Retailers Beware, Fraudulent Account Creation with Virtual Phone Numbers
Introduction
In the last couple of decades, the retail industry has seen dramatic changes, both on the business and on the consumer side. Perhaps the most notable one is buyers’ ever-increasing shift from physical “brick-and-mortar” retailers to online e-commerce platforms. Unfortunately, this has also been accompanied by more and more fraudulent activity, which in turn has required more digital checks and balances.
One of the most common checks currently in use is user verification via phone number, be it for account creation or order processing. However, in recent years we have seen threat actors find various ways to bypass it. One such method, which will be reviewed in this analysis, is the use of virtual phone numbers.
Background
As our adoption of and dependency on online platforms for daily activities has grown, so too has the need for a reliable method of customer verification. Cue MFA (Multi-Factor Authentication). This was such a major shift that many, including Bill Gates at one point, claimed it to be the end of passwords.[1]
Various industries, including the retail industry, have largely adopted certain MFA features in an attempt to mitigate fraudulent activities. The method of choice is the phone, or more specifically SMS-based Single Sign-On (SSO).
Perhaps one of the biggest contributors to making the phone the de facto MFA method is its convenience: nowadays practically everyone has a smartphone. But more critically, having a phone number linked to a cell-phone provider account gives the impression of authenticity, misguided as it may be.
Recent Events
There is no denying the usefulness of using the phone for a quick, easy, and relatively secure method of user verification. But as “necessity is the mother of invention”, threat actors have found workarounds for these measures. Of note there is the tried-and-true method of using stolen phones. But that is old school, so threat actors have largely moved to SIM-jacking attacks such as SIM-swapping (using social engineering to port a victim’s number to a different SIM card), and more recently to using SMS-marketing services to intercept messages[2], bypassing phones without their users’ knowledge.
While the above methods may sound easy, they can consume significant time, money and effort, all three of which threat actors prefer not to spend. And so, Cyberint has observed that in recent years threat actors have started leveraging virtual phone number services, which offer users the possibility of receiving SMS messages on temporary phone numbers from practically any country you can think of. Russia? No problem. The UK? Sure thing. China? You got it, take two.
While most of these services have paid plans for the added benefit of certain features, many are free and can be used without any subscription. This has enabled threat actors to automate the process via bots and create fraudulent retailer accounts en masse. Subsequently, it has become harder to differentiate between fake and genuine accounts, and fraudulent activities are obfuscated through sheer volume.
There are multiple fraud scams that exploit this vector, but perhaps the two most common ones are abuse of discounts, and abuse of ratings.
Regarding the former, threat actors create bulk accounts to amass “new account” or “refer a friend” discounts. Once done, they can then use the discounts to purchase items and resell them at full price. Alternatively, they can resell the actual accounts along with the accompanying discount.
Regarding the latter, threat actors often create fake reviews to promote or attack retailers or sellers. This can be used against rival sellers or to improve the ratings of the threat actors’ accounts and/or products. Further, threat actors also offer this as a paid service to unscrupulous sellers.
Consequently, this may result in revenue loss as well as customer churn due to loss of faith in the brand and its platform. And while there have been some attempts to stop fake reviews[3], progress on this front has been slow and difficult.
Recommendations
Unfortunately, there are no easy solutions. To truly curtail this trend, the retail industry will have to make some difficult changes that may hamper the ease of use of its services: eliminating SMS as a means of verification and authentication, and implementing other, more secure means of MFA such as the Google or Microsoft Authenticator apps, perhaps even physical authentication keys that retailers can issue themselves.
Accordingly, this will have to be done together with the consumers and may take several years. But this transition will ultimately benefit both sides. In the meantime, perhaps the easiest way to fight this trend is to monitor these types of virtual phone services and automate the flagging of any account that uses their numbers. Expanding on this methodology, the retail industry could also leverage industry-wide data-sharing partnerships for this purpose.
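The interim flagging step described above could look like the following sketch, an added example that is not Cyberint's code. The feed, the sign-up records and all names (`VIRTUAL_NUMBER_FEED`, `SIGNUPS`, `normalize`, `flag_signups`, `reuse_threshold`) are hypothetical, and the check for one number shared by several accounts goes beyond the text as a complementary signal for bot-driven bulk creation.

```python
import re
from collections import defaultdict

# Constructed sample data. The feed stands in for numbers collected by monitoring
# virtual phone number services; formats vary as they would across such sites.
VIRTUAL_NUMBER_FEED = ["+44 7700 900123", "0044 7700 900456", "+1 (202) 555-0147"]
SIGNUPS = [
    {"account": "u1001", "phone": "07700 900123", "country_code": "44"},
    {"account": "u1002", "phone": "+1 202 555 0199", "country_code": "1"},
    {"account": "u1003", "phone": "(202) 555-0147", "country_code": "1"},
    {"account": "u1004", "phone": "+1-202-555-0199", "country_code": "1"},
    {"account": "u1005", "phone": "202.555.0199", "country_code": "1"},
]

def normalize(phone, country_code):
    """Reduce a number to country code + national digits (E.164 without '+').
    Simplified: a production system would use a full parser such as libphonenumber."""
    raw = phone.strip()
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+"):
        return digits
    if digits.startswith("00"):              # international prefix used in place of '+'
        return digits[2:]
    return country_code + digits.lstrip("0")  # national format: drop the trunk '0'

def flag_signups(signups, feed, reuse_threshold=3):
    """Return {account: [reasons]} for sign-ups that should be reviewed."""
    known_virtual = {normalize(n, "") for n in feed}
    by_number = defaultdict(list)
    for s in signups:
        by_number[normalize(s["phone"], s["country_code"])].append(s["account"])
    flags = defaultdict(list)
    for number, accounts in by_number.items():
        for account in accounts:
            if number in known_virtual:          # number seen on a monitored service
                flags[account].append("virtual_number")
            if len(accounts) >= reuse_threshold:  # one number behind many accounts
                flags[account].append("number_reuse")
    return dict(flags)

if __name__ == "__main__":
    for account, reasons in sorted(flag_signups(SIGNUPS, VIRTUAL_NUMBER_FEED).items()):
        print(account, reasons)
```

Normalizing both sides before comparison matters because the same number appears as `07700 900123` at sign-up and `+44 7700 900123` in the feed; a plain string match would miss it.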
References
[1] https://www.zdnet.com/article/gates-the-password-is-dead/
[2] https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
[3] Facebook, eBay ban users trading fake reviews after UK CMA warnings (cnbc.com)