July 16, 2019
Balancing security with a frictionless online experience is now a key business imperative, particularly in a landscape of increased online transactions and evolving regulatory requirements. Consumers demand an experience that works seamlessly irrespective of the devices they use, their locations, and the channels they choose.
Businesses need a solution that is secure and persists across device resets and software updates, and works for both browser transactions and mobile app-based transactions.
The ThreatMetrix Approach to Device Binding
Device binding lets users transact on trusted devices without repeated authentication. The transacting device is registered once and bound to a user credential; on subsequent interactions the returning device is verified against that binding. ThreatMetrix Device Binding incorporates:
- Strong Device ID: Securely links an authorized user to their device by leveraging secure keys for mobile and non-mobile devices.
- Carrier ID: Ties a mobile device to the subscriber's SIM and links that identifier with the user's device and user context.
Strong Device ID
Regulations such as the Revised Payment Services Directive (PSD2) mandate Strong Customer Authentication (SCA), applied according to the risk associated with a transaction. Businesses must make sure that this increased level of security does not harm the consumer experience by introducing unnecessary friction.
The ThreatMetrix approach combines risk-based authentication with Strong Customer Authentication to optimize the customer experience. ThreatMetrix reliably and consistently verifies the transacting device: it first registers the device and binds it to a user credential, then validates the returning device on subsequent interactions. Once this assurance is established, trusted devices can be positively identified and friction removed. The identifier is backed by public-key cryptography: the device holds a private key and registration binds the matching public key to the user credential, so a returning device proves possession of the key rather than presenting an identifier that could simply be copied.
For mobile devices this is provided by 'Strong ID for Mobile'. The keys used as the basis for device identification are stored in the secure element of supported mobile devices, which keeps them secret and tamper-resistant and prevents an attacker from impersonating a trusted device. A large population of consumers still transacts from non-mobile devices, so businesses also need a comparable level of assurance for web transactions. This is provided by 'Strong ID for Web', which uses the WebCrypto API. A WebCrypto key can be generated as non-extractable, so page script cannot export it, but browsers generally do not back such keys with hardware and the key is lost when the user clears site data.
Carrier ID
ThreatMetrix Carrier ID is a unique, persistent identifier for a mobile subscriber, tied to the SIM card. It is derived from three pieces of information: the mobile number, the carrier the number belongs to, and the subscriber's account with that carrier. ThreatMetrix obtains the Carrier ID from this information by working with Mobile Network Operator (MNO) data aggregators.
The service is enabled via the ThreatMetrix Integration Hub. During a trusted transaction, the user's device is registered together with user context (such as account name or account email) and the Carrier ID obtained from the MNO aggregator. If a later transaction shows increased risk, additional assurance can be obtained by invoking the Carrier ID service via an API: ThreatMetrix compares the Carrier ID of the transacting device with the registered one, and a match provides assurance that the device and user are the trusted ones.
Carrier ID detects anomalous activity such as device cloning, SIM swapping and device wiping:
- Device cloning: a cloned device contains a different SIM from the original and therefore returns a different Carrier ID, exposing fraudsters who attempt account takeover by impersonating a device.
- SIM swapping: if a SIM associated with a different mobile number is inserted into the device, ThreatMetrix returns a different Carrier ID from the original SIM, identifying fraudsters who deliberately switch between multiple SIM cards on the same device.
- Device wiping: the same Carrier ID is returned even if the device is wiped or restored to factory settings or an earlier backup, identifying fraudsters who attempt to bypass device identification by resetting the device.
The ThreatMetrix Advantage
- Promoting a frictionless online authentication experience: Strong Device ID and Carrier ID identify returning users, giving ThreatMetrix customers the assurance to avoid unnecessary step-ups and keep the experience frictionless for genuine users.
- An unparalleled Network: The ThreatMetrix Digital Identity Network protects 1.4 billion unique online accounts using intelligence harnessed from 2 billion monthly transactions.
- Privacy by design: ThreatMetrix is unique in its ability to solve the challenge of providing dynamic risk assessment of identities while maintaining data privacy through the use of tokenization and encryption.
- Advanced behavioral analytics and a clear-box approach to machine learning: ThreatMetrix Smart Analytics analyzes dynamic user behavior to build more accurate, yet simpler, risk models. The result is a competitive edge in customer experience with reduced false positives, while maintaining the lowest possible fraud levels.