A new service from tru.ID now makes it easy for any bank or business to implement strong user authentication for device binding, using the cryptographic security of the SIM card and a simple and secure API.
This service makes it possible to quickly and securely check the SIM card in the user’s phone, check the mobile number associated with that SIM card, and then confirm with the bank that the mobile number of the SIM card matches the RMN (Registered Mobile Number) that was previously registered for that user’s account.
This new approach to device binding improves on existing solutions in several ways:
We’ll explain the RBI’s guidance on why device binding is necessary, what it is, and why these improvements are so important.
When the Reserve Bank of India (RBI) published its ‘Master Direction on Digital Payment Security Controls’ in February 2021, regulated businesses in FinTech, banking, payments and crypto had to take note. The direction mandates that when authorising and processing payment transactions, apps must use at least one additional authentication factor to validate the user’s action, and that the MFA method must be ‘generally dynamic or non-replicable’, with ‘device binding and SIM’ given as an example. These controls are intended to prevent fraud, including attacks that rely on social engineering.
Specifically, it is necessary to be certain which mobile device is being used, then to associate that device with the correct user and with their bank account. Of particular note is that the guidelines recommend investigating and implementing stronger alternatives to SMS OTP (one-time passwords), which have been shown to be vulnerable to interception and account-takeover fraud.
To avoid fraud, it is important that only the registered account owner can spend money from a specific bank account. When a transaction happens in a physical bank, it is possible to use identity documents to verify that user’s identity. But when the transaction happens online, that is no longer possible, so a different verification process is required to reliably associate the online payment transaction with the user and their bank account.
A mobile number is assigned to exactly one active subscription at a time, which makes it a natural identifier for a user. The challenge is verifying that the number really belongs to the device in front of you, in a way that fraudsters cannot subvert and that is easy for the user.
Historically, PIN codes sent by SMS (also known as OTPs, or one-time passwords) have been used to try to verify a mobile number. This approach is now recognised as insecure, because SMS PIN codes are vulnerable to several different types of fraud attack:
In addition, PIN codes delivered by SMS can cause challenges for users and consequently for customer support teams:
For these reasons, many regulators, including the RBI, now recommend investigating and implementing alternatives to SMS OTP.
SIM-based authentication leverages the existing cryptographic security of the SIM card to authenticate the mobile number of the transacting device and link that to the user’s bank account. Because no SMS PIN code is involved, there is no code for an attacker to intercept in transit or to extract from the user by social engineering. One caveat a practitioner should keep in mind: a SIM swap moves the number to a new SIM, which the operator will then authenticate as normal, so detecting a recent swap requires an additional check on when the SIM was last changed, which some operators also expose. The approach also provides a far simpler user experience.
The authentication uses an encrypted connection from the mobile device to the mobile network operator over the cellular data path (not Wi-Fi), which lets the operator identify the SIM that originated the request and verify its associated mobile number. Once verified, the mobile number is compared with the RMN previously registered against that user’s bank account. If there is a match, the transaction can proceed.
The whole process is transparent to the user: the only input is their mobile number, and there is no code to be phished, forwarded or mistyped, so the usual channels for a malicious actor are closed.
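The bank-side half of that flow, the comparison of the operator-verified number with the RMN and the resulting decision, is small but easy to get subtly wrong (formatting differences between ‘+91 98765 43210’ and ‘09876543210’, unverified results treated as verified, a mismatch reason leaking the RMN to the client). The following is an added illustration, not tru.ID’s code or API: the `OperatorVerification` shape is a constructed stand-in for whatever the operator check returns, the default country code 91 is an assumption for Indian numbers, and the optional `sim_changed_days_ago` field is hypothetical, included to show where a SIM-swap check would plug in if the operator reports it.

```python
"""Device-binding decision: compare an operator-verified MSISDN with the bank's RMN.

Added example. The OperatorVerification shape is constructed for illustration and is
not tru.ID's real response schema; sim_changed_days_ago is a hypothetical field.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class OperatorVerification:
    verified: bool                            # True only if the operator authenticated the SIM
    msisdn: str                               # number the operator asserts for that SIM
    sim_changed_days_ago: Optional[int] = None  # hypothetical: days since SIM was replaced, if reported


def normalize_e164(number: str, default_cc: str = "91") -> str:
    """Canonicalise a mobile number to '+<country code><national number>' so that
    '+91 98765 43210', '098765 43210' and '9876543210' all compare equal.
    default_cc is the assumed country code for national-format input (91 = India).
    """
    raw = number.strip()
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+"):
        pass                                  # already international: digits include the country code
    elif digits.startswith("00"):
        digits = digits[2:]                   # international dialling prefix, e.g. 0091...
    elif digits.startswith("0"):
        digits = default_cc + digits[1:]      # trunk prefix: national format, e.g. 098765...
    elif len(digits) == 10:
        digits = default_cc + digits          # bare 10-digit national number
    elif not digits.startswith(default_cc):
        raise ValueError(f"cannot interpret {number!r}")
    if not 8 <= len(digits) <= 15:            # E.164 length limits
        raise ValueError(f"invalid length for {number!r}")
    return "+" + digits


def bind_device(v: OperatorVerification, rmn: str,
                max_sim_age_days: Optional[int] = None) -> Tuple[bool, str]:
    """Bank-side decision. Returns (allowed, reason).

    The reason is for the audit log only; the client must never see it, since it
    would tell an attacker whether the RMN they guessed was right.
    """
    if not v.verified:
        return False, "operator did not authenticate the SIM"
    try:
        verified_number = normalize_e164(v.msisdn)
        registered_number = normalize_e164(rmn)
    except ValueError as exc:
        return False, f"unparseable number: {exc}"
    if verified_number != registered_number:
        return False, "SIM's mobile number does not match the RMN"
    # Hypothetical SIM-swap guard: a freshly replaced SIM still authenticates with
    # the operator, so a recent change should trigger step-up authentication.
    if (max_sim_age_days is not None and v.sim_changed_days_ago is not None
            and v.sim_changed_days_ago < max_sim_age_days):
        return False, "SIM was replaced recently; step up authentication"
    return True, "device bound: SIM number matches RMN"


if __name__ == "__main__":
    # Constructed sample inputs.
    rmn_on_file = "98765 43210"
    cases = [
        OperatorVerification(True, "+919876543210"),
        OperatorVerification(True, "+919876543211"),
        OperatorVerification(False, "+919876543210"),
        OperatorVerification(True, "+919876543210", sim_changed_days_ago=2),
    ]
    for case in cases:
        print(case, "->", bind_device(case, rmn_on_file, max_sim_age_days=7))
```

Normalise both sides before comparing, never just the operator’s value: RMNs captured at branch level often carry spaces, a leading zero or no country code at all, and a byte-wise comparison against a clean ‘+91…’ value would reject legitimate customers.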
A SIM is a smart card built on the same tamper-resistant secure-element technology as an EMV bank card. Each subscription has a unique International Mobile Subscriber Identity (IMSI), and the SIM holds a secret key known only to it and the operator, which the network uses to authenticate the SIM every time it attaches. The operator maintains the mapping from that IMSI to the subscriber’s mobile number (MSISDN); this authenticated mapping, together with the SIM card’s tamper resistance, is what binds the transacting mobile device to the user and their bank account.
This SIM-based approach to device binding leverages the advanced security technology built into every SIM card, and avoids the pitfalls of alternative approaches:
tru.ID can support all types of mobile apps, with a rich set of tutorials available for Android, iOS, React Native, and many other implementations. Our online platform is developer-first, with a sandbox for easy testing.
Book your free 30-minute demo today to see it in action and discuss how tru.ID can make device binding simple.