A recent LinkedIn post by Johnny Ayers of Socure is shedding light on a new attack vector that bypasses banks identity checks.
This is a warning banks, fintechs and lenders should be well aware of because it threatens the heart of their fraud control systems.
The post shares an email he received from a customer that explains how fraudsters are using a service called TextVerified to pass phone verification and reputational checks.
TextVerified – The Service That Loans Tenured Phone Numbers To People
“The wild thing is, TextVerifed numbers have tenure, and show up as clean post-paid mobile accounts. That is, they don’t look risky AT ALL according to the ‘best in class phone vendors”, writes the customer to Johnny Ayers.
The customer reports that TextVerified allows fraudsters to gain access to phone numbers that have tenure and show up as clean “post-paid” mobile accounts. Post paid mobile accounts are generally considered more secure than pre-paid plans that have been favored by fraudsters in the past.
The service which is touted to help customers protect their privacy and their data touts that there phone numbers are “Real US mobile numbers backed by physical SIMs”.
These phone numbers will not trigger the traditional fraud checks such as VOIP phones which are used to perpetrate a variety of synthetic identity schemes.
How TextVerified Works – Phone Renting
TextVerified advises that they can help a person bypass any text or voice verification. The only thing a customer has to do during the application process is provide the TextVerified phone number and not their own.
The reviews for the service are glowing by customers. “It literally took me 2 minutes to create a bunch of anonymous accounts for Twitter and Discord using your temporary phone service. Good Job Guys”
Another customer agrees, “This is hands down the best tool to bypass 2-Factor OTP codes.
The service is popular on Telegram Fraud Channels
A search of TextVerified on Telegram fraud channels is revealing. Fraudsters promote and sell the service and even give instructions on how to use it.
The Full Post
This isn’t an advertisement of course, but apparently Socure does a pretty good job of identifying those TextVerified accounts by providing alternative signals that are clues to when this service is being used.
