Fraud Prevention
Account takeover prevention with telecom signals
Account takeover attacks exploit phone-based authentication. A telecom signal layer of carrier lookup, number type detection, active status and SIM swap detection gives fraud teams a real-time view of the phone number behind each session before a password reset or OTP is issued. This page covers which signals catch which attack types and where in the authentication flow each one belongs.
Why phone numbers are the weak point in ATO defence
Most account takeover defences are designed to stop a remote attacker who does not control the victim's phone number. Password resets require a known email or phone. Step-up authentication sends an OTP. Session tokens expire and force re-login. These controls all assume the phone number is a reliable proxy for the legitimate account holder.
Two attack patterns break that assumption. The first is credential stuffing combined with a pre-registered number: the attacker already has the credentials and can pass basic authentication without touching the phone. The second is SIM swap: the attacker takes control of the phone number itself, so every SMS-based control routes to them rather than the victim.
Telecom signals address both. Number type and active status add friction to accounts registered with disposable numbers. SIM swap detection catches the specific case where the attacker has taken the number.
The signal stack and what each catches
Non-fixed VoIP numbers are generated programmatically and require no identity verification. They are used at scale by fraud rings to register accounts. Detecting non-fixed VoIP at onboarding removes the cheapest account-creation vector. Catching this at registration costs $0.03 per query and stops a class of attack before any authentication flow is needed.
An inactive number cannot receive an OTP. Sending to an inactive number wastes SMS cost and indicates the account may have been registered with a number no longer in service, a pattern common in synthetic identity fraud. Check active status before OTP dispatch and at step-up authentication.
A consumer account served by a wholesale MVNO or a foreign carrier, particularly when combined with other signals, is worth additional review. Fraud rings use SIM cards from low-scrutiny operators precisely because they offer less resistance during a SIM swap attempt. The carrier field exposes this without any customer interaction.
The highest-value signal for ATO prevention. A recent SIM swap means the number is controlled by whoever executed the swap. If a login attempt, password reset or high-value transaction occurs within hours of a SIM change, the probability of fraud is high. The check happens before the OTP is sent, not after. See how to check for a SIM swap before sending an OTP for the specific integration pattern.
Where in the flow to apply each signal
Integration points by signal
- At registration / onboarding: number type (block nonFixedVoip), active status (flag inactive), carrier (flag anomalous MVNOs). These run once per account and set the baseline.
- Before OTP dispatch: active status (confirm still reachable), SIM swap check (confirm no recent swap). These run per-session at each authentication event.
- At account recovery: SIM swap check (a swap immediately before recovery is a high-confidence ATO signal). Number type re-check if the customer has updated their number.
- Before high-value actions: SIM swap check as part of the pre-transaction risk score. Withdrawal, payment authorisation and account detail changes are the end goal of most ATO attacks.
What a Telebase lookup returns
curl -s 'https://telebase.fatcatremote.com/api/lookup?phone=%2B447700900000' \ -H 'Authorization: Bearer tb_live_xxxxxxxxxxxxxxxxxxxxxxxx'
{
"phoneNumber": "+447700900000",
"active": true,
"carrier": "EE",
"country": "GB",
"numberType": "mobile",
"simSwap": "UNKNOWN", // launching for GB, DE, NL and FR
"simSwapAt": null,
"_meta": { "activeSource": "LINE_STATUS" }
}
All signals are returned in a single call. No separate requests for carrier, type and active status.
Fitting telecom signals into an existing ATO stack
Telecom signals are a complement to device fingerprinting, behavioural analytics and IP reputation, not a replacement. The value is that they query a layer most ATO stacks do not touch: the carrier network. Device signals can be spoofed. Behavioural baselines take time to build. A network-level SIM swap query returns the current state of the number at the moment of the authentication attempt, sourced from carrier records rather than anything the user's device presents.
The practical integration is a pre-OTP API call that takes the phone number the customer is authenticating with, returns the signal set, and passes a flag into the session risk score. If simSwap is SWAPPED or numberType is nonFixedVoip, step up. Otherwise, continue normally. The overhead is one HTTP call per authentication event.