April 12, 2023

How does SIM-based device binding prevent phishing and fraud?

Paul McGuire
Co-founder, CEO at tru.ID

When cybercriminals ‘phish’, they send fraudulent emails that aim to trick a recipient into clicking on a malicious link, in order to steal someone's personal data.

‘Smishing’ (SMS phishing) is much the same, but uses text messages instead of email – taking advantage of how often we receive legitimate links and OTP (one-time password) codes via SMS. 

Any business that is prone to cyber-attacks on either its customers or employees – especially those that deal in payments, such as banks, FinTechs, and cryptocurrency wallets – can now implement strong user authentication with device binding. 

Using the cryptographic security built into a SIM card, a simple and secure API can now silently confirm that the device in use holds the SIM associated with the user's mobile number.

This service from tru.ID makes it possible to quickly and securely check the SIM card in the user’s phone, check the mobile number associated with that SIM card, and confirm that they match without user input. 

Using SIM authentication for mobile device binding is highly secure, very easy for the user, and does not use vulnerable PIN codes sent by email or SMS.

PIN codes sent by SMS can cause problems

Historically, PIN codes sent by SMS (also known as OTPs, or one-time passwords) have been used to verify a mobile number. 

But this approach is now recognised as insecure, because PIN codes are vulnerable to several different types of fraud attacks:

  • MITM (‘man-in-the-middle’) attacks: Social engineering methods are used by criminals to trick users into forwarding a code to the attacker, or entering it into a fraudulent web form.

  • SIM swap fraud: Bad actors can fraudulently convince a mobile network to assign the victim’s mobile number to a new SIM card, letting them steal incoming codes directly.

As well as being insecure, PIN codes delivered by SMS cause customer support challenges:

  • SMS delivery problems: Often SMS messages arrive late, or not at all, prompting customers to request a resend. This can then create confusion when messages arrive out of sequence.

  • User difficulties: Having to retrieve and retype PIN codes can lead to errors and confusion, and often provides a frustrating user experience, with the customer forced to close the app and look through a different inbox.

For these reasons, many regulators now recommend investigating and implementing alternatives to SMS OTP.

Global regulators now expect better security to catch phishing attempts. (Photo by Trophy Technology on Unsplash)

Global regulators expect improved fintech security 

In February 2021, the Reserve Bank of India (RBI) published ‘Master Direction on Digital Payment Security Controls’ – an important piece of guidance for regulated businesses in FinTech, banking, payments and crypto. 

The guidance mandates that when authorising and processing payment transactions, apps must use at least one additional authentication method to validate the user’s action. 

Specifically, it is necessary to be certain of the mobile device being used, to associate that device with the correct user, and finally with their bank account. 

The guidelines recommend stronger alternatives to SMS OTPs, which have been shown to be vulnerable to account fraud, and state that the multi-factor authentication (MFA) method must be ‘generally dynamic or non-replicable’, such as ‘device binding and SIM’.

This is in line with similar recommendations made around the world, such as the UK’s Strong Customer Authentication (SCA) and the EU’s PSD2. 

SIM-based authentication – secure, compliant, and easier for customers

SIM-based authentication uses the existing cryptographic security built into a SIM card to authenticate the mobile number of the device being used, and link that to the customer’s account. 

As this approach does not use SMS PIN codes, it’s not vulnerable to man-in-the-middle attacks, social engineering or SIM swap fraud. It also makes life easier for the customer, as it’s a seamless and invisible experience.

The authentication works by using a secure, encrypted connection from the mobile device to the mobile network operator, which then verifies the associated mobile number. 

Once verified, the mobile phone number can be compared with the device previously registered against that user’s bank account. If there is a match, the transaction can proceed.

The whole process is highly secure yet simple for the customer, who needs to do nothing other than type their mobile number; with no code to retrieve or retype, there is no step for a malicious actor to intercept or redirect.
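To make the flow concrete, here is a simplified server-side model of the check-and-compare step described above. It is an added illustration, not tru.ID's own code or API: the operator lookup is a constructed in-memory table, and the opaque check ids, their single-use semantics and the expiry window are assumptions made for the demonstration.

```python
"""Simplified model of SIM-based device binding (illustrative, not tru.ID's API)."""
import secrets
import time

CHECK_TTL_SECONDS = 120  # assumed lifetime of a pending check

# Constructed sample data: account -> mobile number bound at enrolment.
BINDINGS = {"acct-1001": "+447700900123"}

# Constructed stand-in for the operator's answer: the number active on the SIM
# that carried the check request, keyed by an opaque SIM reference.
OPERATOR_VIEW = {"sim-A": "+447700900123", "sim-B": "+447700900999"}

_pending = {}  # check_id -> (account, created_at)


def create_check(account, now=None):
    """Server side: open a check tied to an account and return its opaque id."""
    check_id = secrets.token_urlsafe(16)
    _pending[check_id] = (account, now if now is not None else time.time())
    return check_id


def complete_check(check_id, sim_ref, now=None):
    """Operator has resolved the check; compare the verified number with the binding.

    Returns "bound", "mismatch", "expired" or "unknown-check". Each check id is
    consumed on first use, so a captured result cannot be replayed later.
    """
    entry = _pending.pop(check_id, None)
    if entry is None:
        return "unknown-check"
    account, created = entry
    current = now if now is not None else time.time()
    if current - created > CHECK_TTL_SECONDS:
        return "expired"  # stale check: the device must start again
    verified_number = OPERATOR_VIEW.get(sim_ref)
    if verified_number is not None and verified_number == BINDINGS.get(account):
        return "bound"  # same number as at enrolment: transaction can proceed
    # Different SIM/number than the one enrolled (e.g. a SIM change): do not
    # proceed; the account should be re-bound through a separate, stronger flow.
    return "mismatch"
```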

Built on the same simple and secure technology in bank cards

Inside every SIM card is the same cryptographically secure, tamper-resistant authentication technology that exists inside every bank card. 

When used in a mobile phone, it has a unique identifier – the International Mobile Subscriber Identity, or IMSI. 

The pairing of this IMSI with a mobile phone number creates a unique combination that, using the SIM card’s strong cryptographic security, ensures an active binding of the transacting mobile device with the customer and their bank account.

This SIM-based approach to device binding leverages the advanced security technology built into every SIM card, and avoids the pitfalls of alternative approaches:

  • PIN code free: With no passcodes to be intercepted, man-in-the-middle attacks are impossible.

  • Tamper-resistant: Cryptographic keys are stored in solid-state storage within the SIM card.

  • Hardware-based: SIM security is impervious to attacks against the physical mobile handset, its OS, and its apps – there’s no risk of compromise via rooting, hacking, or malware.

  • Effectively unclonable: Modern SIM cards incorporate advanced cryptographic algorithms which restrict access to stored secret data and prevent cloning of the card.

How to get started 

tru.ID’s technology is quick and easy to deploy and available for all mobile operating systems.

Book your free 30-minute demo today to see it in action and discuss how tru.ID can help you deliver a secure, frictionless mobile device binding solution for your customers.