October 27, 2017
October is Cybersecurity Awareness Month, and with the recent string of data breaches, protecting assets in an increasingly digital world is at the top of many consumers' minds. While you’ve probably heard about the importance of enabling two-factor authentication (2FA) on your accounts (you might even be familiar with some common modes of 2FA like those SMS codes your bank texts you, or 2FA apps that you need to download), did you know that there is an even easier and safer authentication method that works through your mobile phone? Called mobile identity authentication, this technology allows your phone to act as an ultra-secure way to protect yourself against cyber-fraud without having to type in a password, download an app, or fumble with annoying text passcodes. Intrigued? We were too, which is why we caught up with Rodger Desai, cybersecurity expert & CEO of mobile identity authentication company Payfone, to learn more about how mobile identity authentication works and why so many enterprises, like the top US banks and healthcare organizations, are abandoning traditional authentication methods in favor of this more secure next-generation tech.
LTP: What exactly is mobile identity authentication and how does it work? How is it different from more traditional methods of authentication like knowledge-based answers and one-time passcodes?
RD: Mobile identity authentication leverages the encryption technology that mobile networks already use every time you make a call or send a text to provide an ultra-secure and reliable way to determine whether the person trying to log into your bank, healthcare or any other type of account is really you. When we first started Payfone, we were fascinated by the fact that mobile phones solved a problem that the web wasn’t able to. When you make a call or send a text, your phone doesn’t ask you who you are or what your password is first. And when you land in another country and turn your phone on, it just knows that it’s you – even if you’re in a country where your own mobile carrier doesn’t offer coverage. It’s all done through a cryptographic sequence sent between your phone’s SIM card and your mobile network – essentially the network sends a set of complex math problems that only your SIM can answer. Payfone extends this seamless yet super-secure mobile technology to the web. When you sign in to your accounts, our technology can see that it’s really you. Likewise, we can see if it’s someone pretending to be you, and lock that person out of your accounts. And we can do this on any digital channel – mobile, web, voice, text, etc.
The main difference between mobile identity authentication and traditional 2FA methods is that traditional methods require human intervention and are therefore vulnerable to social engineering – the manipulation of individuals into divulging confidential or personal information through phishing attacks and other methods of deception. With traditional 2FA methods, the human must do something – whether it’s entering a password, typing in a one-time passcode, or answering questions like your pet’s name – and that is the weakness that hackers exploit.
What’s different about Payfone is that we fortify the process by eliminating the human from the equation – and unlike other solutions, we don’t require a separate app or a physical token to do that. Through our partnerships with mobile network operators and our sophisticated algorithms, which cannot be deceived by SIM swap fraud and intercepted SMS passcodes, we can see whether it’s you or a fraudster without having to ask you to do anything.
The market is slowly but surely recognizing the need to move away from traditional methods like hijackable one-time passcodes and knowledge-based questions that don’t fully protect customers. And it’s exciting that they’re also recognizing our way as the future.
"As a fraud risk manager, I am continuously looking for tools and services that are highly effective at identifying and validating digital identities while still allowing customers the right and ability to manage their privacy. Payfone is one of the leading vendors in the Digital Identity verification space that has built into the DNA of their solution the requirement to manage the customer's privacy, and this is one of the several differentiators it has." – David Fapohunda, Director, Financial Crimes Unit, PricewaterhouseCoopers
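The SIM-to-network exchange described in the answer above ("the network sends a set of complex math problems that only your SIM can answer") is a keyed challenge-response. The following is an added, constructed simulation of it, not Payfone's code and not a real operator algorithm: the subscriber key Ki lives only in the SIM and the home network's authentication center, the serving network issues a fresh random challenge (RAND) and checks the signed response (SRES), and a roaming partner authenticates from pre-computed (RAND, SRES, Kc) vectors without ever seeing Ki. HMAC-SHA256 stands in for the SIM's real A3/A8 functions, and the IMSI and key lengths are assumptions for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

RAND_LEN = 16   # 128-bit challenge, as in GSM/UMTS
SRES_LEN = 4    # 32-bit signed response the SIM sends back
KC_LEN = 16     # cipher key derived in the same step; never sent over the air

Responder = Callable[[bytes], Tuple[bytes, bytes]]


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 (e.g. MILENAGE): derive (SRES, Kc) from Ki and RAND.
    HMAC-SHA256 is an assumption for this demo, not an operator algorithm."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class Sim:
    """Subscriber's SIM. Ki is written at provisioning and never read back out."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3a8(self._ki, rand)


class HomeNetwork:
    """Authentication center (AuC): holds every subscriber's Ki, mints challenge vectors."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str) -> Sim:
        ki = secrets.token_bytes(16)
        self._ki_by_imsi[imsi] = ki
        return Sim(imsi, ki)

    def auth_vectors(self, imsi: str, count: int) -> List[Tuple[bytes, bytes, bytes]]:
        """(RAND, expected SRES, Kc) triplets. A visited network abroad authenticates
        the roaming SIM from these without ever learning Ki."""
        ki = self._ki_by_imsi[imsi]
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(RAND_LEN)
            sres, kc = a3a8(ki, rand)
            out.append((rand, sres, kc))
        return out


class ServingNetwork:
    """Whichever network the phone attaches to. It holds only vectors, not Ki."""

    def __init__(self, vectors: List[Tuple[bytes, bytes, bytes]]) -> None:
        self._vectors = list(vectors)

    def authenticate(self, responder: Responder) -> Optional[bytes]:
        """Issue one never-reused challenge; return the session key Kc on success."""
        rand, expected_sres, kc = self._vectors.pop(0)
        sres, _ = responder(rand)
        return kc if hmac.compare_digest(sres, expected_sres) else None


def sniff(responder: Responder, log: List[Tuple[bytes, bytes]]) -> Responder:
    """Wrap a SIM so an eavesdropper's view (RAND in, SRES out) is recorded."""
    def wrapped(rand: bytes) -> Tuple[bytes, bytes]:
        sres, kc = responder(rand)
        log.append((rand, sres))
        return sres, kc
    return wrapped


def replayer(seen_rand: bytes, seen_sres: bytes) -> Responder:
    """Attacker who captured one exchange and replays that answer to the next challenge."""
    def respond(rand: bytes) -> Tuple[bytes, bytes]:
        return (seen_sres if rand == seen_rand else b"\x00" * SRES_LEN), b""
    return respond


def run_scenarios() -> Dict[str, bool]:
    """Genuine roaming SIM, a replayed response, and an impostor with the IMSI but not Ki."""
    home = HomeNetwork()
    sim = home.provision("310150123456789")                       # constructed IMSI
    visited = ServingNetwork(home.auth_vectors(sim.imsi, count=3))  # roaming partner

    over_the_air: List[Tuple[bytes, bytes]] = []
    kc_genuine = visited.authenticate(sniff(sim.respond, over_the_air))
    keys_agree = kc_genuine is not None and sim.respond(over_the_air[0][0])[1] == kc_genuine

    kc_replay = visited.authenticate(replayer(*over_the_air[0]))  # fresh RAND, stale answer
    impostor = Sim(sim.imsi, secrets.token_bytes(16))             # right IMSI, wrong Ki
    kc_impostor = visited.authenticate(impostor.respond)

    return {
        "genuine_sim_accepted": kc_genuine is not None,
        "session_key_agreed": keys_agree,
        "replay_accepted": kc_replay is not None,
        "impostor_accepted": kc_impostor is not None,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Two properties carry the weight here: the challenge is never reused, so a recorded answer is useless, and the serving network holds only (RAND, SRES, Kc) vectors, so the long-term key is not exposed even to a foreign carrier. Note what the exchange does and does not prove: it proves possession of a SIM holding Ki, not that the person holding it is the account owner. A SIM swap or port-out provisions the victim's number onto a different SIM with its own Ki, and that SIM authenticates just as cleanly, which is why the number's recent history matters as much as the cryptography.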
LTP: The last time we spoke in June, Payfone had just announced their patented SIM swap fraud prevention solution. What other kinds of attacks should consumers be on the lookout for?
RD: Last year in the US, roughly 30 million phone numbers were disconnected (and therefore subject to being reassigned to other people), 80 million consumers switched phone companies, and 130 million consumers activated new phones. That is a lot of activity – and a dream for fraudsters who try to sneak in amidst that activity. Putting this into even more perspective, fraudsters stole a whopping $16 billion last year from consumers and companies using attacks like SIM swap fraud, porting fraud and other forms of account takeover.
Again, the common thread with all of these attacks is that they are nearly impossible to protect against using traditional authentication methods because once an attacker has control of your phone number, many of the traditional safeguards companies use (like one-time passcodes) are rendered futile. Plus, when a hacker assumes control of your phone number, your own phone goes dead. So you may not even be able to call your bank right away to shut down your accounts. It’s like keeping all of your money in a safe that burglars already have the combination to. It just doesn’t make sense.
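The failure mode in this answer is that an SMS passcode proves nothing once the number has been moved to the attacker's SIM, ported to another carrier, or reassigned after disconnection. What a relying party with carrier visibility can do about it is check the number's recent history before trusting a passcode sent to it. The following is an added, constructed illustration of that class of check; it is not Payfone's algorithm or code. The record fields, the quiet-period thresholds, the phone number and the carrier histories are all assumptions made up for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy thresholds (assumptions): a number must be "quiet" this long after a SIM
# change or a port before a passcode texted to it is trusted again.
SIM_CHANGE_QUIET = timedelta(days=7)
PORT_QUIET = timedelta(days=14)


@dataclass
class NumberRecord:
    """What a carrier can say about a line (field names are assumptions)."""
    msisdn: str
    carrier: str
    active: bool = True                         # False once the line is disconnected
    activated_at: Optional[datetime] = None     # when the current subscriber got this number
    sim_changed_at: Optional[datetime] = None   # last SIM (ICCID) change on the line
    ported_at: Optional[datetime] = None        # last port-in from another carrier


@dataclass
class Enrollment:
    """What the relying party stored when the customer registered the number."""
    msisdn: str
    enrolled_at: datetime
    carrier: str


@dataclass
class Decision:
    allow_sms_otp: bool
    reasons: List[str] = field(default_factory=list)


def assess_sms_otp(rec: Optional[NumberRecord], enr: Enrollment, now: datetime) -> Decision:
    """Decide whether a passcode texted to this number proves anything right now."""
    reasons: List[str] = []
    if rec is None or not rec.active:
        return Decision(False, ["line disconnected or unknown to carrier"])
    if rec.activated_at is not None and rec.activated_at > enr.enrolled_at:
        # Disconnected and handed to a new subscriber after our customer enrolled it.
        reasons.append("number reassigned since enrollment")
    if rec.sim_changed_at is not None and now - rec.sim_changed_at < SIM_CHANGE_QUIET:
        reasons.append("SIM changed within quiet period")
    if rec.ported_at is not None and now - rec.ported_at < PORT_QUIET:
        reasons.append("number ported within quiet period")
    return Decision(not reasons, reasons)


# Constructed clock and sample data (not real customers or carrier records).
NOW = datetime(2017, 10, 27, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


ENROLLMENT = Enrollment("+12125550100", enrolled_at=days_ago(400), carrier="CarrierA")

SCENARIOS: Dict[str, Optional[NumberRecord]] = {
    "quiet":        NumberRecord("+12125550100", "CarrierA", activated_at=days_ago(900), sim_changed_at=days_ago(300)),
    "old_port":     NumberRecord("+12125550100", "CarrierB", activated_at=days_ago(900), ported_at=days_ago(60)),
    "sim_swap":     NumberRecord("+12125550100", "CarrierA", activated_at=days_ago(900), sim_changed_at=days_ago(1)),
    "port_out":     NumberRecord("+12125550100", "CarrierB", activated_at=days_ago(900), ported_at=days_ago(3)),
    "reassigned":   NumberRecord("+12125550100", "CarrierA", activated_at=days_ago(20)),
    "disconnected": NumberRecord("+12125550100", "CarrierA", active=False),
    "unknown":      None,
}


def run_scenarios() -> Dict[str, Decision]:
    """Evaluate every constructed history against the same enrollment."""
    return {name: assess_sms_otp(rec, ENROLLMENT, NOW) for name, rec in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        verdict = "send OTP" if decision.allow_sms_otp else "step up"
        print(f"{name:13s} {verdict:9s} {', '.join(decision.reasons)}")
```

The decision is made before the passcode is sent, not after the attacker has already typed it in, and a denial routes the login to a different factor rather than to a second text. The check is only as good as the carrier data behind it: the events must be fresh and the lookup itself must be authenticated, because, as the answer above notes, the attacker who controls the number also controls the phone the customer would otherwise use to call for help.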
LTP: Now that we know a little more about the different kinds of threat vectors that have been circulating, what is being done to combat these attacks?
RD: As more companies realize how easy it is for hackers to social engineer their way past traditional authentication methods, they are turning to mobile identity authentication, which is impervious to social engineering attacks. We in the mobile identity authentication industry have also been doing our part to raise awareness for the efficacy of this new and better way of doing things.
Last month, US mobile network operators announced the formation of their Mobile Authentication Taskforce to create a more secure standard of authentication that builds upon their existing technologies. The creation of this task force is a key step towards adopting a new authentication standard that will benefit our country’s consumers, and it is also strong evidence that our mobile network partners are committed to supporting us and our mission for the long haul.
"At a time when online and digital services are commonplace, security and authentication are issues that affect us all," said Alex Sinclair, Chief Technology Officer, GSMA, in a release announcing the Mobile Authentication Taskforce. "Through strong collaboration, the task force announced today has the potential to create impactful benefits for US customers by helping to decrease fraud and identity theft, and increase trust in online transactions. Further, we will be working closely with the task force to ensure this solution is aligned and interoperable with solutions deployed by operators."
Payfone has also been doing our part to raise awareness about how mobile identity authentication can save companies and consumers from falling victim to hackers. We frequently issue press releases, serve as conference panelists and speak with the security community and reporters. Recent examples include this CNBC article and this Yahoo! Finance piece, where we shared our insights into new types of phone fraud. There are many more articles on our website.
LTP: You mentioned that companies have been taking notice of and adopting mobile identity authentication, but how can individual consumers take advantage of Payfone’s services?
RD: While individual consumers cannot use Payfone directly, they do reap the benefits of our anti-fraud products through the banks, insurance companies and healthcare providers who use Payfone. It should be noted that each potential client must be approved by each mobile operator, and auditable end-user consent must be collected and stored for each consumer. It’s a rigorous process that assures that all of our processes are in accordance with regulations and our mission to protect consumers.
Of course, if you really want to be protected by Payfone, one thing you can do is call your bank, your health insurance company and other service providers and demand that they use Payfone! All joking aside though, one way that you can help to safeguard yourself is to check with your mobile operator to make sure that your information on file is accurate. This is a bit of an oversimplification, but what Payfone’s algorithms essentially do is to match your real information on file with the information of the person who is claiming to be you to log into your accounts. If our analytics say it’s not a match, the person claiming to be you cannot get in and needs to go through more scrutiny. So the more accurate you keep your information, the better and easier it is for us to protect you.
LTP: When you say that you match information, does that mean that you store my personal information? What does that mean in terms of data privacy?
RD: That’s a great question and one that seems to be on a lot of people’s minds, so I’m grateful to be able to answer it here. Payfone only uses personal information to match and create scores that are passed along to empower enterprise clients to make their own risk decisions. Payfone does not sell personally identifiable information. Clients must also disclose and notify, and in certain use cases, obtain explicit opt-in consent from end-users before they can make use of our cybersecurity products. Clients who have worked with us know how committed we are to data privacy.
LTP: Can you share an example of a client who uses you and what their experience has been?
RD: While we can’t give the names of our clients for security reasons, one prime example of how our technology protects both our customers and their users is a leading cryptocurrency exchange that became our client recently. Since going live with us, they have reported zero successful attacks due to SIM swap or porting fraud. We can actually see the attempted attacks happening and can actively thwart them. This client is committed to safeguarding their users with the latest anti-fraud technology and has been elated with our ability to deliver that for them.
LTP: What’s on the horizon for Payfone, and where do you see the company going from here?
RD: We’re going to be authenticating 50,000,000 transactions per day for 6 of the top 10 banks in the United States by year-end, so we are looking forward to reaching that momentous milestone. We’re also branching out further outside of the financial sphere with even more clients in the healthcare, high-tech and retail sectors going live in 2018. Geographically, we have begun moving into Europe and Asia and will be continuing our global expansion into 35 new markets. We’re excited to be sharing our services with even more companies and safeguarding more users worldwide.
As devices allow individuals to be more mobile, habits change; unfortunately, so does the cyberthreat. Mobile devices play an immense role in daily routines, becoming a gateway into the most private data across personal accounts. Slowly but surely, cross-industry stakeholders are recognizing the need to move away from traditional authentication methods in favor of a more advanced authentication standard that can fully protect customers.
The next generation of security solutions will serve as a connective tissue between telcos, financial institutions, insurance companies and other critical stakeholders to ensure the utmost accuracy of information in order to facilitate the highest protection standards to the end-user.
Payfone investors include American Express, IDology, RRE Ventures, Rogers Venture Partners (RVP), Opus Capital, BlueCross BlueShield Venture Partners, Early Warning, Relay Ventures, and Verizon.
Payfone and the LTP Team have been trusted knowledge partners since 2008, building on the pioneering work between their CEOs, Rodger Desai and Aditya Khurjekar.