Fraud Prevention with Twilio User Authentication & Identity
Twilio helps a variety of customers in combating fraud. From banks to dating apps, customer use-cases and approaches to addressing fraud can vary, but there are certain best practices that are almost universal. Below are a few of the suggestions we make when engaging with customers.
Number Format Standardization
There are a number of ways phone numbers can be formatted. But in order to ensure that each device has a globally unique number, you’ll want to save them in a format referred to as E.164. You can check if the number is valid as well as correctly formatted with the basic Lookup API call.
Using basic Lookup is a free, programmatic way to prevent obviously fake and invalid numbers from signing up to your service.
| E.164 Format | Country Code | Country | Subscriber Number |
| --- | --- | --- | --- |
| +14155552671 | 1 | US | 4155552671 |
| +442071838750 | 44 | GB | 2071838750 |
| +551155256325 | 55 | BR | 1155256325 |
Line Type
One common practice among customers is to use our Line Type Intelligence Lookup API to detect VOIP numbers and prevent them from signing up. Using a VOIP number to sign up for service may indicate illicit intent.
The line type may also be used to determine if a phone number is a landline. The Twilio Verify API supports sending a code via a voice call, allowing support for landlines. If a customer is signing up for 2FA with a landline, you may want to prompt them to use a mobile number instead.
First Line Type, Then Verification
Once you’ve detected a customer’s line type, the next step is to verify that they actually have possession of the phone number they are claiming. You can use Twilio Verify to easily generate and send a security code anywhere on the globe. Verifying ownership also prevents spoofed numbers from signing up to your service.
Our best practice workflow for on-boarding new phone numbers allows a maximum of 3 SMS requests and 2 voice calls when attempting to verify a user.
If you end up implementing the above flow, you’ll want to think about a couple of UI/UX issues.
1. Make sure the number is legitimate via Twilio Lookup before allowing the user to start a Verification.
2. Don’t allow users to smash out multiple SMS/Voice requests. Add an exponentially growing delay between requests, e.g., 30s, 60s, 120s.
3. If a mobile user, allow them to try a maximum of 3 times, then allow the user to select voice delivery of an OTP.
4. Limit OTP requests to a maximum of 5 per 10 minutes.
5. Voice is more expensive. Use it as a backup unless your customers are using landlines to sign up.
6. Adjust the #2, #3, #4 values for your specific use-case.
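The throttling rules above (exponential delay, 3 SMS then voice, 5 requests per 10 minutes, at most 2 voice calls) as a server-side policy check, written as an added example rather than Twilio's own code; the `OtpState` record, the function names and the `line_type` strings are assumptions, and the actual send via Twilio Verify is left to the caller.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Policy values from the checklist above; tune items #2, #3 and #4 for your use-case.
BASE_DELAY_S = 30        # exponentially growing gap between requests: 30s, 60s, 120s, ...
MAX_SMS_ATTEMPTS = 3     # mobile users get 3 SMS attempts, then voice delivery
MAX_VOICE_ATTEMPTS = 2   # at most 2 voice calls per onboarding attempt
WINDOW_S = 600           # sliding window of 10 minutes ...
MAX_PER_WINDOW = 5       # ... holding at most 5 OTP requests


@dataclass
class OtpState:
    """Hypothetical server-side record of OTP deliveries requested for one number."""
    request_times: List[float] = field(default_factory=list)  # epoch seconds
    sms_sent: int = 0
    voice_sent: int = 0


def decide_otp_request(state: OtpState, now: float, line_type: str) -> Tuple[bool, str, int]:
    """Return (allowed, channel_or_reason, retry_after_seconds) for a new OTP request.

    line_type is the Lookup result for the number, e.g. "mobile" or "landline".
    """
    # Item 4: hard cap of 5 requests in any 10-minute window.
    recent = [t for t in state.request_times if now - t < WINDOW_S]
    if len(recent) >= MAX_PER_WINDOW:
        return False, "rate_limited", int(WINDOW_S - (now - recent[0]))
    # Item 2: the n-th retry must wait 30s * 2**(n-1) after the previous request.
    if state.request_times:
        required = BASE_DELAY_S * 2 ** (len(state.request_times) - 1)
        elapsed = now - state.request_times[-1]
        if elapsed < required:
            return False, "too_soon", int(required - elapsed)
    # Items 3 and 5: SMS first for mobiles; voice for landlines or once SMS is used up.
    if line_type == "landline" or state.sms_sent >= MAX_SMS_ATTEMPTS:
        channel = "voice"
    else:
        channel = "sms"
    if channel == "voice" and state.voice_sent >= MAX_VOICE_ATTEMPTS:
        return False, "exhausted", 0   # both channels used up; escalate to manual review
    return True, channel, 0


def record_otp_request(state: OtpState, now: float, channel: str) -> None:
    """Persist a delivery that was actually sent (e.g. via Twilio Verify)."""
    state.request_times.append(now)
    if channel == "sms":
        state.sms_sent += 1
    else:
        state.voice_sent += 1
```

Call `decide_otp_request` before every send and `record_otp_request` only after Verify accepts the delivery, so failed sends do not consume the user's attempts.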
1 Number, 1 Account
Fraudsters will commonly use a single number to create multiple accounts. It is generally a good idea to limit the number of accounts associated with a single phone number. When onboarding a new user, you may want to add a quick database query to see how many accounts are associated with their phone number. If excessive, you may want to block that number from signing up or reach out to the customer.
There are certain use-cases, however, where a single phone number may be associated with multiple accounts. In these situations, we suggest limiting the number of accounts created within a specific time frame, for example, 1 new account every 6 months with a maximum of 3 live accounts at any time.
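The "1 number, 1 account" check and the relaxed variant (1 new account every 6 months, at most 3 live) as one policy function, added here as an example and not Twilio's code; the `Account` row shape, the 182-day approximation of 6 months and the function names are assumptions, and `accounts` stands in for the result of the database query the post suggests.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """Hypothetical account row; only the fields this check needs."""
    phone_e164: str
    created_at: datetime
    closed_at: Optional[datetime] = None  # None means the account is still live


@dataclass(frozen=True)
class AccountPolicy:
    max_live_accounts: int = 1          # default: strict "1 number, 1 account"
    min_gap: timedelta = timedelta(0)   # minimum time between new accounts on one number


# Relaxed policy from the post: 1 new account every 6 months, at most 3 live at once.
MULTI_ACCOUNT_POLICY = AccountPolicy(max_live_accounts=3, min_gap=timedelta(days=182))


def signup_allowed(accounts: List[Account], phone: str, now: datetime,
                   policy: AccountPolicy = AccountPolicy()) -> Tuple[bool, str]:
    """Decide whether a new account may be created for `phone` (an E.164 string).

    `accounts` is the list of rows already associated with phone numbers in your
    database; rows for other numbers are ignored.
    """
    mine = [a for a in accounts if a.phone_e164 == phone]
    live = [a for a in mine if a.closed_at is None or a.closed_at > now]
    if len(live) >= policy.max_live_accounts:
        return False, f"{len(live)} live account(s) already use {phone}"
    if mine and policy.min_gap > timedelta(0):
        newest = max(a.created_at for a in mine)   # closed accounts count too
        age = now - newest
        if age < policy.min_gap:
            return False, f"last account on {phone} created {age.days} days ago"
    return True, "ok"
```

A denial is a signal, not a verdict: route it to a block or a manual outreach to the customer, as the post suggests, rather than silently failing the signup.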
Lastly, if you have a preexisting database of phone numbers, it would be insightful to learn what kind of line types users have signed up with. You can develop your own approach with our REST API or use our Bulk Lookup tool.
Existing Accounts and Grace Logins
Preventing fraudsters from signing up is just one account security best practice. You’ll also want to review your current accounts to look for any active fraudsters or even fraud sleeper cells. As with account signup, users with multiple accounts and VOIP numbers are potential signals of fraudulent intent.
If you do detect a VOIP number, it may be more secure to have that person convert to a non-VOIP phone number. You can do this by prompting the user on login to register with a mobile or landline number with 3 grace logins. After 3 grace logins, you’ll require a non-VOIP number before allowing the user to use your service.
Carrier - MCC/MNC Information
MCC (mobile country code) and MNC (mobile network code) along with the carrier name are additional data items which may provide value when detecting fraudulent actors.
If your company has a predominantly country-specific user base, you can also use Lookup to detect possible fraudsters attempting to set up accounts from non-standard locations. The MCC and MNC values are useful for determining this correlation.
Fraudsters may also acquire blocks of phone numbers from collaborators at carriers. Identifying these groups of numbers via MCC/MNC codes can help you combat large scale fraud operations.
Conclusion
Nearly every company faces challenges with fraud and account security nowadays. Fraudsters are continually innovating on ways they can rip off, scam, or spam you. But by using some of the best practices we have learned from our customers, you can greatly reduce the risk of fraud, and improve security for your users’ accounts.