SIM Binding

Overview

SIM binding is a new feature available on the BlockID app that enables customers to link their account only to a phone number registered with an institution. This feature is particularly valuable to customers using the BlockID app to generate OTP codes when performing sensitive transactions. During registration on the BlockID app, customers will be challenged to verify their phone number. A combination of SIM detection and SMS verification is used by the BlockID platform to allow validation of the number against registered phone numbers. This gated entry mechanism prevents bad actors from being able to register an unauthorized device or phone number.

This feature was developed in accordance with the Reserve Bank of India (RBI) mandate to protect retail banking customers from OTP-related fraud. The device binding feature is set to roll out with one of India's most popular financial institutions in early 2022 as a means to deter online banking-related fraud.

Background

The RBI, equivalent to the Federal Reserve in the United States, released an advisory on October 13, 2021, to expedite the implementation of SIM binding as a means to avoid fraud in internet retail banking applications. The controls were prescribed in light of an incident involving a fraudster carrying out transactions after obtaining credentials and registering an MFA app linked to a bank on an unregistered phone number.

The Incident

A gullible customer was tricked into sharing their Internet banking application credentials including the registered mobile number and the OTP. This enabled the fraudster to change the internet banking password and also register the authenticator application used for generating OTP codes. With access to the first factor (username and password) and the authenticator app OTP (second factor), the fraudster was able to conduct all banking transactions on behalf of the user.

Why is it important?

SIM binding is a new feature available on the BlockID app that allows customers to link their account only to a phone number registered with an enterprise.

Authenticator apps like BlockID provide TOTP codes that are used as a second factor during authentication or performing secure transactions. Only an authorized user must be allowed to have access to the app. It helps:

  1. Protect customers against fraud
  2. Prevent lawsuits for enterprises
  3. Prevent the registration of multiple devices for a single user
  4. Protect against financial/reputational loss

Demo

Watch the demo here

How it works

  1. Customers receive an email with a magic link (or a QR code) generated by the administrator using APIs or the Admin portal.
  2. Customers click on the magic link (or scan the QR code) which opens the BlockID app.
  3. The app initiates a process to detect the presence of a single or dual SIM.
  4. Customers are prompted to choose the SIM that is registered with the enterprise.
  5. Upon choosing, permission to open the SMS composer app is requested.
  6. A prefilled text message containing a code is sent from the user's device to a designated phone number (the verification service). The code is a Sessions service URL encoded as a base64 string. The app then keeps polling that session for a response.
  7. Once received, the response carries the phone number from which the SMS was sent.
  8. This phone number is passed on through a webhook to the enterprise for validation against the registered phone number.
  9. If validated, the account is linked. An entry is created on BlockID linking the user with the device.
  10. Customers will be able to see a new persona on their app. They can scan a QR code to log in or use TOTPs for transactions. Note: BlockID will no longer retain the phone number of the user.

Event Logs

The following events will be logged:

  1. Mobile app
    • Device binding invite
    • New device onboarded
  2. Admin Console
    • Phone number verified

Error Scenarios

  1. SMS could not be sent due to low balance or carrier issues
  2. SIM not detected
  3. Incorrect phone number
  4. This account is already registered with a device
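The following simulation walks through the "How it works" steps and the error scenarios above end to end. It is an added example, not BlockID code: the Sessions service URL format, the verification service number, the user records and the phone numbers are all constructed, and the enterprise webhook is modelled as a simple lookup. It shows the security-relevant checks in order: the SMS body carries a session URL encoded as base64, the verification service trusts the carrier-supplied sender number rather than anything the app claims, the enterprise compares that number with its registered record, one device per account is enforced, and the phone number is discarded once the binding is created.

```python
"""Added example: simulation of the SIM-binding flow described on this page.
Not BlockID code; endpoint, gateway number and phone numbers are constructed."""
import base64
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


class BindingError(Exception):
    """Raised with the texts from the page's 'Error Scenarios' list."""


@dataclass
class Session:
    session_id: str
    user_id: str
    code: str
    sender_number: Optional[str] = None  # filled in when the SMS arrives
    status: str = "pending"


class BindingService:
    SESSIONS_BASE = "https://sessions.example.invalid/"  # assumed, not a real endpoint

    def __init__(self, registered_numbers: dict):
        self.registered = dict(registered_numbers)  # enterprise: user_id -> registered number
        self.sessions: dict = {}
        self.bindings: dict = {}                    # user_id -> device_id (one device per user)
        self.events: list = []

    # Step 1: administrator generates the invite carried by the magic link / QR code.
    def create_invite(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(8)
        self.sessions[sid] = Session(sid, user_id, secrets.token_hex(4))
        self.events.append(("Mobile app", "Device binding invite", user_id))
        return sid

    # Steps 3-6: app detects SIMs, user picks one, app sends a prefilled SMS from it.
    # Returns the SMS as the verification service sees it: (carrier sender number, body).
    def send_verification_sms(self, sid: str, detected_sims: list, chosen: int) -> tuple:
        if not detected_sims:
            raise BindingError("SIM not detected")
        s = self.sessions[sid]
        url = f"{self.SESSIONS_BASE}{sid}?code={s.code}"
        return detected_sims[chosen], base64.b64encode(url.encode()).decode()

    # Step 7: verification service decodes the body and records the sender number.
    def receive_sms(self, sender_number: str, body: str) -> None:
        url = urlparse(base64.b64decode(body).decode())
        sid = url.path.rsplit("/", 1)[-1]
        code = parse_qs(url.query).get("code", [None])[0]
        s = self.sessions.get(sid)
        if s is None or not secrets.compare_digest(s.code, code or ""):
            raise BindingError("Unknown session or code")
        s.sender_number, s.status = sender_number, "received"

    # Step 8: webhook to the enterprise, which checks its own records.
    def enterprise_webhook(self, user_id: str, phone_number: str) -> bool:
        return self.registered.get(user_id) == phone_number

    # Steps 9-10: the polling app completes the binding once the session has a response.
    def complete_binding(self, sid: str, device_id: str) -> str:
        s = self.sessions[sid]
        if s.status != "received":
            raise BindingError("No verification SMS received for this session")
        if not self.enterprise_webhook(s.user_id, s.sender_number):
            raise BindingError("Incorrect phone number")
        if s.user_id in self.bindings:
            raise BindingError("This account is already registered with a device")
        self.events.append(("Admin Console", "Phone number verified", s.user_id))
        self.bindings[s.user_id] = device_id
        self.events.append(("Mobile app", "New device onboarded", s.user_id))
        s.sender_number, s.status = None, "linked"  # phone number is not retained
        return device_id

    # FAQ: unlink the existing device so a fresh binding request can be sent.
    def unlink(self, user_id: str) -> None:
        self.bindings.pop(user_id, None)


def run_demo() -> dict:
    """Binds a constructed user, exercises the error cases, then unlinks and re-binds."""
    svc = BindingService({"alice": "+919876543210"})  # constructed registered number
    out = {}
    sid = svc.create_invite("alice")
    svc.receive_sms(*svc.send_verification_sms(sid, ["+919876543210", "+911112223334"], 0))
    out["bound"] = svc.complete_binding(sid, "device-A")
    for key, sims, idx in (("wrong_number", ["+911112223334"], 0),
                           ("duplicate", ["+919876543210"], 0),
                           ("no_sim", [], 0)):
        try:
            s2 = svc.create_invite("alice")
            svc.receive_sms(*svc.send_verification_sms(s2, sims, idx))
            svc.complete_binding(s2, "device-B")
        except BindingError as e:
            out[key] = str(e)
    svc.unlink("alice")                              # registered number changed: re-bind
    out["rebound"] = svc.complete_binding(s2, "device-B") if False else None
    sid3 = svc.create_invite("alice")
    svc.receive_sms(*svc.send_verification_sms(sid3, ["+919876543210"], 0))
    out["rebound"] = svc.complete_binding(sid3, "device-B")
    out["retained_numbers"] = [x.sender_number for x in svc.sessions.values() if x.status == "linked"]
    out["events"] = list(svc.events)
    return out
```

The order of checks in `complete_binding` is the one that matters for a defender: the number reported by the carrier is compared with the enterprise record before the device is ever written, and a second device for an already-bound account is refused rather than silently replacing the first, which is exactly the path the fraud described under "The Incident" relied on. Unlinking is an explicit administrator action, mirroring the FAQ below.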

FAQs

What happens when a user changes their registered phone number?

The RBI mandate clearly states that the enterprise must take responsibility to communicate changes to the registered phone number to the customer using multiple channels - phone call, SMS, and e-mail. This omnichannel communication keeps customers informed about changes to their phone number and prevents fraud.

BlockID can help administrators manage changes to the registered phone number. Here's how:

  • Unlink an existing account
    Use the admin portal or APIs to unlink a registered device. The existing device can then no longer be used.
  • Trigger a new SIM binding request
    Send a request to the user again to bind the registered number with the new device.

Do we protect against SIM Swapping?

In scenarios where a SIM is physically removed from a device, the BlockID app registered on that device will continue to act as an MFA app. Continuous verification of the phone number, which would prevent this, is on our roadmap.

This solution does not prevent SIM Swapping/SIM hijack and needs additional controls in place.