The problem with recycled numbers
Another consequence of the separation of MSISDN and IMSI is what happens when a mobile number gets recycled. There are only so many mobile numbers available in each country, so there is always pressure to free up more, as MNOs can go through them quickly.
For example, MNOs will often send out prepaid SIM cards as a marketing tactic to attract customers to their network. Each of those SIMs has a phone number assigned to it, so even if it’s not activated, no one else can use that number for a period of time.
But if it hasn’t been used after a period of time, a mobile operator will recycle the MSISDN and put it back into the pool of available numbers.
The length of time varies by network. It can generally take between 90 days and a year before an unused number becomes available again in the UK, but it can be a matter of weeks or even days in some countries. This means a new user may inadvertently access a previous user’s login information when trying to register for accounts — or even receive messages, calls, and two-factor authentication codes intended for the previous user.
At best, this might simply lead to a confused stranger accidentally viewing your social media profile. At worst, it could mean a malicious individual deliberately accessing your online accounts, taking your money, and stealing your identity.
Is MSISDN alone ever secure?
The short answer is no — anything that just relies on your MSISDN, such as an SMS code or voice message, should not be your only security method, as it can be intercepted in several different ways.
However, alternative security methods tend to come with their own problems. Codes sent via email can also be stolen via phishing or social engineering attacks. On-device biometrics such as thumbprints may feel more secure, but are just a shorthand way of confirming a stored password – notice you can always opt to enter a password instead, which a malicious actor will choose to do.
And external software or hardware, such as authenticator apps and security dongles, involves user effort and a cost that can be prohibitive.
The right level of authentication for an app or service has generally been a headscratcher for security teams, involving a balance between the level of risk and whether adding more complexity to the user experience is worth it.
Using the IMSI for security – it’s now possible
There’s no need to compromise now. The key to authenticating a mobile user quickly, securely and reliably is to use their mobile number, but perform the verification using the unclonable SIM card in the mobile phone.
Mobile networks already do it every second – now businesses can take advantage of the same technology. It’s the strong security that mobile phones already use, as well as the simplest solution for the user.
Unrivalled security: Mobile phone numbers are uniquely tied to an individual SIM card. At any one time, this pairing of mobile number + SIM card is entirely unique and cryptographically secure.
Prevents SIM swap: Authenticating both the mobile number and SIM card works against SIM swap fraud by ensuring that the number hasn’t been recently reassigned.
Solves recycled numbers: Identifying users based on a combination of mobile number + SIM card removes the risk of account details being compromised by a reassigned number, keeping users secure.
Seamless UX: For a user, the security is silent and effortless: just type your number and it will be verified in seconds, with no extra action required.
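The number + SIM pairing check described in the points above, as an added sketch that is not tru.ID's API or code. It assumes a network-backed verification step has already returned an opaque SIM identifier (`sim_id`) and the time of the last SIM change for the number; all names, the decision labels and the seven-day threshold are hypothetical.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumption: a SIM change newer than this is treated as a possible SIM swap.
RECENT_SIM_CHANGE = timedelta(days=7)


class SimBindingStore:
    """Maps a phone number to the account and SIM it was enrolled with."""

    def __init__(self, key: bytes):
        self._key = key
        self._bindings = {}  # msisdn -> (account_id, sim_tag)

    def _tag(self, msisdn: str, sim_id: str) -> str:
        # Store a keyed hash of the pairing, never the raw SIM identifier.
        msg = f"{msisdn}|{sim_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def enroll(self, account_id: str, msisdn: str, sim_id: str) -> None:
        self._bindings[msisdn] = (account_id, self._tag(msisdn, sim_id))

    def decide(self, msisdn, sim_id, sim_changed_at, now):
        """Return (decision, account_id) for a login attempt on msisdn."""
        binding = self._bindings.get(msisdn)
        if binding is None:
            return ("register_new", None)
        account_id, enrolled_tag = binding
        if hmac.compare_digest(enrolled_tag, self._tag(msisdn, sim_id)):
            return ("allow", account_id)
        # Same number, different SIM: a SIM swap or a recycled number.
        # Either way the number alone must not open the enrolled account.
        if sim_changed_at is not None and now - sim_changed_at < RECENT_SIM_CHANGE:
            return ("block_recent_sim_change", None)
        return ("require_other_factor", None)


# Constructed sample data, not real subscriber identifiers.
NOW = datetime(2024, 6, 1, 12, 0)
store = SimBindingStore(key=b"constructed-demo-key")
store.enroll("acct-alice", "+447700900123", "sim-A")
```

A mismatch never returns the enrolled account, so a new holder of a recycled number cannot inherit the previous user's login.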
About tru.ID
tru.ID uses the cryptographic security of the SIM card to unlock a whole new way of doing business online. The company’s products allow developers to completely re-engineer the mobile user experience, helping to increase revenues and reduce fake accounts and fraud.
The tru.ID API platform is self-service, with mobile SDKs and tooling that supports a modern development workflow from initial integration through to deployment at scale.
tru.ID is already live in 23 markets covering over 2bn mobile accounts.