top of page
  • Writer's pictureORNA

Can SIM-Based Possession Factor Security Authentication Help Eliminate Phishing?

If the secrets of your smartphone ever fell into the hands of a threat actor, that’s a big, resounding “game over.” Think about it. We use smartphones as though they were appendages.

It's almost like walking around with our wallets in our hands. And some people do make a habit of carrying their social security cards with them, too. All of these are potential recipes for disaster if any worst-case scenario were ever to unfold.

If you change phone numbers, but forget to cancel or change the phone number you use to log in to apps and for authentication, anyone who ends up obtaining that phone number after you will be able to authenticate as you.

That happened to me once. I obtained a phone number and downloaded the Facebook app, and immediately logged in as someone else by accident. That’s happened a lot with messenger apps as well.

Authentication under attack

What if that was your banking app or something equally sensitive? As a former black hat and threat actor, when it came to investigating possible threat vectors for exploring attack options, compromising a smartphone or smart device would be the equivalent of accessing the innermost sanctum of an internet user.

While physical security is paramount, other user security forms are just as critical. That being said, I am surprised how many people I know personally do not know or make use of 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

I mention this because recently I was contacted by a novice scammer who was social engineering Facebook disguised as a damsel in distress, trying to recover her Facebook account and luring good Samaritans into offering their phone numbers and 2FA code so the scammer could assume control over those accounts.

Victims would think the person was going to temporarily use their number to recover the account. However, that wouldn’t be the case at all.

Authentication has been under attack for as long as people have wanted illicit access. The problem with passwords is that by nature they create a vulnerability, either with the system they were designed to protect or the person who knows it.

As long as credentials have to be sent for authentication, they can be intercepted. Because these authentication factors are often dependent upon knowledge factors like password resets and OTP codes, they remain vulnerable at some level and wouldn’t necessarily take a skilled hacker the ability to compromise them.

Either way, its very existence offers attackers a variety of options for retrieving it either through social engineering, attacking the server, or through a range of other attacks like phishing. Since most users practice the convenience of using one master password to rule their entire digital lives, the chain effect of account hijacking is potentially exhaustive.

Can possession-factor authentication eliminate phishing attacks?

Possession-factor security should be the security context of all authentication schemes, in conjunction with verification security forms like biometric authentication. This means that knowledge-based credentials must phase out as an obsolete authentication form entirely.

A new possession-factor API hopes to offer a solution. By leveraging the cryptographic microchip within a SIM card, combined with a mobile phone number, assigned to the SIM card identity, these two components aim to reduce phishing attacks, which are largely caused by the exploitability of human nature through social engineering campaigns.

Routinely, mobile networks audit a user’s SIM card to verify the phone number with their SIM card. By design, this allows the network to certify the user, as well as send SMS messages, make phone calls, and use mobile data all of which are made possible through real-time authentication that does not require a user to provide a login.

Let’s put this into perspective. Imagine an app that contains the authentication infrastructure of a mobile network. The reality of such an infrastructure is no longer confined to musings, because tru.ID now makes strong proof of possession authentication a reality.

One of the important functions of possession-factor security is that authentication doesn’t necessitate any user input. Additionally, the act of authentication is invisible, which means that there are no SMS codes accessible to threat actors.

The tru.ID SDK verifies the status of the SIM card beneath the scenes in real-time. It audits the phone number assigned to the SIM card to make sure that it isn’t assigned to another SIM, and determines if there have been any SIM changes, which helps to leverage against SIM swap fraud.

Phishing-based attacks are prevalent due to the easy exploitability of human nature. Therefore, by eliminating the susceptibility of human nature from handling knowledge-based credential verification forms, that proverbial door that is always shut but never truly locked remains locked indeed. Threat actors will need to probe for new techniques if they hope to circumvent this strong security standard.

An article by

Jesse McGraw

Edited by

Anne Caminer




Rome wasn't built in a day, but your SOC might be.


Weekly cyber insights

Thanks for submitting!

bottom of page