Global regulators expect improved fintech security
In February 2021, the Reserve Bank of India (RBI) published ‘Master Direction on Digital Payment Security Controls’ – an important piece of guidance for regulated businesses in FinTech, banking, payments and crypto.
The guidance mandates that when authorising and processing payment transactions, apps must use at least one additional authentication method to validate the user’s action.
Specifically, it is necessary to be certain of the mobile device being used, to associate that device with the correct user, and finally with their bank account.
The guidelines recommend stronger alternatives to SMS OTPs, which have been shown to be vulnerable to account fraud, and require that the multi-factor authentication (MFA) method be ‘generally dynamic or non-replicable’, such as ‘device binding and SIM’.
This is in line with similar recommendations made around the world, such as the UK’s Strong Customer Authentication (SCA) and the EU’s PSD2.
SIM-based authentication – secure, compliant, and easier for customers
SIM-based authentication uses the existing cryptographic security built into a SIM card to authenticate the mobile number of the device being used, and link that to the customer’s account.
As this approach does not use SMS PIN codes, it’s not vulnerable to man-in-the-middle attacks, social engineering or SIM swap fraud. It also makes life easier for the customer, as it’s a seamless and invisible experience.
The authentication works by using a secure, encrypted connection from the mobile device to the mobile network operator, which then verifies the associated mobile number.
Once verified, the mobile phone number can be compared with the device previously registered against that user’s bank account. If there is a match, the transaction can proceed.
The whole process is simple for the customer, who does nothing beyond typing their mobile number, yet highly secure: there is no code to read, forward or enter, so there is no step for a malicious actor to intercept.
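To make the three-step flow above concrete (app submits the typed number, operator verifies the number on the SIM that made the connection, backend compares it with the binding registered for the account), here is an added example written for this page; it is not tru.ID's API or code. The operator verification step is simulated by a constructed stub (mno_verified_number), the sample numbers and account ids are constructed, and the class and function names, as well as the check lifetime, are assumptions for illustration. It also shows two things the prose leaves implicit: each check id is single-use, and a check that is never completed expires.

```python
"""Backend model of SIM-based device binding (illustrative, not tru.ID's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

CHECK_TTL_SECONDS = 120  # assumed lifetime of a pending check


@dataclass
class PendingCheck:
    check_id: str
    account_id: str
    claimed_number: str   # the number the customer typed into the app
    created_at: float


@dataclass
class BindingStore:
    # account_id -> mobile number recorded when the device was bound (constructed data)
    bindings: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, PendingCheck] = field(default_factory=dict)

    def start_check(self, account_id: str, claimed_number: str, now: float) -> str:
        """Step 1: the app submits the typed number; issue a single-use check id."""
        check_id = secrets.token_urlsafe(16)
        self.pending[check_id] = PendingCheck(check_id, account_id, claimed_number, now)
        return check_id

    def complete_check(self, check_id: str, verified_number: Optional[str], now: float) -> bool:
        """Steps 2-3: the operator reports the number on the SIM that made the encrypted
        connection; the transaction proceeds only if it matches the registered binding."""
        check = self.pending.pop(check_id, None)   # pop: a replayed id is rejected below
        if check is None:
            return False                            # unknown or already-consumed check id
        if now - check.created_at > CHECK_TTL_SECONDS:
            return False                            # stale check, customer must start again
        if verified_number is None:
            return False                            # operator could not verify the SIM
        registered = self.bindings.get(check.account_id)
        if registered is None:
            return False                            # no device bound yet: enrol first, never auto-bind here
        # The operator-asserted number must equal both what the customer typed and what was
        # registered at binding time; constant-time compare is cheap and a good habit.
        return (hmac.compare_digest(verified_number, check.claimed_number)
                and hmac.compare_digest(verified_number, registered))


# Constructed stand-in for the mobile-network lookup: simulated SIM -> number on that SIM.
SIMULATED_SIMS = {"sim-A": "+447700900123", "sim-B": "+447700900456"}


def mno_verified_number(sim_id: str) -> Optional[str]:
    """Simulated operator response; a real deployment gets this from the network, not the app."""
    return SIMULATED_SIMS.get(sim_id)


def run_scenario(sim_id: str, typed_number: str, account_id: str = "acct-1") -> bool:
    """End-to-end run for one transaction attempt against a constructed binding table."""
    store = BindingStore(bindings={"acct-1": "+447700900123"})
    now = time.time()
    check_id = store.start_check(account_id, typed_number, now)
    return store.complete_check(check_id, mno_verified_number(sim_id), now)


if __name__ == "__main__":
    print("bound SIM, correct number:", run_scenario("sim-A", "+447700900123"))   # True
    print("other SIM, same typed number:", run_scenario("sim-B", "+447700900123"))  # False
```

The key design point is that the number the app claims is never trusted on its own: the decision rests on the number the operator asserts for the SIM that actually made the connection, compared against the binding stored at enrolment.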
Built on the same simple and secure technology in bank cards
Inside every SIM card is the same cryptographically secure, tamper-resistant authentication technology that exists inside every bank card.
When used in a mobile phone, it carries a unique identifier, the International Mobile Subscriber Identity (IMSI).
Pairing this IMSI with a mobile phone number creates a unique combination that, backed by the SIM card’s strong cryptography, actively binds the transacting mobile device to the customer and their bank account.
This SIM-based approach to device binding leverages the advanced security technology built into every SIM card, and avoids the pitfalls of alternative approaches:
- PIN code free: With no passcodes to be intercepted, man-in-the-middle attacks are impossible.
- Tamper-resistant: Cryptographic keys are stored in solid-state storage within the SIM card.
- Hardware-based: SIM security is impervious to attacks against the physical mobile handset, OS, and apps – there’s no risk of compromise via rooting, hacking, or malware.
- Effectively unclonable: Modern SIM cards incorporate advanced cryptographic algorithms which restrict access to stored secret data and prevent cloning of the card.
How to get started
tru.ID’s technology is quick and easy to deploy and available for all mobile operating systems.
Book your free 30-minute demo today to see it in action and discuss how tru.ID can help you deliver a secure, frictionless mobile device binding solution for your customers.