Prevent or mitigate telephony-based fraud
International revenue sharing fraud (IRSF) or toll fraud is the use of a telecommunications product or service without the intent to pay for it. Such frauds often involve attackers who use a phone system to generate a high volume of international calls on expensive routes. Toll fraud can be costly and interfere with business operations.
People involved in a toll fraud attack make calls to premium-rate numbers and take a cut of the revenue generated from these calls. The telecommunications provider charges the costs associated with this fraudulent activity to the customer. Therefore, it's important to take steps to prevent or minimize the chances of such attacks.
Before you begin
Review these recommendations and best practices if any of the following apply to your org:
- You use voice or SMS OTP for multifactor authentication.
- You have enabled self-service registration on one or more of your Okta orgs.
- You use an Okta-hosted or a custom Sign-In Widget for any of your Okta orgs.
- You use the Okta Authentication or Factors API for telephony use cases.
- You have enabled a custom user provisioning or self-service registration solution.
How vulnerable is my Okta org to toll fraud?
Your Okta org might be vulnerable to toll fraud attacks if the org allows certain activities:
- You allow users to self-register without requiring strong proof of their identity. For example, you have custom user provisioning or self-service registration solutions enabled on your org.
- You allow voice or SMS as authentication factors for registration or sign-in activity.
Okta enforces back-end voice MFA security measures. However, to give your org flexibility, Okta doesn't impose business logic on account creation: by default, it doesn't enforce identity proofing or deactivate potentially malicious users.
Why should you protect your organization from toll fraud attacks?
There are many practical reasons that you should try to protect your org from toll fraud attacks. For example, toll fraud attacks create fake accounts on your service. A proliferation of fake accounts might result in one of the following issues:
- Higher operational costs required to identify and remove fake accounts
- Devaluation of your user base and the reliability of your user information
- Fraudulent selling activity, if applicable
- Blocking of legitimate traffic by providers if sender numbers are identified as generating low engagement communications
The results of a toll fraud attack can lead to negative consequences, such as:
- High volumes of toll traffic might result in delaying or preventing the delivery of voice and SMS messages for legitimate users.
- Providers blocking numbers from certain countries might result in blocking SMS and voice delivery to legitimate accounts.
- Increased costs for use above the purchased contract and for using telephony APIs
How Okta mitigates toll fraud on your behalf
Okta has implemented the following measures to mitigate the impact of toll fraud:
- Service cap for SMS and voice traffic: If your Okta org hits the service cap limit, all voice and SMS MFA traffic is blocked for 24 hours. While the block is in effect, clients making these requests receive an HTTP 429 error response.
- Per-user voice and SMS rate limits: Enrollment rate limits are enforced to prevent a single user from flooding your org with malicious calls.
- Alerts during an active attack: The Okta support team notifies you if there's an active toll fraud attack on your Okta org.
Steps you can take to mitigate toll fraud
Okta recommends the following steps to protect your org from toll fraud activity and mitigate its effects.
Use network zones to block malicious traffic pre-authentication
If you know malicious IP addresses are attempting to access your Okta org, use network zones to block traffic before authentication. This prevents attackers from accessing your Okta sign-in and registration pages. See Create zones for IP addresses.
Disable voice MFA or control voice MFA per group
Deactivate voice MFA in your Okta org if you don't need it.
See Configure the phone authenticator.
If you need voice MFA, don't allow enrollment for new accounts until identity proofing is complete to ensure that the account isn't fraudulent.
Check your user provisioning methods
Reevaluate how you create and provision user accounts to determine if more security measures might prevent the creation of fake accounts. Add the following security methods to your existing account creation and provisioning methods:
- Block account creation from known or potentially malicious geographic locations.
- Validate user registration using email-based verification.
- Integrate with identity proofing tools to determine if the email address is coming from a fake domain.
- Implement rate limiting on custom registration pages to stop fraudsters from generating fake accounts in large volumes.
- Deactivate fake users on your org to prevent fraudsters from rotating through the fake accounts to generate calls.
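As an added illustration of the rate-limiting item in the list above (example code, not Okta's own and independent of any Okta API), the following sliding-window limiter caps registration attempts per client key, keyed here by source IP, and returns an HTTP 429 with a Retry-After header once the cap is hit. The limits, the keying by IP and the handler shape are assumptions for illustration.

```python
"""Sliding-window rate limit for a custom registration endpoint.

Added example, not Okta's code. It caps the number of registration attempts
a single client key (for example the source IP) may make inside a rolling
window, which is the measure recommended above against bulk fake-account
creation. The limit values and the keying by IP are assumptions.
"""
import time
from collections import defaultdict, deque


class RegistrationRateLimiter:
    def __init__(self, max_attempts=5, window_seconds=3600, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so tests can drive time deterministically
        self._attempts = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key):
        """Record one attempt for `key` and return True if it is within the limit."""
        now = self.clock()
        window = self._attempts[key]
        # Drop attempts that have aged out of the rolling window.
        while window and now - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.max_attempts:
            return False  # deny; denied attempts do not extend the window
        window.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest attempt in the window expires (0 if not limited)."""
        window = self._attempts.get(key)
        if not window or len(window) < self.max_attempts:
            return 0
        return max(0, self.window - (self.clock() - window[0]))


def simulate_burst(limiter, key, attempts):
    """Return the allow/deny decisions for `attempts` back-to-back attempts."""
    return [limiter.allow(key) for _ in range(attempts)]


def handle_registration(limiter, client_ip, create_account):
    """Gate a registration request on the limiter before creating anything.

    Returns an (HTTP status, headers, body) tuple in the style of a web handler;
    `create_account` is the caller's own provisioning callback (assumed).
    """
    if not limiter.allow(client_ip):
        retry = int(limiter.retry_after(client_ip)) + 1
        return 429, {"Retry-After": str(retry)}, {"error": "too many registration attempts"}
    return 201, {}, create_account()


if __name__ == "__main__":
    limiter = RegistrationRateLimiter(max_attempts=5, window_seconds=3600)
    print(simulate_burst(limiter, "203.0.113.7", 8))  # constructed IP: 5 allowed, 3 denied
    print("retry after %.0f s" % limiter.retry_after("203.0.113.7"))
```

The in-memory store is only suitable for a single process; behind a load balancer, keep the per-key window in a shared store so that every instance enforces the same cap. Pair the IP key with a per-email or per-phone key if attackers spread registrations across many addresses.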
Monitor malicious activity and deactivate bad actors
You can use the following query to monitor suspicious voice activity in the System Log.
```spl
event_type="system.voice.send_phone_verification_call"
| stats count values(client_geographical_context_country) as Country dc(target1_alternate_id) as unique_count_phone_numbers
  by actor_alternate_id, client_ip_address, client_user_agent_raw_user_agent
| where count > 20
| table actor_alternate_id, client_ip_address, client_user_agent_raw_user_agent, Country, unique_count_phone_numbers
```
These fields are also available when using the Okta Identity Cloud add-on for Splunk.
This query selects events whose event_type is system.voice.send_phone_verification_call, groups them by the combination of user, IP address, and user agent, and returns the groups whose count exceeds the defined threshold (20 in this example). Set the threshold according to the time frame of the search: if the search runs every hour, choose a value higher than the benign voice-verification volume you expect during an hour.
This sample query uses the following fields:
Field | Description |
---|---|
event_type | An event recorded by Okta based on the user action. The event indicates that phone call verification was initiated. |
actor_alternate_id | The email address of the user. |
client_ip_address | The IP address of the user. |
client_user_agent_raw_user_agent | The user agent identifying string. |
target1_alternate_id | The mobile phone number to which the verification call was sent. |
client_geographical_context_country | The geolocation of the user's IP address. |
Based on the output returned by the query, you can identify and delete any bad actors or fake users in your org.
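The same detection, replayed outside Splunk as an added example (not Okta's code): it applies the query's filter, grouping, counting and threshold stages to Okta-style System Log records. The JSON field names used (eventType, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, client.geographicalContext.country, target[].alternateId) are the assumed shape of System Log API output, and every identity, IP address and phone number in the sample is constructed.

```python
"""Replay the System Log toll-fraud detection over constructed events.

Added example, not Okta's own code. It keeps only
system.voice.send_phone_verification_call events, groups them by actor,
client IP and user agent, counts calls and distinct target phone numbers,
and reports the groups above a threshold, mirroring the query above.
"""
import json
from collections import defaultdict

VOICE_EVENT = "system.voice.send_phone_verification_call"


def _event(actor, ip, user_agent, phone, country, event_type=VOICE_EVENT):
    """Build a minimal System Log record with only the fields the detection reads
    (assumed JSON shape of the System Log API)."""
    return {
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "client": {
            "ipAddress": ip,
            "userAgent": {"rawUserAgent": user_agent},
            "geographicalContext": {"country": country},
        },
        "target": [{"alternateId": phone}],
    }


# Constructed sample: one scripted actor rotating through 25 phone numbers from a
# single IP and user agent, plus a legitimate user retrying three times. All
# identities, addresses and phone numbers are invented.
SAMPLE_EVENTS = (
    [_event("bulk-signup@example.test", "203.0.113.7", "python-requests/2.31",
            "+1555000%04d" % i, "US") for i in range(25)]
    + [_event("alice@example.test", "198.51.100.4", "Mozilla/5.0 (X11; Linux x86_64)",
              "+15550009999", "DE") for _ in range(3)]
    # An unrelated event type that the filter must ignore.
    + [_event("alice@example.test", "198.51.100.4", "Mozilla/5.0 (X11; Linux x86_64)",
              "+15550009999", "DE", event_type="user.session.start")]
)


def load_events(jsonl_text):
    """Parse newline-delimited JSON, one System Log record per line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def flag_voice_abuse(events, threshold=20, event_type=VOICE_EVENT):
    """Return (actor, IP, user agent) groups with more than `threshold`
    verification calls, sorted by call count, like the stats/where/table stages."""
    groups = defaultdict(lambda: {"count": 0, "phones": set(), "countries": set()})
    for ev in events:
        if ev.get("eventType") != event_type:
            continue  # equivalent of event_type="..." in the search
        client = ev.get("client", {})
        key = (
            ev.get("actor", {}).get("alternateId"),
            client.get("ipAddress"),
            client.get("userAgent", {}).get("rawUserAgent"),
        )
        g = groups[key]
        g["count"] += 1
        targets = ev.get("target") or []
        if targets:
            g["phones"].add(targets[0].get("alternateId"))  # target1_alternate_id
        country = client.get("geographicalContext", {}).get("country")
        if country:
            g["countries"].add(country)
    flagged = [
        {
            "actor": actor, "client_ip": ip, "user_agent": ua,
            "count": g["count"],
            "countries": sorted(g["countries"]),
            "unique_phone_numbers": len(g["phones"]),
        }
        for (actor, ip, ua), g in groups.items()
        if g["count"] > threshold  # where count > 20
    ]
    return sorted(flagged, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for row in flag_voice_abuse(SAMPLE_EVENTS):
        print(row)
```

A high unique_phone_numbers relative to count is the telling signal: a legitimate user retrying a call hits the same number, while a fraudster rotates targets. When the rows come from a scheduled search, make the threshold proportional to the search window, as the text above advises.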
Contact Support to receive a list of allowed countries
If you're confident in the specific list of countries servicing your customers, block voice MFA calls to all other countries. You can also modify the rate limits on your org.
If you're experiencing increased toll fraud attacks or fake accounts, create strict rate limits on voice and SMS enrollment endpoints. This decreases the frequency of new accounts that are created on your org.
Integrate with identity proofing solutions for new account creation
You can enable user self-verification through document-based or knowledge-based proofs to improve identity confidence and approve access for authorized individuals. See Identity Proofing to learn more.