How does SIM-based device binding prevent phishing and fraud?

When cybercriminals ‘phish’, they send fraudulent emails that aim to trick a recipient into clicking on a malicious link, in order to steal someone’s personal data.
‘Smishing’ (SMS phishing) is much the same, but uses text messages instead of email – taking advantage of how often we receive legitimate links and OTP (one-time password) codes via SMS.
Any business that is prone to cyber-attacks on either its customers or employees – especially those that deal in payments, such as banks, FinTechs, and e-Commerce – can now implement strong user authentication with device binding.
Using the cryptographic security built into a SIM card, IDlayr makes it possible to quickly and silently check that the mobile device being used has the SIM card in, with the mobile number associated for that user, and confirm that they match without user input.
Using SIM authentication for mobile device binding is highly secure, very easy for the user, and does not use vulnerable PIN codes sent by email or SMS.
PIN codes sent by SMS can cause problems
Historically, PIN codes sent by SMS (also known as OTPs, or one-time passwords) have been used to verify a mobile number.
But this approach is now recognised as insecure, because PIN codes are vulnerable to several different types of fraud attacks:
- MITM (‘man-in-the-middle’) attacks: Social engineering methods are used by criminals to trick users into forwarding a code to the attacker, or entering it into a fraudulent web form.
- SIM swap fraud: Bad actors can fraudulently convince a mobile network to assign the victim’s mobile number to a new SIM card, letting them steal incoming codes directly.
As well as being insecure, PIN codes delivered by SMS cause customer support challenges:
- SMS delivery problems: Often SMS messages arrive late, or not at all, prompting customers to request a resend. This can then create confusion when messages arrive out of sequence.
- User difficulties: Having to retrieve and retype PIN codes can lead to errors and confusion, and often provides a frustrating user experience, with the customer forced to close the app and look through a different inbox.
For these reasons, many regulators now recommend investigating and implementing alternatives to SMS OTP.

Global regulators now expect better security to catch phishing attempts
Global regulators expect improved fintech security
Regulations such as the UK’s Strong Customer Authentication (SCA) and the EU’s PSD2, mandated that when authorising and processing payment transactions, apps must use at least one additional authentication method to validate the user’s action.
Device binding, which links a user’s account to a specific device, is a key part of Strong Customer Authentication (SCA) via Multi-Factor Authentication (MFA) under PSD2 regulations.
The guidelines also recommend stronger alternatives to SMS OTPs, which have been shown to be vulnerable to account fraud, and that the multi-factor authentication (MFA) method must be ‘generally dynamic or non-replicable’, such as ‘device binding and SIM’.
SIM-based authentication – secure, compliant, and easier for customers
SIM-based authentication uses the existing cryptographic security built into a SIM card to authenticate the mobile number of the device being used, and link that to the customer’s account.
As this approach does not use SMS PIN codes, it’s not vulnerable to man-in-the-middle attacks, social engineering or SIM swap fraud. It also makes life easier for the customer, as it’s a seamless and invisible experience.
The authentication works by using a secure, encrypted connection from the mobile device to the mobile network operator, which then verifies the associated mobile number.
Once verified, the mobile phone number can be compared with the device previously registered against that user’s bank account. If there is a match, the transaction can proceed.
The whole process is simple for the customer but highly secure, requiring no work from the customer (other than typing their mobile number), which allows no room for malicious actors.
Built on the same simple and secure technology that’s used in bank cards
Inside every SIM card is the same cryptographically secure, tamper-resistant authentication technology that exists inside every bank card.
When used in a mobile phone, it has a unique identifier – the International Mobile Subscriber Identifier, or IMSI.
The pairing of this IMSI with a mobile phone number creates a unique combination that, using the SIM card’s strong cryptographic security, ensures an active binding of the transacting mobile device with the customer and their bank account.
This SIM-based approach to device binding leverages the advanced security technology built into every SIM card, and avoids the pitfalls of alternative approaches:
- PIN code free: With no passcodes to be intercepted, man-in-the-middle attacks are impossible.
- Tamper-resistant: Cryptographic keys are stored in a solid-state storage within the SIM card.
- Hardware-based: SIM security is impervious to attacks against physical mobile handset, OS, and apps – there’s no risk of compromise via rooting, hacking, or malware.
- Effectively unclonable: Modern SIM cards incorporate advanced cryptographic algorithms which restrict access to stored secret data and prevent cloning of the card.
How to get started
IDlayr is reinventing online identity for the mobile era, helping banks and large enterprises to cut fraud, reduce operating costs and improve the user experience. IDlayr lets you use your mobile number, instead of email, to prove your identity online; because a mobile identity is more secure, easier to use, and always with you.
Book a demo today to see how IDlayr can help your business.