Kenneth Hardat, Carrier Strategy Lead, BICS
According to the FTC, consumers reported losing out on more than $12.5 billion to fraud in 2024. The methods for these crimes are constantly evolving. From account takeovers, payment and investment scams to social engineering, bad actors are constantly finding new ways to drive losses and customer harm.
With AI becoming so readily available in recent years, scammers now have more tools than ever to scale their operations and make scams harder to spot.
Financial services companies and banks are arguably leading the charge in digital identity and authentication, outpacing other industries by a significant margin. Over the past decade, frameworks like Know Your Customer (KYC) and Strong Customer Authentication (SCA) have pushed these institutions to innovate and stay ahead of evolving threats. This proactive approach has positioned them as pioneers in safeguarding customer identities and transactions.
The key to effective digital identity and authentication lies in layering security measures. The financial services industry understands this well, having long moved beyond the limitations of traditional passwords and PINs. Instead, it has embraced multi-factor authentication methods, such as SMS One-Time Passwords (OTPs), on top of passwords and PINs to add an extra layer of protection and reduce vulnerabilities.
But as threats evolve, these methods are losing ground. Rather than moving away from telecom services to authenticate users, most banks are leaning further in, with network APIs.
Time’s up for one-time passwords?
Banking and finance, ever the trailblazer in the ID and verification space, was the first to widely adopt SMS OTPs and multi-factor authentication at the turn of the century. It’s telling then that it’s also the first industry to start moving away from them. Why? Because things have moved on, and financial service companies know they can’t afford to be left behind.
SMS OTPs have several drawbacks; they come at a cost, carry a risk of delivery issues, and can create friction in the user experience. What was once an acceptable trade-off for user protection is now a significant liability. Criminals can intercept codes using malware, rogue apps, or by exploiting network vulnerabilities. OTPs are also susceptible to social engineering, where scammers posing as customer service agents trick users into revealing their codes.
Most notable of all, however, is the rise of SIM Swap Fraud. In this scheme, a fraudster transfers a customer’s phone number to a SIM card in their possession (like you might do when setting up a new phone). Once the transfer is complete, the attacker can intercept SMS messages, calls, and OTPs associated with that number, gaining access to accounts protected by SMS-based authentication. This method is dangerously effective because it turns a common security measure into the very tool used for the attack. There was a 1055% increase in SIM swap attacks in the UK alone in 2024, and it was believed to have played a role in the recent cyberattack on Marks & Spencer.
The move to network-native security
Many banks and financial institutions have already reacted to this shift. They are moving away from heavy reliance on SMS OTPs to more multi-layered security and, crucially, more network-native security features.
What does that mean? Unlike, say, a traditional OTP, which a bank sends over public networks and relies on the user to input manually, network-native methods operate directly within the mobile operator’s network to verify identities, making it much harder for attackers to intercept or spoof.
Take silent authentication, for example. This method communicates directly with the mobile operator’s network to confirm that the user controls the SIM linked to a specific phone number. The entire process occurs within the network – no codes to enter, no risk of interception, and no friction for the user. However, as mentioned earlier, the most robust security solutions are multi-layered. If an attacker has already compromised the number through a SIM swap, silent authentication alone wouldn’t detect the breach.
That’s why it’s best to combine these features with an additional intelligence layer, like a number change or SIM Swap API, which communicates with the operator’s systems to determine if a number has been recently reassigned to a new SIM. These are just two examples of a broader suite of modern security features that don’t merely use the mobile network to deliver authentication but leverage the network itself as the authentication layer.
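To make the layering concrete, here is an added example (not BICS code, and not any operator’s API) of the decision logic a bank’s login service could apply once it has the two signals described above: the silent-authentication outcome and the date of the most recent SIM change reported by a SIM swap check. The result shapes and the 72-hour recency window are assumptions; the point it demonstrates is that a recent SIM change must push the login to a step-up channel that is not an SMS to the same number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"      # silent auth passed and no recent SIM change
    STEP_UP = "step_up"  # verify via a channel that does not depend on this number (app push, call-back to a known device, in-branch)
    DENY = "deny"        # the device is provably not on the SIM linked to the number


@dataclass
class SilentAuthResult:
    available: bool  # operator reachable and number in coverage (assumed field)
    verified: bool   # SIM on the requesting device matches the phone number


@dataclass
class SimSwapResult:
    available: bool
    latest_sim_change: Optional[datetime]  # None when the operator has no change on record


def evaluate_login(silent: SilentAuthResult, swap: SimSwapResult, now: datetime,
                   max_age: timedelta = timedelta(hours=72)) -> Decision:
    """Combine silent authentication with SIM swap intelligence into one decision."""
    # Layer 1: silent authentication. A coverage gap is a reason to step up, never to trust.
    if not silent.available:
        return Decision.STEP_UP
    if not silent.verified:
        return Decision.DENY
    # Layer 2: SIM swap recency. Silent auth alone would pass an attacker who already
    # owns the number, so a change inside the window forces a non-SMS step-up.
    if not swap.available:
        return Decision.STEP_UP
    if swap.latest_sim_change is not None and now - swap.latest_sim_change <= max_age:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample: the SIM was reissued two hours ago, so the login is stepped up.
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    silent = SilentAuthResult(available=True, verified=True)
    swap = SimSwapResult(available=True, latest_sim_change=now - timedelta(hours=2))
    print(evaluate_login(silent, swap, now).value)
```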
Seamless and secure
This sounds great, but how do you deliver it? You might assume that more advanced equals more complex, but that’s not the case here. Most of these services are delivered via telecom network APIs, so they are easy to implement and integrate into existing platforms and processes. The industry is no stranger to APIs. Just as they led the way in ID and authentication, financial organizations, particularly fintechs, were among the earliest adopters, arguably even before telcos.
But there must be a catch, right? If we’re looking for holes in network APIs, the things to be aware of would be inconsistency across the market, mainly in terms of global coverage and how standardized the APIs from different providers are. This will improve over time, with standards already coming in and ‘ecosystem enablers’ who offer access to network API capabilities making it easy to find the right solution with the coverage you need. These enablers foster trust in digital ecosystems and ultimately make fraud a thing of the past.
This evolution is happening gradually, but it is happening. Different banks and financial institutions will adopt these network-native security methods at varying speeds, but many have already started integrating them into their authentication and fraud prevention strategies. And, just as SMS OTPs in banking eventually became standard across other sectors, we can expect industries beyond finance to follow suit, leveraging network APIs to enhance security, reduce fraud, and ultimately increase trust in their digital ecosystems.