Account takeover prevention: Why banks are choosing secure links over SMS codes

Account takeover (ATO) fraud is on the rise in Europe. In 2023, the finance and insurance sector accounted for 18.2% of all such incidents, in which fraudsters compromise customers' online banking apps. At the same time, incidents of information-stealing malware targeting personal and financial data rose by 266%.

In particular, ATO fraud has become a major concern for banks, with recent statistics showing a 73% increase in these attacks. Some banks are facing significant financial losses, from 5-digit figures up to hundreds of thousands of euros per month. And with over 70% of customers saying they’d leave a bank after experiencing a fraud incident, the stakes have never been higher.

How to prevent account takeover?

The case against SMS two-factor authentication

Traditional SMS-based two-factor authentication (2FA) has become a popular defence against Account Takeover fraud. But as fraudsters continue to develop more sophisticated methods, the vulnerabilities of SMS authentication have become more apparent. A text message can easily be intercepted by fraudsters, and in some cases they can bypass the security measure entirely.

As with many other types of fraud, the human element is the weakest link in ATO fraud. For example, when a customer upgrades their mobile phone, they’ll need to ‘re-bond’ their banking app to their new device. This can be a particularly vulnerable moment if it’s not handled securely. If the banking app just asks for a password, a fraudster could easily gain access. Even if it sends a code via SMS, this could still be intercepted by a sufficiently tech-savvy fraudster.

The case for secure links

To address the vulnerability of SMS codes, some banks have already begun to implement a new approach using secure link authentication (SLA).

This method involves texting or emailing a secure link, rather than a code, to the customer’s login device. The link is only valid for a short period of time, and it can only be used on the device where the login attempt is made. Additionally, the URL is intentionally complex and difficult to share, further reducing the risk of fraud.

Some banks using this approach have chosen not to develop their own secure link solutions, but instead use Netcetera’s App Takeover Prevention SDK. When integrated into the bank’s mobile app, the SDK will identify the customer’s device while a backend service will conduct a risk assessment to evaluate whether to send a secure link to the customer - for example, if a customer usually logs in from one location with a new device but a login attempt is made from another location (a different country, for example).

Traditionally, banks have cautioned customers against clicking on SMS and email links. But since links generated by the Banking App Takeover Prevention SDK are triggered by the customer and are received seconds after their login attempt, the customer fully expects to receive the link as part of the authentication process.
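The three properties described above (short validity, binding to the device that started the login attempt, and a URL that cannot be guessed or usefully shared) are easy to get wrong, so here is an added Python sketch of how a bank-side service could implement them, together with the simplified "new device or unusual country" risk check that decides whether a link is sent at all. This is illustration code written for this article, not Netcetera's SDK or any bank's implementation; the 120-second lifetime, the `bank.example` domain, the device identifiers and the country codes are all assumptions.

```python
"""Device-bound, short-lived, single-use secure login links (illustration only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 120                        # assumed lifetime; the article only says "short"
BASE_URL = "https://bank.example/auth/link"   # placeholder domain, not a real endpoint


def needs_secure_link(known_devices: set, usual_country: str,
                      device_id: str, country: str) -> bool:
    """Simplified risk assessment (assumption): step up to a secure link when the
    device is unknown or the attempt comes from a country other than the usual one."""
    return device_id not in known_devices or country != usual_country


@dataclass
class PendingLink:
    device_id: str      # device that started the login attempt
    expires_at: float   # absolute time after which the link is dead
    used: bool = False  # a link can be redeemed at most once


class SecureLinkService:
    def __init__(self, ttl: float = LINK_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._pending: dict = {}   # sha256(token) -> PendingLink

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token, so a leaked table is not a list of valid links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, device_id: str) -> str:
        """Create a link bound to device_id; the token carries 256 bits of entropy."""
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = PendingLink(device_id, self._clock() + self._ttl)
        return f"{BASE_URL}?t={token}"

    def redeem(self, token: str, device_id: str) -> str:
        """Return "ok" only for an unexpired, unused link opened on the bound device."""
        entry = self._pending.get(self._key(token))
        if entry is None:
            return "unknown"
        if entry.used:
            return "already_used"
        if self._clock() > entry.expires_at:
            entry.used = True
            return "expired"
        # Any redemption attempt burns the link, so a device mismatch cannot be retried.
        entry.used = True
        if not hmac.compare_digest(entry.device_id.encode(), device_id.encode()):
            return "wrong_device"
        return "ok"


def token_from_url(url: str) -> str:
    """Extract the token the app sees when the customer taps the link."""
    return parse_qs(urlparse(url).query)["t"][0]


if __name__ == "__main__":
    svc = SecureLinkService()
    # Constructed scenario: customer normally uses dev-A from CH, attempt is dev-B from DE.
    if needs_secure_link({"dev-A"}, "CH", "dev-B", "DE"):
        link = svc.issue("dev-B")
        print("sent:", link)
        print("redeem on dev-B:", svc.redeem(token_from_url(link), "dev-B"))
        print("replay:", svc.redeem(token_from_url(link), "dev-B"))
```

The server keeps only a hash of the token and checks the device with a constant-time comparison; a link that is opened on the wrong device, opened twice, or opened after its lifetime is rejected, which is what makes a secure link harder to exploit than a code the customer can be talked into reading out.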

So what are the benefits of secure links?

  1. They’re much harder to exploit than SMS codes due to being device-specific and time-limited.
  2. They offer a better user experience, allowing customers to tap a single link instead of typing in a code.
  3. Banks can integrate secure link technology within weeks and with minimal development (using Netcetera’s Banking App Takeover Prevention SDK).

"Ultimately, secure links offer banks a vital upgrade in the battle against app takeover fraud. And paired with a real-time risk assessment engine, they can significantly reduce the risk of unauthorised banking app access and fraudulent transactions."


Matthias Mittermair
Senior Project Manager & Consultant Digital Banking

Unlike insecure SMS OTPs or cumbersome offline solutions such as letters, phone calls and in-store activations, the solution sends a secure link to the user's device, which they can simply click on. It identifies the device and performs a back-end risk assessment. This ensures that only the intended device can proceed with registration. This significantly reduces the risk of an app takeover.

The Netcetera App Takeover Fraud Prevention Module offers banks a quick and easy way to create an additional layer of security without customers having to change their behaviour. It also improves the customer experience of the mobile banking app. This shows that an enhanced customer experience with a high level of security is both possible and important. A well-functioning banking app and reliable protection against fraud are the most important decision criteria for customers when choosing a bank.

At Netcetera, all our banking clients that have moved from SMS 2FA to using secure links have reported a significant reduction in app takeover fraud. To learn more about how your bank could incorporate our Banking App Takeover Prevention SDK, visit the link or speak with our team.


Want to learn about app takeover fraud on the go? Listen to our podcast: How To Mitigate App Takeover Without Adding Friction?

