The GSMA has announced that all four UK mobile network operators are offering a product designed to reduce fraud by verifying if phone numbers submitted via online registration forms belong to the phones being used at the time. Called ‘Number Verify’, the intention is to reduce reliance on one time passwords by offering an API that can be accessed by businesses like banks and social networks.
Number Verify is compliant with the PSD2 Strong Customer Authentication rules which have been adopted across the European Union as well as the UK. These rules have recently prompted laggard banks to start implementing enhanced controls to verify a customer’s identity, and have resulted in a marked increase in the use of SMS for multi-factor authentication. The increased reliance on SMS has occurred despite the known weaknesses of relying on messages which are vulnerable to interception and SIM swapping.
The GSMA’s press release is somewhat misleading in that it states Number Verify is a ‘new’ product. O2 started offering Number Verify to enterprise customers in 2019 and Vodafone promoted the same product earlier this year. It is likely that the GSMA’s announcement reflects the recent implementation of Number Verify by those UK mobile networks which are still not advertising it yet.
The recent RAFM survey from the Risk & Assurance Group found that subscription and identity fraud was the most common category of fraud experienced by communications providers. Binding apps to mobile phone numbers will make it harder for criminals to impersonate others by simply obtaining their personal data.
Number Verify will reduce fraud but it will likely be promoted as a way to reduce the time and effort that customers spend on registering for a new service. This is highlighted by the following marketing video produced by O2.