What is a mobile possession factor – and how can it replace passwords to stop phishing?

By Paul McGuire, Co-Founder and CEO of tru.ID

We all use email, and we all use passwords – which means we are all vulnerable to phishing attacks.

The frequency and success rates of phishing attacks is skyrocketing as criminals become more effective, and opportunities for attack greatly multiplied during the pandemic. Global losses from cybercrime are now around $1 trillion – staggering amounts of money that could be better spent elsewhere.

So far, the answer has been patching extra layers of security on top of emails and password logins – Captcha forms, SMS codes, confirmation emails.

These standard multi-factor authentication (MFA) approaches are sticking plasters that don’t address the core problem. They still fall back to shareable credentials such as passwords and OTP codes, and remain vulnerable to phishing because they rely on knowledge only.

As long as credentials can be shared, they can be intercepted and misused. Stolen credentials are still the most common attack vector leading to data breaches.

What is needed is a shift from knowledge-based credentials to possession-based security – which doesn’t rely on information that can be duplicated, like passwords or codes. This can sit on top of other other strong security such as biometrics.

Now, for the first time, the possession factor security built into mobile networks is available by API – minimising the possibility for phishing and protecting your users from attack.

Why is phishing a still-growing problem?

Phishing and other types of social engineering rely on human behaviour to breach an organisation’s weaknesses. They make use of the convenient, knowledge-based email & password method most of us use to access services online, by tricking us into sharing those credentials.

Criminals use these methods because they are low-risk, scaleable, and fully remote. And they’re only getting more successful – tools available on the dark web can help attackers automate cyberattacks, and run a criminal operation as a full-scale business.

Phishing scams increased by 59% in the wake of the Covid-19 pandemic, according to INTERPOL Secretary General Jürgen Stock, who commented “Cyber-criminals are developing and boosting their attacks at an alarming pace.”

2FA codes are part of the problem

Passwords are a knowledge factor that involve a shareable credential, and so can be easily phished. This is why most services require a further step, or second-factor authentication (2FA).

Unfortunately, most 2FA methods also involve a shareable credential which can itself be phished – typically a one-time password (OTP) or PIN code, sent via SMS or email. Even worse, criminals are specifically targeting these methods: researchers found that over 1,200 phishing kits designed to steal 2FA codes are out in operation.

And while purpose-built hardware for MFA exists, it’s prohibitively expensive and not owned by the average person.

The answer, therefore, cannot lie in adding more layers of friction that kill the user experience without truly keeping out attackers.

Seamless, stronger security can only work with a possession factor that is widely available, easy to use, easy to integrate, and cost-effective. Now, for the first time, this is possible – using the SIM cards that already exist in over 5 billion mobile phones worldwide.

The new phishing-resistant possession factor

SIM authentication is the new solution that the security world has been waiting for. SIM cards are the same highly secure, proven microchip technology that is built into every credit card. There is a SIM card in every mobile phone – everyone already has this powerful hardware in their pocket.

Using the cryptographic security of the SIM card can deliver strong, multi-channel authentication that is easy to use and simple to deploy. Now, at last, there is an easy, cost-effective way to stop relying on shareable credentials and make possession-factor verification available to all.

How does SIM-based auth work better?

When we use our mobile phones (to browse the internet, make a video call, or use data on an app) we don’t need to type our email and a password to log in – the mobile network operator performs a cryptographic check of the SIM card, silently in the background, to prove it is valid. From that point forward, all communication between the device and the network is fully encrypted.

This strong, cryptographic security is built into the SIM card in every mobile phone, and it happens silently in the background every time we use our mobile device. But until recently, it wasn’t possible for businesses to program the authentication infrastructure of a mobile network into an app as easily as any other code.

Now, for the first time, this authentication capability is available as a possession factor API.  Simply add the tru.ID SDK into your existing mobile app to instantly make possession-factor security available to all your users.

Secure app registration, login, step-up checks and more…

In the past, when a new user registered for your app, you had very little data you could trust. Now, with SIM-based authentication, you can use the mobile number together with a secure SIM card possession check as a strong, trusted credential.

The same can be applied to step-up checks – when a customer is about to perform a higher risk action (for example making a payment or accessing sensitive data). You can now use a SIM check to ensure the user still has the valid SIM card in their possession before allowing the transaction to go ahead. Unlike other MFA, it happens silently, with no need for additional data entry by the customer, and can even detect potential SIM swap fraud.

Ready to learn more? 

To find out how to implement next-gen authentication and deliver high security, low friction authentication experiences to your users, simply book your free 30-minute demo or visit the tru.ID website. For developers, the tru.ID API documentation is all online: sign up and start testing for free at https://tru.id/signup.

 

About tru.ID

tru.ID helps businesses to reduce the threat of cybercrime with a range of mobile identity and authentication solutions for customers and employees. tru.ID offers passwordless authentication solutions that leverage the cryptographic security of the SIM card already present in every phone. This revolutionary approach delivers hardware-grade security at scale – delivered via API without the need for separate hardware. tru.ID is already live in 20 markets covering over 2bn mobile accounts.

About the Author

What is a mobile possession factor – and how can it replace passwords to stop phishing?Global mobile verification platform tru.ID is Paul’s third venture, building on over 20 years of entrepreneurship in telecoms, mobile and financial services. Prior to tru.ID, Paul founded Paymo Inc which was acquired by Boku, where he became a Board member and ran worldwide business development. Prior to Paymo, Paul was co-founder and COO of mBlox, pioneers of mobile messaging, building a business active in over 50 countries that was acquired by Sinch. Paul’s early career was at Booz, Allen & Hamilton. Paul holds an MBA from INSEAD and an Engineering degree from Cambridge University.

January 3, 2023

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...

X