Zurich, Switzerland – 10 May 2017 – Myriad Group AG (SIX Swiss Exchange: MYRN), in the wake of recent reports of Mobile Identity fraud costing the European economy millions, is pioneering out-of-band authentication services to validate online transactions and help counter the growing threat of Mobile Identity fraud.
Recent cases of mobile identity theft in Europe have seen customers lose substantial amounts of money; most notably in Germany , where individual customers have lost hundreds of 1 thousands of Euros to these fraudsters. Criminals are exploiting a security vulnerability which exists within global telecom networks that allows the interception of SMS communication between a customer and their bank. This SMS communication is used by banks and financial institutions to authenticate online transactions, by sending their customers a One Time Password (OTP) via SMS. OTP via SMS is used by banks as part of a two-factor authentication (2FA) process to strengthen the security around online transactions. However, by intercepting this communication through manipulating the mobile networking protocol (SS7), as seen in Germany recently, criminals are able to gain access to customer’s bank accounts and validate the removal of funds from them.
SIM Swap fraud is the most well known example of mobile identity theft, which has plagued financial institutions and network operators for some time in Europe. However, it is clear that Mobile Identity fraud has evolved beyond SIM Swap, with criminals now deploying more sophisticated methods to intercept OTP via SMS over the networks. The principles for detecting the fraud remain the same, however. The mobile device has to be verified as a trusted source and the appropriate questions asked, at the appropriate time, by an independent source, to validate a transaction. Under the upcoming European Banking Association’s Revised Payments Services Directive (PSD2), 2FA will be required for all digital transactions and it will be important that true out of band, independent channels are used for 2FA.
Myriad’s service can help to reduce Mobile Identity theft and SIM-Swap fraud by providing a real time check on the SIM directly, which cannot be tampered with via compromised third parties within an operator or bank. Using USSD (Unstructured Supplementary Service Data) authentication, a direct link between the known unique identity of a SIM card and a response to a 2FA challenge can be established and validated. Furthermore, no persistent data is held with any third party, providing a more secure service than current two factor authentication services, like SMS, where data is stored and therefore vulnerable to being intercepted. The service opens up a point-to-point session between the bank and the customer, avoiding man-in-the-middle attacks. A clear audit trail is also established, where the user’s identity is verified by a party external to the transaction. This results in a technology that will greatly enhance the security of transactions vulnerable to Mobile Identity fraud.
“Even the National Institute of Standards and Technology in the US has identified that SMS is a risk 2,” explains Paul Kingsbury, VP Business Development at Myriad’s Connect Division. “It is not fit to secure financial services as it can be vulnerable to man-in-the-middle attacks. It poses a challenge for operators as there is no audit trail, opening a door to large scale fraud through a single point of failure.” These cases shows the urgent requirement for banks and financial institutions to move away from SMS-based authentication, in favour of true out of band solutions like Myriad Connect’s service.
1The Hacker News. 2017. Real World SS7 Attack – Hackers are Stealing Money from Bank Accounts.
2 Tech Crunch. 2016. NIST declares the age of SMS-based 2-factor authentication over.