October 2019

“Moments Matter” in Blocking Identity Fraud: Why Number Porting Data is a Vital Tool in Stopping Account Takeovers

Local (and mobile) phone number portability (LNP) is one of the great drivers of telecom competition across the globe.

In the U.S. market, the LNP program is administered through a national database called the NPAC (National Portability Administration Center) which contains the routing information for over 800 million ported and pooled numbers.

Since the late 90s, the NPAC was run by Neustar, under a contract managed by a consortium of Telecommunications Services Providers and overseen by the FCC.  Then, in 2018, administration of the NPAC shifted to iconectiv, the former Telcordia Technologies, a subsidiary of Ericsson.

Today the main mission of the NPAC data remains as it has always been: to port numbers and keep track of the “carrier of record” — the telecom who currently provides the service for a phone number.  And that includes provisioning side tracking.  In addition, when a carrier moves numbers from one switch to another inside its own network, the NPAC keeps track of those changes, too.

Over two decades, the scope and capabilities of the U.S. LNP service have steadily grown.  In the beginning, LNP was a wireline-only service mandated in large metropolitan areas.  Over time, mobile portability was added and the service was extended to rural areas.  Customer service has improved too: the maximum time allowed to complete porting was 3 days; today carriers must port within only 1 day.

Over time, the NPAC has also become the database of record for certain “ancillary” or specialized services, for example:

  • Law Enforcement accesses historical and current carrier of record data from the NPAC to assist agencies when they need to do subpoena processing; and,
  • To help Businesses comply with wireless do-not-call laws, the NPAC informs them when a phone number has been ported from wireline to wireless phone — and vice versa.

And now, a new risk assessment and fraud mitigation service has been added to the NPAC service portfolio.  It’s called PortData Validate and it’s used by large enterprises and “identity aggregators” — credit bureaus and other service bureaus — who create a risk score or help other businesses create one.

Today the porting history of a number and the matching of that phone number to a particular carrier has become crucial to financial, healthcare, and other firms — anyone who needs to validate identity.

Joining us to explain the value of PortData Validate is Kathy Timko, Head of LNPA Services at iconectiv.  Kathy also gives details on how fraud and account takeover threats are making historical porting data and carrier of record information more vital than ever.

Dan Baker, Editor, Black Swan Telecom Journal: Kathy, when the iPhone came to market in 2007, who knew that number porting intelligence would become a critical identity and fraud data source to banks, healthcare firms, and enterprises?

Kathy Timko: It’s true, Dan.  Not many people could foresee the popularity of smartphones or that telephone numbers would become key identifiers.  But today, businesses rely heavily on the telephone number as an ID to protect consumers.

Mobile numbers have become personal numbers as well since people carry their phones with them all the time.  In the U.S., children 7 years and older increasingly have personal phones.

The advent of number portability has also contributed to turning phone numbers into IDs: the NPAC has enabled people to have a phone number for life.  I’ve had one number for over 20 years, and people know me by that number.

Now, the porting history of a particular phone number is just one element of creating a reliable risk score but it is an important one.  As part of our PortData Validate service, we also provide the aggregator information regarding the carrier of record from whom they can obtain further intelligence on the device to further determine the credit risk of the person associated with the number.

Dan Baker: What are some of the data points the aggregators collect from the NPAC or carrier of record to do a credit check?

Kathy Timko: Well, a key red flag for financial institutions is any phone number that is frequently ported to new carriers.  For example, people who want to avoid paying their current bill may port their number to another carrier.  Frequent number porting may also indicate a number is being used for robo-calling.  The porting history will identify these “carrier-hopping” risks.

Another key risk point to know is: “What is the account’s credit status?” And it’s not merely knowing whether telecom charges are being paid.  These days many customers charge video games, media, and other products/services to their phone number account, so late payments on those bills may also raise a red flag.

Now, the PortData Validate service is not just used for credit checks.  It is first and foremost an identity check: it determines, “Is the person behind this phone number who they say they are?”

Often, financial or credit info is not needed at all.  In healthcare, for instance, the risk point may be a patient’s right to privacy or: “Is this person authorized to access a certain patient’s records?”

Dan Baker: Other firms sell second-hand porting data on U.S. phone numbers, so why is it important to go directly to the source?

Kathy Timko: It’s because there’s no substitute for timeliness and accuracy.

In the past, identity aggregators were forced to use relatively “stale” NPAC data from those second- or third-hand sources.  That’s a problem because it jeopardizes the ability to reach the carrier of record in real-time.  Remember, there are 1,400 telecom service providers operating in the U.S.

