
Securing Mobile Channel


ValidSoft's Multi-Factor Authentication Platform SMART™ 100% Configurable Using the Mobile Channel


ValidSoft’s SMART™ platform, standing for Secure Mobile Architecture for Real-time Transactions, is designed to cater for the disparity in mobile networks, mobile devices, use-cases and the corresponding transactional risk intrinsic in mobile payment applications.

SMART™ achieves this by providing a layered architecture of voice and mobile network-based security protocols and technologies, both visible and invisible, to protect mobile payment and M-banking transactions alike. The techniques can be implemented singularly or in any combination, depending on the physical constraints of mobile networks and devices, as well as the individual transactional risk and jurisdictional factors.

Obviously a payment system based on a 2G network and 2G handsets may have less scope for additional security layers than a 4G network using smart-phone technology. There will always be a lowest common denominator, however, and SMART™ is designed to protect any network or system, regardless of the context.





SIM-Swap and Call Forward

Mobile payment systems, depending on their nature, may also be susceptible to some of the traditional Internet banking attack vectors. However, there are two attack vectors that can compromise any mobile-based system where actual transmission of information, either voice or SMS, is involved. These are SIM Swap and CFU (Call-Forward-Unconditional), both of which are forms of Pseudo Device Theft. A third vector, CLI (Caller Line Identification) Spoofing, is also a threat where the inbound number (the CLI) is relied upon as a primary form of identification.

In most countries CFU affects only voice calls whilst SIM Swap, the more damaging of the two, affects both voice calls and SMS. In effect, they allow a fraudster to seize control of the phone’s transmissions, both inbound and outbound. Therefore, calls or SMS messages sent to or received from a genuine customer may in fact be sent to or received from a fraudster who has taken possession of the customer’s mobile phone number. Whilst SIM Swap and CFU detection form two layers of invisible protection by SMART™, these are not guaranteed to be available in all countries and all networks, depending on the network architectures supported by individual Mobile Network Operators (MNOs). Where SIM Swap detection, in particular, cannot be deployed, any other authentication method reliant on the veracity of the mobile phone number is effectively rendered single-factor or weak authentication and is therefore at risk. Where previously the attributes of uniqueness and possession enabled the mobile’s SIM to be considered a genuine second factor, Pseudo Device Theft compromises this proposition. Where the MNO networks do allow SMART™ to detect Pseudo Device Theft, the SIM, or terminating number, can be trusted as a genuine second factor.

              

SMART™, therefore, caters for both scenarios. Any mobile-based security architecture needs to be based on two fundamental questions:

1. Does the security of the model rely partially or fully on the sacrosanctity of the mobile phone number?

2. If so, can potential compromises of the mobile phone number be detected in the country/region where the model is deployed?

Mobile Payments and Mobile banking

The nature and architecture of a mobile payments system or mobile application, along with any existing security measures, determine which fraud vectors the system or application may be susceptible to. In the case of M-banking, for instance, these will typically include all of the traditional Internet banking attack vectors such as Phishing, Man-in-the-Middle/Browser and Trojans. ValidSoft successfully demoed live at FinovateFall 2012 how its SMART™ platform secures mobile banking and mobile wallet transactions (enrollment, activation and transaction).

 

ValidSoft's multi-factor approach can protect M-banking transactions from all of the attacks that affect internet banking. Given that modern smart phones contain both voice and data channels, the concept of channel separation, critical for the detection of manipulated transactions caused by Man-in-the-Mobile-Browser or phone-resident Trojans, is fully supported.

 

Voice Biometrics


If the model in question does rely on the integrity of the phone number and Pseudo Device Theft cannot be detected due to network constraints, then SMART™ natively provides the lowest common denominator for a mobile model, being Voice Biometrics. The biometric engine used by SMART™ is ValidSoft’s proprietary VALid-SVP, a leading-edge voice verification platform providing text-dependent, text-independent and conversational voice verification. Because VALid-SVP is a layer within the SMART™ platform, it also benefits from context awareness, providing the ability to dynamically adjust thresholds and workflows based on contextual information. The SMART™ biometric voice verification works on any network, on any mobile device and is extremely easy to enrol with and use. It is tuned specifically for use with mobile devices and short-duration speech. A typical mobile payment deployment, for example, would use a simple text-dependent model comprising a prompted short phrase or random number.

Voice biometrics is not only the lowest common denominator that will overcome Pseudo Device Theft and work on any mobile phone, but also the strongest form of authentication available. Where Pseudo Device Theft can be detected, Voice Biometrics can obviously still be used, though other layers within SMART™ are also available in conjunction or as an alternative. Because the mobile’s SIM can now be considered sacrosanct, assuming no Pseudo Device Theft is detected, Out-of-band (OOB) authentication, with or without Voice Biometrics, is a strong authentication solution. The SMART™ model supports OOB Knowledge Based Authentication (KBA), simple challenge response (e.g. PIN), or no challenge at all.

Additionally, voice-based Transaction Verification can be utilised to overcome fraud vectors such as Man-in-the-Middle and Man-in-the-Browser. This is totally configurable, including options for “Corporate Voice”, Text-to-Speech or a combination of both. In conjunction with any or all of these other layers, SMART™ can also perform various levels of proximity checking, where local networks allow. This can range from country-level analysis, i.e. what country the mobile device is in, through to far more granular correlations, but in a totally privacy-sensitive manner, such as real-time context awareness, which is essential for, e.g., mobile-present transactions at the ATM or Point of Sale (POS). Likewise, where smart-phones are used, using either browsers or apps, SMART™ can also perform device recognition, another layer of invisible authentication that could, for instance, provide contextual information into the Voice Biometrics engine or alternatively operate as a standalone authentication layer.