“As more of your personal life moves online, having a single way to identify yourself matters. It helps you find people, helps people find you, and helps keep you safe.”
Source: Wired, August 2017
Phone Numbers Are Becoming the Modern Way to Identify Consumers & Small Businesses
First UK customer – Barclays
• Engaged with client against a backdrop of a growing awareness of the risks / vulnerabilities of SMS and incoming PSD2.
• Ask:
– Improving the mobile banking activation experience by replacing SMS OTP with a more convenient and secure alternative
– SS7 independent – data must come directly from the MNO
– Help meet SCA requirements of PSD2
• Solution:
– Instant Auth (incl. SDK) + Sim Swap to provide secure verification of the SIM card of the mobile account, overlaid with a behavior check to identify possible account takeover attacks
• Process:
– Extensive engagement with bank’s security team to get them comfortable with the technology
– SIM card encryption
– SS7 vs. direct APIs
– Coverage, limitations, risks
How it works?
Mobile authentication is based on a three-call flow: two of the calls are handled in a server-to-server environment, and one occurs on the phone.
[Diagram: Bank App, Bank Server and Prove exchange three messages: < MOBILE NUMBER >, < UNIQUE URL >, < TOKEN >]
▪ Authentication must occur over the mobile data channel since interaction with the Mobile Network Operator is a critical part of the process.
▪ Prove has developed an SDK to force cellular data channel use while a user is connected to Wi-Fi. SDK binary and source code available on request.
▪ This works on both Android and iOS and is live and at scale within Tier-1 mobile banking apps (UK & US).
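The three-call flow sketched above, as an added simulation that is not Prove's or the bank's code: a hypothetical ProveService issues a single-use URL for the submitted number (call 1), consumes that URL when the phone fetches it over cellular data and signs a token (call 2, with the MNO's identification of the line modelled by an observed_msisdn parameter), and lets the bank server redeem the token (call 3). Class and function names, the MSISDNs and the HMAC token format are all assumptions made for the example.

```python
import hashlib, hmac, secrets, time


class ProveService:  # hypothetical stand-in for the MNO-backed verification service
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._pending = {}  # url_id -> (expected msisdn, expiry)

    def create_check(self, msisdn: str, ttl: int = 60) -> str:
        # Call 1 (server to server): bank server submits the number, gets a single-use URL.
        url_id = secrets.token_urlsafe(16)
        self._pending[url_id] = (msisdn, time.time() + ttl)
        return f"https://prove.example/check/{url_id}"

    def fetch_url(self, url: str, observed_msisdn: str):
        # Call 2 (on the phone, over cellular data): the MNO identifies which line carried
        # the request; that is modelled here by observed_msisdn. The URL is consumed on use.
        url_id = url.rsplit("/", 1)[1]
        entry = self._pending.pop(url_id, None)
        if entry is None or time.time() > entry[1]:
            return None  # unknown, already used, or expired
        verdict = "match" if observed_msisdn == entry[0] else "mismatch"
        payload = f"{url_id}:{entry[0]}:{verdict}"
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def verify_token(self, token: str):
        # Call 3 (server to server): bank server redeems the token; the service checks its own MAC.
        parts = token.split(":")
        if len(parts) != 4:
            return None
        url_id, msisdn, verdict, sig = parts
        good = hmac.new(self._key, f"{url_id}:{msisdn}:{verdict}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, sig):
            return None
        return {"url_id": url_id, "msisdn": msisdn, "verdict": verdict}


def bank_authenticate(prove: ProveService, claimed_msisdn: str, line_seen_by_mno: str) -> bool:
    # Bank server side: runs calls 1 and 3; call 2 is what the app would do on the device.
    url = prove.create_check(claimed_msisdn)
    token = prove.fetch_url(url, line_seen_by_mno)  # simulated device fetch over cellular data
    if token is None:
        return False
    result = prove.verify_token(token)
    # Bind the result to the URL this session issued so a token from another check cannot be swapped in.
    return (result is not None and result["url_id"] == url.rsplit("/", 1)[1]
            and result["msisdn"] == claimed_msisdn and result["verdict"] == "match")
```

The constructed numbers in the checks below use the UK 07700 900xxx range reserved for fiction; a second fetch of the same URL fails, as does a tampered token.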