prove's strength is in our deep understanding of telecom infrastructure and its dynamics. Our solution analyzes a wide range of signals to identify recycled, rented, ported, and swapped numbers, giving us better detection capabilities.

We move beyond simple tenure-based checks with a holistic approach, assessing both tenure and real-time risk factors.

Why This is Important

Phone numbers and devices are constantly changing due to:

• Consumer Lifecycle Events: People change numbers to escape debt or for privacy.
• Device Upgrades: Replacing old, lost, or stolen devices while keeping the same number.
• Multi-Device Ownership: Managing multiple devices.
• Service Provider Changes: Switching phone companies.
• eSIM proliferation: Consumers are using multiple eSIMs, with different phone numbers assigned to a single device.

These behaviors add complexity that fraudsters exploit. 

Prove's Multi-Faceted Approach

Checking the ownership of a phone and the multiple elements of reputation offers a more refined picture of the risk involved in interacting with the phone and consumer.  

• Reputation Analysis: We analyze how a phone number has been used over time and evaluate device information in real time. We maintain a history of phone activity and data, generating a Reputation score. This score alone can often detect suspicious numbers.
• Risk Tables: Prove also obtains hundreds of thousands of phone numbers used for these types of services and checks these lists to indicate when we have a specific phone number.
• Phone Ownership Verification: Even if a number has a decent reputation score, we verify that the person using the phone can be identified as the actual owner.
• Launching in 2025: Primary Number Identification: We determine if a phone number, phone line, and device are the primary ones for a consumer, versus others associated with them via Assurance Levels.

By understanding the nuances of phone number usage, device behavior, and network-level interactions, we can mitigate the risks posed by these "new" scams using Prove’s services. Prove offers a multi-layered approach that analyzes tenure, real-time risk factors, and phone ownership ensuring robust protection against fraud while maintaining a seamless user experience. The ongoing refinement of these technologies, driven by expanding behavioral intelligence and cross-network collaboration, will be critical in staying ahead of increasingly sophisticated fraud tactics.

Contact Prove so we can show you how to address phone number fraud.