Account takeover prevention: Why banks are choosing secure links over SMS codes

Account takeover (ATO) fraud is on the rise in Europe. In 2023, the fraud - which involves online banking apps being compromised by fraudsters - saw the finance and insurance sector account for 18.2% of all incidents. At the same time, incidents of information-stealing malware, targeting personal and financial data rose by 266%.


In particular, ATO fraud has become a major concern for banks, with recent statistics showing a 73% increase in these attacks. Some banks are facing significant financial losses, from 5-digit figures up to hundreds of thousands of euros per month. And with over 70% of customers saying they’d leave a bank after experiencing a fraud incident, the stakes have never been higher.

How to prevent account takeover?

The case against SMS two-factor authentication

Traditional SMS-based two-factor authentication (2FA) has become a popular defence against Account Takeover  fraud. But as fraudsters continue to develop more sophisticated methods, the vulnerabilities of SMS authentication have become more apparent. A text message can easily be intercepted by fraudsters, and in some cases they can bypass the security measure entirely.

Like many other types of fraud, the human element is the weakest link in ATO fraud. For example, when a customer upgrades their mobile phone, they’ll need to ‘re-bond’ their banking app to their new device. This can be a particularly vulnerable moment if it’s not handled securely. If the banking app just asks for a password, a fraudster could easily gain access. Even if it sends a code via SMS, this could still be intercepted by a sufficiently tech-savvy fraudster.

The case for secure links

To address the vulnerability of SMS codes, some banks have already begun to implement a new approach using secure link authentication (SLA).

This method involves texting or emailing a secure link, rather than a code, to the customer’s login device. The link is only valid for a short period of time, and it can only be used on the device where the login attempt is made. Additionally, the URL is intentionally complex and difficult to share, further reducing the risk of fraud.

Some banks using this approach have chosen not to develop their own secure link solutions, but instead use Netcetera’s App Takeover Prevention SDK. When integrated into the bank’s mobile app, the SDK will identify the customer’s device while a backend service will conduct a risk assessment to evaluate whether to send a secure link to the customer - for example, if a customer usually logs in from one location with a new device but a login attempt is made from another location (different country for example),

Traditionally, banks have cautioned customers against clicking on SMS and email links. But since links generated by the Banking App Takeover Prevention SDK are triggered by the customer and are received seconds after their login attempt, the customer fully expects to receive the link as part of the authentication process.

So what are the benefits of secure links?

  1. They’re much harder to exploit than SMS codes due to being device-specific and time-limited.
  2. They offer a better user experience, allowing customers to tap a single link instead of typing in a code.
  3. Banks can integrate secure link technology within weeks and with minimal development (using Netcetera’s Banking App Takeover Prevention SDK).

"Ultimately, secure links offer banks a vital upgrade in the battle against app takeover fraud. And paired with a real-time risk assessment engine, they can significantly reduce the risk of unauthorised banking app access and fraudulent transactions."

 

Matthias Mittermair
Senior Project Manager & Consultant Digital Banking

Unlike insecure SMS OTPs or cumbersome offline solutions such as letters, phone calls and in-store activations, the solution sends a secure link to the user's device, which they can simply click on. It identifies the device and performs a back-end risk assessment. This ensures that only the intended device can proceed with registration. This significantly reduces the risk of an app takeover.

The Netcetera App Takeover Fraud Prevention Module offers banks a quick and easy way to create an additional layer of security without customers having to change their behaviour. It also improves the customer experience of the mobile banking app. This shows that an enhanced customer experience with a high level of security is both possible and important. A well-functioning banking app and reliable protection against fraud are the most important decision criteria for customers when choosing a bank.

At Netcetera, all our banking clients that have moved from SMS 2FA to using secure links have reported a significant reduction in app takeover fraud. To learn more about how your bank could incorporate our Banking App Takeover Prevention SDK, visit the link or speak with our team.

 

Want to learn about app takeover fraud on the go? Listen to our podcast: How To Mitigate App Takeover Without Adding Friction?

 

Talk to our expert

Matthias Johannes Salmon

Business Development Executive

More stories

On this topic

MORE STORIES