Press Release

SecureAuth Corp., the leader in Adaptive Access Control, today announced the addition of phone number fraud prevention capabilities to its product line. It is the latest in a continuing series of innovations that move organizations from basic two-factor authentication technologies to the new approach of modern authentication, which integrates into existing security infrastructures, enabling stronger security while improving user experience. These capabilities are designed to block the most common ways that phone number fraud attacks are carried out and, in turn, embrace and extend the NIST guidance to help keep SMS authentication challenges secure. The new features add an additional layer to SecureAuth’s risk-analysis adaptive authentication, helping organizations to prevent the misuse of stolen credentials.

SecureAuth’s phone number fraud prevention allows organizations to identify, block and protect against attackers’ attempts to exploit second-factor authentication delivery methods to phone numbers and mobile devices.

• Block Recently Ported Numbers: Numbers that have been transferred without the legitimate owner’s consent will be blocked from use.
• Block by Number Class: Administrators can choose which types of phone numbers may be used in conjunction with second-factor authentication. For example, landlines and mobile phone numbers may be allowed while virtual and toll-free numbers are blocked.
• Block by Carrier: Administrators can choose which network carriers worldwide can be used with second-factor authentication. For example, if an organization’s customers are based in North America, administrators can limit use to carriers in that region.
• One-time passcode (OTP) Spam Prevention: This allows administrators to regulate the number of OTPs that can be sent to users, preventing them from being spammed and further mitigating any brute force attempts by attackers.

Compared to other methods of authentication, second-factor authentication methods that use ‘phone-as-a-token’ techniques are convenient, popular, and rising in use to protect organizations’ critical applications and data. Gartner estimates that, by 2020, 80 percent of phone-as-a-token deployments will use out-of-band push modes for the majority of users, up from less than 15 percent today*.

Supporting NIST Guidelines

Last year, the National Institute of Standards and Technology (NIST) deprecated their recommendation of using SMS as a delivery mechanism for one-time-passcodes as an out-of-band authentication method. Phone number fraud prevention supports NIST’s guidelines by adding an extra layer of security and, as a result, allows organizations to thwart suspicious access attempts. It ensures that any access for changes to the pre-registered telephone number is protected and that phone numbers are not virtual ones. If SecureAuth customers prefer alternatives to SMS for authentication, they can receive a spoken one-time-passcode via a telephone call and use more secure and user-friendly forms of authentication such as push-to-accept that leverage Apple and Google end-to-end encrypted networks.

“It is often credentials themselves that are targeted, either directly or opportunistically, to be used in later breaches,” said Keith Graham, chief technology officer at SecureAuth. “Organizations are deploying adaptive access control methods to prevent the misuse of stolen credentials, but attackers are evolving to take advantage of SMS delivery methods. By performing multiple pre-authentication risk checks, including phone number fraud prevention and other techniques, organizations can determine their customer, 3rd party, and employee identities with confidence while still delivering a pain-free user experience.”