Porting attacks have earned their place on Prove’s list of 8 major fraud vectors because they are both quite common and extremely harmful to the victim.
What is a porting attack?
A porting attack is a form of fraud in which the attacker ports the victim's phone number to a carrier account the attacker controls, then uses the hijacked number to take over the victim's online accounts (banking, crypto, etc.). Porting attacks, like SIM swap fraud, therefore fall under the umbrella of account takeover fraud.
What is call porting?
To understand how a porting attack works, you first need to understand the purpose of legitimate call porting (more formally, number porting under local number portability rules). With call porting, consumers can switch service providers while keeping their phone number. If you have ever moved from AT&T to Verizon, or vice versa, to take advantage of a compelling offer while keeping the same phone number, you have used call porting.
Because number portability is critical to a healthy, competitive telecommunications market, the FCC requires carriers to complete simple ports within one business day. Unfortunately, the speed and ease of porting, combined with the widespread use of SMS-delivered OTPs as a second factor, have given criminals a relatively easy way to commit account takeover at scale.
What is 2-factor authentication (2FA) and how does it fuel porting attacks?
2-factor authentication (2FA) combines two different kinds of credential to make a login or transaction harder to hijack. For example, 2FA might pair 'something you know' (your username and password) with 'something you have' (your phone). To prove possession, many companies send a one-time passcode (OTP) to the phone. When that OTP travels over SMS or a voice call, the possession factor is really bound to the phone number rather than to the device, and that is the step a porting attack defeats: whoever controls the number receives the code.
What is a one-time passcode (OTP) and why do fraudsters steal it?
Today, the one-time passcode (OTP) is a common way of checking 'something you have'. At Prove, we call this 'running a possession check.' When a customer first creates an account, they enter their phone number. Later, when they log in or attempt a high-risk transaction, a short string of random digits, the OTP, is texted to that number, and the customer must type it back to continue. Note what is actually proven: control of the phone number at the moment the text is delivered, not ownership of a particular handset. In a porting attack the fraudster controls the number, so the OTP is delivered to them and they use it to enter the victim's account.
How do porting attacks work?
To take over a victim's online bank account, a fraudster usually needs either to reset the password or to pass a login challenge, and in many cases neither is possible without completing the possession check. To obtain the victim's OTP, the fraudster may use a porting attack.
During a porting attack, the fraudster signs up for a new line with a different carrier in the victim's name, supplying a few pieces of basic information. In his Medium article (“SIM-swap and number porting attacks: should you be concerned?”), Luc Delorme explains the basics:
“It’s also deceptively simple to steal someone’s service by porting it to a new plan at a new carrier. All a scammer needs to do is sign up for a new phone line and provide your name, phone number, and your wireless account number. The new carrier will set up the line and port in your number. This usually happens in minutes.”
By the time the victim notices that their phone has lost service, the fraudster has already received the OTP, gained access to the victim's bank account, and, all too often, drained their savings.
What is the difference between porting attacks and SIM swap fraud?
In a porting attack the phone number is moved from one carrier to another. In SIM swap fraud the number stays with the same carrier but is reassigned to a new SIM card that the attacker holds, typically by persuading the carrier's support staff to perform the swap. The outcome is the same in both cases: calls and texts, including OTPs, are delivered to a device the attacker controls.
How do porting attacks negatively impact the victim?
Victims of porting attacks describe the experience as traumatizing. Losing access to your phone number, bank accounts, and ultimately, your money in short succession is terrifying.
How can consumers prevent porting attacks?
An important step consumers can take today to protect themselves from porting attacks is to set a port-out PIN (also called a number transfer PIN or account PIN) with their carrier. The receiving carrier must supply that PIN before the number can be moved, so a fraudster who knows only the victim's name, phone number and account number is stopped. Some carriers also let customers lock the number against port-outs and SIM changes altogether. Of course, more advanced solutions that don't require additional PINs and customer intervention would ultimately be preferable from both a security and customer experience perspective.
How can companies stop porting attacks?
Companies play an integral role in preventing fraudsters from stealing OTPs and accessing victims’ accounts. Today, leading banks, financial institutions, and companies from almost every industry are leveraging Prove’s Trust Score to avoid sending vulnerable OTPs to bad actors. Here’s how it works:
Prove’s Trust Score™ is a real-time measure of phone number reputation that can be leveraged for identity verification and authentication purposes. Trust Score analyzes behavioral and Phone-Centric Identity™ signals from authoritative sources at the time of a potential transaction to mitigate fraud such as SIM swap fraud and other account takeover schemes. Trust Score can be utilized to secure the customer experience in a number of different scenarios from digital onboarding to digital servicing and existing customer authentication.
In short, a phone number that has recently been ported will have a lower Trust Score, and the company can withhold the OTP and step the customer up to a different factor instead. Today, Trust Score is widely considered a must-have for any organization that issues OTPs.
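The possession check described above, with a pre-OTP number-reputation gate of the kind this section describes placed in front of it, as an added example. This is not Prove's code and not the Trust Score API: the NumberRecord fields, the seven-day window, the HMAC key and the +1555 numbers are assumptions and constructed data. Beyond the gate itself, the service re-checks the port signal when the code is entered, which catches a port that completes after the SMS has already gone out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple


@dataclass
class NumberRecord:
    """Signals a carrier-data feed might expose for one number (assumed shape)."""
    phone: str
    enrolled_at: datetime              # when the customer registered the number
    last_port_at: Optional[datetime]   # most recent carrier-to-carrier port
    last_sim_change_at: Optional[datetime]


RECENT_CHANGE_WINDOW = timedelta(days=7)  # assumed policy threshold


def otp_channel_decision(rec: NumberRecord, now: datetime) -> str:
    """'sms' if an SMS OTP may go out, 'step_up' if another factor is required."""
    for changed_at in (rec.last_port_at, rec.last_sim_change_at):
        if changed_at is None or changed_at <= rec.enrolled_at:
            continue  # no event, or a port that predates the customer's enrollment
        if now - changed_at < RECENT_CHANGE_WINDOW:
            return "step_up"
    return "sms"


class OtpService:
    """Issues and verifies six-digit SMS OTPs behind the gate above."""

    def __init__(self, lookup: Callable[[str], NumberRecord],
                 send_sms: Callable[[str, str], None], key: bytes,
                 ttl: timedelta = timedelta(minutes=5)) -> None:
        self._lookup, self._send_sms, self._key, self._ttl = lookup, send_sms, key, ttl
        # phone -> (HMAC(phone:code), expiry, last_port_at observed at issue time)
        self._pending: Dict[str, Tuple[bytes, datetime, Optional[datetime]]] = {}

    def _digest(self, phone: str, code: str) -> bytes:
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def request(self, phone: str, now: datetime) -> str:
        rec = self._lookup(phone)
        decision = otp_channel_decision(rec, now)
        if decision == "sms":
            code = f"{secrets.randbelow(10 ** 6):06d}"
            self._pending[phone] = (self._digest(phone, code), now + self._ttl, rec.last_port_at)
            self._send_sms(phone, code)
        return decision  # 'step_up' tells the caller to use a stronger factor

    def verify(self, phone: str, code: str, now: datetime) -> bool:
        entry = self._pending.pop(phone, None)  # single use, right or wrong
        if entry is None:
            return False
        digest, expires_at, port_at_issue = entry
        if now > expires_at:
            return False
        # Re-check: a port completed after the SMS left means the code may have
        # landed on the attacker's line even though delivery was approved.
        if self._lookup(phone).last_port_at != port_at_issue:
            return False
        return hmac.compare_digest(digest, self._digest(phone, code))


def demo() -> Dict[str, object]:
    """Exercise the gate on constructed records (not real customers)."""
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    enrolled = now - timedelta(days=400)
    records = {
        "+15555550100": NumberRecord("+15555550100", enrolled, now - timedelta(days=2), None),
        "+15555550101": NumberRecord("+15555550101", enrolled, now - timedelta(days=30), None),
        "+15555550102": NumberRecord("+15555550102", enrolled, enrolled - timedelta(days=1), None),
    }
    outbox: Dict[str, str] = {}  # stands in for the SMS gateway
    svc = OtpService(records.__getitem__, outbox.__setitem__, b"demo-hmac-key")
    out: Dict[str, object] = {}
    out["recent_port"] = svc.request("+15555550100", now)          # ported 2 days ago
    out["recent_port_sms_sent"] = "+15555550100" in outbox
    out["pre_enrollment_port"] = svc.request("+15555550102", now)  # customer's own old port
    out["old_port"] = svc.request("+15555550101", now)             # ported 30 days ago
    code = outbox["+15555550101"]
    out["wrong_code"] = svc.verify("+15555550101", "000000" if code != "000000" else "000001", now)
    svc.request("+15555550101", now)
    code = outbox["+15555550101"]
    out["right_code"] = svc.verify("+15555550101", code, now + timedelta(minutes=1))
    out["replay"] = svc.verify("+15555550101", code, now + timedelta(minutes=1))
    svc.request("+15555550101", now)
    code = outbox["+15555550101"]
    # The number is ported one minute after the SMS went out.
    records["+15555550101"] = NumberRecord("+15555550101", enrolled, now + timedelta(minutes=1), None)
    out["ported_after_send"] = svc.verify("+15555550101", code, now + timedelta(minutes=2))
    return out
```

The gate treats a port that predates enrollment as the customer's own and lets the SMS through; only changes after enrollment and inside the window force a step-up. The verify-time re-check is the part most deployments skip: approving delivery and then trusting the code unconditionally leaves a window in which a port completed minutes later still hands the attacker a valid OTP.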
Companies are also beginning to phase out passwords and OTPs altogether in favor of passwordless technology such as passkeys, which bind the credential to a device rather than to a phone number that can be ported.
Conclusion
The rise of SMS-based 2FA has contributed to the significant surge in porting attacks. Porting attacks exploit the legitimate number-portability process to take over victims' accounts: whoever controls the number receives the OTP. To prevent porting attacks from compromising your customers' accounts, leverage Trust Score before sending out an OTP.