How banks can better protect their customers’ identity with GMS Check IMSI
As the use of e-commerce and online banking increases, so too do incidents of fraud. And as more customers use a company’s online service, the opportunity for fraud – the “threat surface” – also increases. Mobile is increasingly drawn into this, as companies begin to use customers’ mobile phones as a means of confirming their identity.
Solutions like two-factor authentication (2FA) – or even simply calling a customer to confirm a transaction – can in principle help reduce the chance of fraud. However, they also make the mobile platform another target, and another vulnerability.
Say a fraudster steals someone’s credit card details. They now know that if they make a large transaction the customer will be prompted for a second code, like a one-time password (OTP) delivered by 2FA to that customer’s mobile. So the fraudster will attempt what is called a SIM swap: they will gather information about their victim allowing them to impersonate said victim. This lets them request a new SIM card from the victim’s mobile network operator, likely claiming the original has been lost or damaged, and ask them to transfer the victim’s mobile phone number to this new SIM card. The fraudster can then insert the “replacement” SIM into a phone and receive all the messages their victim would have – including identity verification checks and 2FA messages.
Increasing identity protection
So, is 2FA useless for securing a bank’s customers? No. Like all cyber security efforts, it is one of many layers, and here we will explain how to harden identity verification with another, invisible layer of protection.
What we are interested in here is actually contained within the SIM card itself, and is referred to as an International Mobile Subscriber Identity, or IMSI. This is a number of 14-15 digits which identifies a mobile subscriber by their SIM card. In other words, the IMSI is a unique code stored on and associated with the SIM card, not the mobile phone number (or MSISDN). If the phone number is transferred to a new SIM, for whatever reason, the IMSI is not. This means there is a potential counter to SIM swap fraud, because security-conscious businesses can check the IMSI of a mobile subscriber, verifying their identity, before sending sensitive information like OTPs.
How does Check IMSI work?
When a customer accesses the bank’s systems – usually when they enter a password, initiating a 2FA check, but potentially also when they make a payment or use e-commerce on their mobile – the bank can request GMS to check the IMSI number associated with the customer’s account.
Before authorizing any interaction, the bank requests the IMSI from the SIM currently linked with the customer’s phone number, which GMS retrieves from the customer’s network operator. GMS passes this to the bank, which checks the IMSI retrieved from the network against the IMSI registered in its database.
If that number does not match the registered IMSI, the phone number has been swapped – transferred to another SIM, very possibly by someone looking to access the real customer’s finances. The bank can then contact their customer using some other channel (say email or a landline phone call) to verify their identity and alert them to a possible fraud.
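The check described above, seen from the bank's side, as an added example that is not GMS code. `lookup_imsi` is a hypothetical callable standing in for the Check IMSI request, the phone numbers and IMSIs are constructed, and refusing to send the OTP when the lookup fails is an assumption the article does not state.

```python
import re
from enum import Enum

IMSI_RE = re.compile(r"[0-9]{14,15}")  # the article describes the IMSI as 14-15 digits


class Decision(Enum):
    SEND_OTP = "send_otp"                   # SIM unchanged: deliver the OTP by SMS
    VERIFY_OTHER_CHANNEL = "other_channel"  # possible SIM swap: use email or landline
    DENY_RETRY = "deny_retry"               # check could not run: fail closed (assumption)


def check_before_otp(msisdn, registered, lookup_imsi):
    """Decide whether an SMS OTP may be sent to `msisdn`.

    registered  -- dict mapping phone number -> IMSI recorded at enrolment
    lookup_imsi -- hypothetical callable standing in for the Check IMSI
                   request; returns the IMSI currently linked to the number
    """
    expected = registered.get(msisdn)
    if expected is None:
        # No baseline on file, so a match can never be shown.
        return Decision.VERIFY_OTHER_CHANNEL
    try:
        current = lookup_imsi(msisdn)
    except Exception:
        # A lookup outage or timeout must not silently skip the check.
        return Decision.DENY_RETRY
    if not isinstance(current, str) or not IMSI_RE.fullmatch(current):
        return Decision.DENY_RETRY  # malformed answer is treated like no answer
    if current == expected:
        return Decision.SEND_OTP
    # Number now sits on a different SIM: hold the SMS and alert the customer.
    return Decision.VERIFY_OTHER_CHANNEL


# Constructed sample data (not real subscriber identifiers).
REGISTERED = {"+15550100": "001010123456789", "+15550101": "001010987654321"}
NETWORK = {"+15550100": "001010123456789", "+15550101": "001010555555555"}


def sample_lookup(msisdn):
    """Constructed stand-in for the network lookup used in the demo."""
    return NETWORK[msisdn]  # raises KeyError for numbers the network does not know


if __name__ == "__main__":
    for number in ("+15550100", "+15550101", "+15550199"):
        print(number, check_before_otp(number, REGISTERED, sample_lookup).value)
```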
Protecting your customers, securing your business
Incidents of fraud are on the rise, and mobile-related fraud such as SIM swapping has grown over the last few years. Criminals are employing a sophisticated mix of malware, social engineering, and identity theft to access accounts and financial information. Banks and brands need to respond with a similarly multi-faceted approach to security, or risk reputational damage when customers decide they haven’t been given enough protection.
Check IMSI by Global Message Services is another powerful tool in the cybersecurity arsenal, one that works in the background without the customer having to lift a finger. Find out how GMS can enhance your security through automatic, unobtrusive identity verification.