When you consider the NPAC processes about 1 million porting transactions each day, then you can appreciate why using stale data often prevents a business from getting solid identity or credit information.

The other issue is that fraudsters are stepping up their game in account takeovers.  iconectiv did a study in 2017 and estimated that account takeover in the U.S. has become a $17 billion a year fraud.  I suspect that number has gone up in the two years after that study was done.

It doesn’t take long for a fraudster to get a hold of the credentials associated with your phone, capture personal information, user names, and passcodes, then break into your banking accounts.

It used to take 15 minutes for a fraudster to take over an account.  Data now suggests it takes less than 10 minutes and is going down to less than 5 minutes.  So time is critical, and as such, we’re fond of saying here, “Moments matter” in identity checks.

Dan Baker: Wow, a million ports a day and 10-minute account takeover times sounds like an invitation for fraudsters to strike.

Kathy Timko: Sadly, that’s the case, which is precisely why porting history is such a valuable indicator of potential fraud.  Number porting is very often an integral part of the fraudster’s game plan.

Their most common technique is to do smartphone SIM swaps and trick telco employees to port numbers to a different device.

Once they convince a carrier employee they are the legitimate account holder, they can then change out the SIM card or port the number to a different carrier.  Those steps enable them to change the credentials back to a different device.

The consumer of the device may not notice it right away.  They may not realize it until they try to make a phone call and it doesn’t go through.  If they call their carrier to say the phone’s not working, the carrier may port the number back to the original.

However, in that 5-, 10- or 15-minute period, the fraudster can capture the credentials of your phone, get a one-time passcode to your bank account, drain your bank account, or access multiple accounts you have stored on your phone.

Then a few minutes later, when the customer calls to complain, the carrier restores the original settings.  Everything is seemingly fine again, except the fraudsters have already done their damage.

Now, before all that happens, by accessing the NPAC data, the identity aggregator is notified of any recent porting activity, and also learns who the carrier of record is and can then go to that carrier and determine if there was a recent SIM swap or device change — a big red flag.

That’s the beauty of PortData Validate.  It puts up-to-the-minute intelligence into the hands of the identity aggregators.  In a situation where moments really matter, they can reliably reach the carrier of record and do their checks.

Dan Baker: Well, it’s an impressive service, Kathy.  And I can appreciate how hard it must be to gain regulatory approvals and build such a reliable, real-time service.  But it’s that $17 billion account takeover fraud that really pops out at you.  Businesses and consumers need all the help they can get.

Kathy Timko: Thanks, Dan.  Just as the NPAC data has become the database of record for law enforcement and marketing uses, we aim to make it the “gold standard for assisting companies” for gathering identity, credit, and fraud control intelligence related to phone numbers.

Since winning the contract as the administrator, iconectiv has poured considerable investment into the NPAC.  The current U.S. NPAC system was built with totally brand new software and hardware.  But all the time and effort it took to create the PortData Validate service was worthwhile since there’s a great need to protect businesses and consumers.

We also took advantage of iconectiv’s 20+ years of experience building number porting systems for countries around the globe.  Our first client was the country of Greece in 1999, and our number portability systems now serve more than a dozen countries.

We’re proud that we can give the industry a secure and reliable solution that eliminates the need for identity aggregators to use stale data and instead gives them fresh up-to-the-minute carrier of record information.  That’s our commitment.

So in the fraud control world, if you need accurate, real-time info on the carrier of record, the place to come is the NPAC.  It’s the only place you can get it because we are the last stop before that info is downloaded to the carrier networks when a phone number is switched from one service provider to another.

Copyright 2019 Black Swan Telecom Journal

 
Kathy Timko

Kathy Timko, Head of the Local Number Portability Administration (LNPA) Services at iconectiv, is responsible for the U.S. Number Portability business for the company.  In this position, she oversees all aspects of developing, transitioning, launching, and operating iconectiv’s LNPA service as the number portability provider for the US Telecommunications industry.

Kathy has more than 25 years of experience in telecom and tech companies.  She holds several Advisory Board roles, including Rutgers CX, and served as an Executive in Residence at Columbia University’s Technology Ventures group.  In 2009, Timko was appointed Chief Operating Officer of Canoe Ventures, LLC, a joint venture of the six largest cable firms, and became interim CEO in 2011.

Before joining Canoe, she held several senior management positions at IDT Telecom, including COO and CTO.  She was appointed to the IDT Telecom Board of Directors in 2001 and served as an independent director on the board of Motionbox from 2006 to 2010.

Timko holds a Bachelor of Science degree in Mechanical Engineering from Virginia Tech and a Master of Science degree in Computer Science from Boston University.
