ValidSoft's Multi-Factor Authentication Platform SMART™ 100% Configurable Using the Mobile Channel
ValidSoft’s SMART™ platform, standing for Secure Mobile Architecture for
Real-time Transactions, is designed to cater for the disparity in mobile
networks, mobile devices, use-cases and the corresponding transactional
risk intrinsic in mobile payment applications.
SMART™ achieves this by providing a layered architecture of voice and
mobile network-based security protocols and technologies, both visible
and invisible, to protect mobile payment and M-banking transactions
alike. The techniques can be implemented singly or in any
combination, depending on the physical constraints of mobile networks
and devices, as well as the individual transactional risk and
Obviously a payment system based on a 2G network and 2G handsets may
have less scope for additional security layers than a 4G network using
smart-phone technology. There will always be a lowest common
denominator, however, and SMART™ is designed to protect any network or
system, regardless of the context.
SIM-Swap and Call Forward
Mobile payment systems, depending on their nature, may be susceptible
to some of the traditional Internet banking attack vectors. However,
there are two attack vectors that can compromise any mobile-based system
where actual transmission of information, either voice or SMS, is
involved. These are SIM Swap and CFU (Call-Forward-Unconditional), both
of which are forms of Pseudo Device Theft. A third vector, CLI (Calling
Line Identification) Spoofing, is also a threat wherever the inbound
number (the CLI) is relied upon as a primary form of identification.
In most countries CFU affects only voice calls, whilst SIM Swap, the more
damaging of the two, affects both voice calls and SMS. In effect, a SIM
Swap gives a fraudster control of the phone number's traffic, both
inbound and outbound, and CFU diverts its inbound calls. Therefore, calls
or SMS messages sent to or received from a genuine customer may in fact
be sent to or received from a fraudster who has taken possession of the
customer's mobile phone number. Whilst SIM Swap and CFU detection form
two layers of invisible protection within SMART™, these are not
guaranteed to be available in all countries and all networks, depending
on the network architectures supported by individual Mobile Network
Operators. Where SIM Swap detection, in particular, cannot be deployed,
any other authentication method reliant on the veracity of the mobile
phone number is effectively rendered single-factor or weak
authentication and is therefore at risk.
Where previously the attributes of uniqueness and possession enabled the
mobile’s SIM to be considered a genuine second factor, Pseudo Device
Theft compromises this proposition. Where the MNO networks do allow
SMART™ to detect Pseudo Device Theft then the SIM, or terminating number,
can be trusted as a genuine second-factor.
SMART™, therefore, caters for both scenarios. Any mobile-based security
architecture needs to be based on the fundamental questions of:
1. Does the security of the model rely partially or fully on the sacrosanctity of the mobile phone number?
2. If so, can potential compromises of the mobile phone number be detected in the country/region where the model is deployed?
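The two questions above amount to a policy decision that a risk engine has to make per authentication: can the phone number still be counted as a possession factor, and which layers are therefore usable? The following is an added example, not ValidSoft code and not a description of how SMART™ implements this. It assumes an MNO lookup that returns the date of the last SIM change and whether unconditional call forwarding is active (both signals, their field names, and the "changed since last verified" rule are assumptions), and it treats a missing signal as "unknown", which is the case the text describes where detection cannot be deployed.

```python
"""Channel-trust policy for phone-number-based authentication factors.

Added illustration, not ValidSoft code. The MNO signals below are assumed
to come from a SIM-swap / call-forwarding lookup; field names are
illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Trust(Enum):
    POSSESSION = "possession"    # channel is a genuine second factor
    UNKNOWN = "unknown"          # no detection available: single-factor at best
    COMPROMISED = "compromised"  # pseudo device theft detected


@dataclass
class MnoSignals:
    # None means the operator/network cannot supply this signal at all
    last_sim_change: Optional[datetime]         # when the SIM behind the number last changed
    call_forward_unconditional: Optional[bool]  # is CFU currently active on the line


@dataclass
class Customer:
    msisdn: str
    last_verified_at: datetime  # last time this number was used with a strong auth


def sms_trust(sig: MnoSignals, cust: Customer) -> Trust:
    """SMS depends only on the SIM: a swap since the last verified use is a takeover."""
    if sig.last_sim_change is None:
        return Trust.UNKNOWN
    if sig.last_sim_change > cust.last_verified_at:
        return Trust.COMPROMISED
    return Trust.POSSESSION


def voice_trust(sig: MnoSignals, cust: Customer) -> Trust:
    """Voice depends on both: a SIM swap captures calls, CFU diverts inbound calls."""
    sms = sms_trust(sig, cust)
    if sms is Trust.COMPROMISED:
        return Trust.COMPROMISED
    if sig.call_forward_unconditional is None:
        return Trust.UNKNOWN
    if sig.call_forward_unconditional:
        return Trust.COMPROMISED
    return sms  # POSSESSION or UNKNOWN from the SIM side


def inbound_cli_trust() -> Trust:
    """The CLI of an inbound call is spoofable, so it is never a possession factor."""
    return Trust.UNKNOWN


def select_layers(sig: MnoSignals, cust: Customer) -> dict:
    """Classify each number-dependent layer; voice biometrics never depends on the number."""
    s, v = sms_trust(sig, cust), voice_trust(sig, cust)
    strong, weak = [], []
    for name, trust in (("sms_otp", s),
                        ("voice_oob_callback", v),
                        ("voice_transaction_verification", v)):
        if trust is Trust.POSSESSION:
            strong.append(name)
        elif trust is Trust.UNKNOWN:
            weak.append(name)  # usable, but counts as single-factor
        # COMPROMISED channels are not offered at all
    return {
        "number_is_second_factor": bool(strong),
        "strong": strong,
        "weak": weak,
        "always_available": "voice_biometrics",  # lowest common denominator
        "pseudo_device_theft_detected": Trust.COMPROMISED in (s, v),
    }


def demo() -> dict:
    """Four constructed scenarios: clean line, SIM swap, CFU only, no detection."""
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed date
    cust = Customer("+447700900123", last_verified_at=now - timedelta(days=30))
    old, recent = now - timedelta(days=400), now - timedelta(days=2)
    return {
        "clean": select_layers(MnoSignals(old, False), cust),
        "sim_swap": select_layers(MnoSignals(recent, False), cust),
        "cfu": select_layers(MnoSignals(old, True), cust),
        "no_detection": select_layers(MnoSignals(None, None), cust),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "no_detection" case is the one the text warns about: every number-based layer is still technically deliverable, but none of them adds a factor, so the engine has to fall back to a layer that does not depend on the number.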
Mobile Payments and Mobile banking
The nature and architecture of a mobile payments system or mobile
application, along with any existing security measures, determines which
fraud vectors the system or application may be susceptible to. In the
case of M-banking, for instance, these will typically include all of the
traditional Internet banking attack vectors such as Phishing,
Man-in-the-Middle/Browser and Trojans. ValidSoft demonstrated live at
FinovateFall 2012 how its SMART™ platform secures mobile banking and
mobile wallet transactions (enrolment, activation and transaction).
ValidSoft's multi-factor approach can protect M-banking transactions
from all of the attacks that affect Internet banking. Given that modern
smartphones carry both voice and data channels, the concept of channel
separation, critical for the detection of manipulated transactions
caused by Man-in-the-Mobile-Browser or phone-resident Trojans, is fully
supported.
If the model in question does rely on the integrity of the phone number
and Pseudo Device Theft cannot be detected due to network constraints,
then SMART™ natively provides the lowest common denominator for a mobile
model, being Voice Biometrics. The biometric engine used by SMART™ is
ValidSoft's proprietary VALid-SVP, a leading-edge voice verification
platform providing text-dependent, text-independent and conversational
voice verification. Because VALid-SVP is a layer within the SMART™
platform it also benefits from context awareness, providing the ability
to dynamically adjust thresholds and workflows based on contextual
information. The SMART™ biometric voice verification works on any
network, on any mobile device, and is extremely easy to enrol with and
use. It is tuned specifically for use with mobile devices and
short-duration speech. A typical mobile payment deployment, for example,
would use a simple text-dependent model comprising a prompted short
phrase or random number.
Voice biometrics is not only the lowest common denominator that will
overcome Pseudo Device Theft and work on any mobile phone, but also the
strongest form of authentication available. Where Pseudo Device Theft
can be detected, Voice Biometrics can obviously still be used, though
other layers within SMART™ are also available in conjunction or as an
alternative. Because the mobile's SIM can now be considered sacrosanct,
assuming no Pseudo Device Theft is detected, Out-of-band (OOB)
authentication, with or without Voice Biometrics, is a strong
authentication solution. The SMART™ model supports OOB Knowledge Based
Authentication (KBA), simple challenge-response, e.g. a PIN, or no
challenge at all.
Additionally, voice-based Transaction Verification can be utilised to
overcome fraud vectors such as Man-in-the-Middle and Man-in-the-Browser.
This is fully configurable, including options for "Corporate Voice",
Text-to-Speech or a combination of both. In conjunction with any or all
of these other layers, SMART™ can also perform various levels of
proximity checking, where local networks allow. This can range from
country-level analysis, i.e. what country the mobile device is in,
through to far more granular correlations, in a privacy-sensitive
manner, such as real-time context awareness, which is essential for,
e.g., mobile-present transactions at the ATM or Point of Sale (POS).
Likewise, where smartphones are used, via either browsers or apps,
SMART™ can also perform device recognition, another layer of invisible
authentication that can, for instance, feed contextual information into
the Voice Biometrics engine or operate as a standalone authentication
layer.
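Channel separation and voice-based Transaction Verification, described above, defeat a Man-in-the-Browser for one reason: the readback is generated from the transaction as the server received it, and the confirmation travels on a channel the Trojan does not control. The simulation below is an added example, not ValidSoft code or a description of SMART™'s internals. It assumes a simple bank back end, a Trojan that rewrites the payee after submit and auto-answers any in-page confirmation prompt, and a user who compares what the voice channel reads back with what they intended; all names and the sample transaction are constructed for illustration.

```python
"""Same-channel versus out-of-band transaction verification under a
Man-in-the-Browser. Added illustration, not ValidSoft code."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_pence: int
    reference: str


def readback(tx: Transaction) -> str:
    """Text the voice channel speaks (Text-to-Speech or a recorded 'corporate voice')."""
    return (f"Pay {tx.amount_pence / 100:.2f} pounds to {tx.payee}, "
            f"reference {tx.reference}. Say yes to confirm.")


@dataclass
class User:
    intended: Transaction

    def answer_call(self, spoken: str) -> str:
        # The user checks the spoken details against what they actually typed.
        return "yes" if spoken == readback(self.intended) else "no"


class Bank:
    def __init__(self) -> None:
        self.pending: dict = {}
        self.ledger: list = []

    def submit(self, tx: Transaction) -> str:
        """Store the transaction exactly as it arrived over the browser channel."""
        tx_id = secrets.token_hex(4)
        self.pending[tx_id] = tx
        return tx_id

    def confirm_in_band(self, tx_id: str, browser_says_ok: bool) -> bool:
        """Confirmation on the same channel the attacker controls (the weak design)."""
        if browser_says_ok:
            self.ledger.append(self.pending.pop(tx_id))
            return True
        return False

    def confirm_out_of_band(self, tx_id: str, user: User) -> bool:
        """Voice callback reads back the server-side record; only the user's spoken
        answer on that channel releases the payment."""
        tx = self.pending[tx_id]
        if user.answer_call(readback(tx)) == "yes":
            self.ledger.append(self.pending.pop(tx_id))
            return True
        del self.pending[tx_id]  # declined: nothing is paid
        return False


def man_in_the_browser(tx: Transaction) -> Transaction:
    """Trojan rewrites the payee after the user clicks submit; the page the user
    sees still shows the original details."""
    return Transaction("MULE ACCOUNT 12345678", tx.amount_pence, tx.reference)


def run(out_of_band: bool, tampered: bool) -> tuple:
    """Return (payment released?, payee actually paid or None)."""
    bank = Bank()
    intended = Transaction("ACME LTD", 12050, "INV-2031")  # constructed sample
    user = User(intended)
    sent = man_in_the_browser(intended) if tampered else intended
    tx_id = bank.submit(sent)
    if out_of_band:
        ok = bank.confirm_out_of_band(tx_id, user)
    else:
        ok = bank.confirm_in_band(tx_id, browser_says_ok=True)  # Trojan clicks "OK"
    paid_to = bank.ledger[0].payee if bank.ledger else None
    return ok, paid_to


if __name__ == "__main__":
    print("in-band, tampered:     ", run(out_of_band=False, tampered=True))
    print("out-of-band, tampered: ", run(out_of_band=True, tampered=True))
    print("out-of-band, genuine:  ", run(out_of_band=True, tampered=False))
```

The point the simulation makes is that the verification text must be built from the server's copy of the transaction, never from anything the browser sends back for display; a readback of browser-supplied details would be just another in-band confirmation.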