Hong Kong mobile security will be ending this year on a great note: its banks will adopt device-based authentication in place of SMS OTPs by the end of the year!
In addition to anti-fraud measures, or more specifically anti-malware measures introduced by retail banks earlier this year, the Hong Kong Monetary Authority (HKMA), the Hong Kong Association of Banks, and the Police have now implemented additional enhanced measures, having observed new fraud strategies.
These added measures are designed to reduce the risk of SMS OTPs being phished or intercepted, and that’s a great decision. Remember: the National Institute of Standards and Technology of the US Department of Commerce said SMS for 2FA was a deprecated solution all the way back in 2017.
But how did we get here? And what does it mean for your business? Let’s look back at this year.
Hong Kong Monetary Authority Bans SMS OTPs: How We Got Here
In February 2024, having received intelligence from law enforcement agencies, the HKMA introduced an anti-malware measure. This measure consisted of restricting customers’ access to their mBanking apps if other suspicious apps were detected on their devices.
The great news is this measure showed fruitful results: since its implementation, no new cases have been reported.
Upon observing new fraud strategies where cybercriminals tricked customers into installing malicious apps on their phones and uploading their credit card details and SMS OTPs, or even intercepted the SMS OTPs, the HKMA introduced additional mobile security measures.
SMS OTPs have long been a topic of discussion in the cybersecurity community due to their vulnerabilities. In short, SMS OTPs can be phished, and mind you, 94% of organizations were victims of phishing attacks at some point. Moreover, they are susceptible to SIM swapping attacks, and they are exposed to the SS7 design flaw that allows fraudsters to intercept or reroute SMS messages containing the one-time password.
Together with the Hong Kong Association of Banks and the Police, the HKMA has come up with additional measures to prevent cybercriminals from phishing and using phished credentials for unauthorized transactions. mBanking users will now have to authenticate mobile transactions with device-based authentication as the new default method.
However, the banks should make sure that the device-based option they choose is compatible with different authentication protocols commonly used in online payments, e.g. 3D Secure, to enable seamless integration.
The banks should roll out these enhanced measures by 31 December 2024, although a few institutions have already adopted them. What about you?
What does this mean for you?
Adopting Device-Based Authentication and What It Means For Your Business
While it may seem like a hassle, implementing device-based authentication instead of SMS OTPs is actually an amazing opportunity for your business to improve both the security and the user experience of your app. This then positively reflects on your bottom line.
What Is Device-Based Authentication?
Device-based authentication is a security method that uses a specific device, such as your smartphone, as a key to verify your identity. Usually, it’s used for apps such as mBanking or other fintech apps to make sure only authorized devices can access an account.
To enable device-based authentication, the smartphone is typically linked to the user’s identity.
This is done through device binding, in which the device is registered through a secure login or identity verification step, similar to how IPification Phone Verification works when assigning the MobileID key. In the binding process, the device is identified using unique data such as hardware ID, SIM card data, phone number data, etc.
Upon subsequent logins or transactions, the authentication system checks whether the requesting device matches the registered one. This process can be accompanied by additional authentication factors such as biometrics to further increase security without hindering the user experience.
Device-based authentication is a great alternative to SMS OTPs because it removes vulnerabilities like phishing, SMS interception, or SIM swapping. Moreover, in comparison with SMS OTPs, device-based authentication brings a streamlined user experience, resulting in increased user acquisition, retention, and engagement rates.
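The binding and matching steps described above, sketched as an added example (not IPification's or any bank's code): the server stores keyed digests of the device attributes at binding time and compares them on later requests. The attribute names, the sample values, and the policy of holding a request for re-confirmation when only the SIM data changes are assumptions made for this illustration.

```python
import hashlib
import hmac
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # hold the request until the user re-confirms
    DENY = "deny"

class DeviceBindingStore:
    """Server-side record of which device is bound to which account."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._bindings = {}  # account_id -> {attribute name: keyed digest}

    def _digest(self, name: str, value: str) -> bytes:
        # Keyed, per-attribute digest so raw identifiers are never stored.
        msg = name.encode() + b"\x00" + value.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def bind(self, account_id: str, attrs: dict) -> None:
        # Call only after a secure login or identity verification step.
        self._bindings[account_id] = {k: self._digest(k, v) for k, v in attrs.items()}

    def check(self, account_id: str, attrs: dict) -> Decision:
        bound = self._bindings.get(account_id)
        if bound is None:
            return Decision.DENY  # no device registered for this account
        changed = {k for k, d in bound.items()
                   if not hmac.compare_digest(d, self._digest(k, attrs.get(k, "")))}
        if not changed:
            return Decision.ALLOW
        if changed == {"sim_id"}:  # same handset, new SIM (assumed policy)
            return Decision.STEP_UP
        return Decision.DENY  # different hardware or phone number

# Constructed sample values, not real identifiers.
REGISTERED = {"hardware_id": "hw-0001", "sim_id": "sim-AAAA", "phone_number": "+85200000000"}

def demo():
    store = DeviceBindingStore(server_key=b"constructed-demo-key")
    store.bind("acct-1", REGISTERED)
    same = store.check("acct-1", REGISTERED)
    new_sim = store.check("acct-1", {**REGISTERED, "sim_id": "sim-BBBB"})
    other_device = store.check("acct-1", {**REGISTERED, "hardware_id": "hw-9999"})
    unknown = store.check("acct-2", REGISTERED)
    return same, new_sim, other_device, unknown

if __name__ == "__main__":
    print(demo())
```

Static identifiers reported by a client can be copied, so a match on these attributes is best treated as one signal alongside the additional factors mentioned above.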
Meet IPification, your #1 device-based authentication solution
IPification is a perfect match for the HKMA-mandated device-based authentication measures. The leading mobile network-based authentication solutions provider, it verifies the users’ identities securely and within milliseconds.
It works by assigning each user a MobileID key comprised of the SIM card, device, and network data. To verify their identity, a user only needs to input their phone number and click once, and they’re verified instantly. No sensitive data is ever transferred over the network.
IPification is passwordless and phishing-resistant, and it even comes with a SIM Swap Detection tool. Upon detecting a new SIM card, this tool notifies the app developer about the change in real time, and the developer can then choose to stop any authorization request until the user confirms they’re using a new SIM.
It can be used for sign-in, sign-up, and transaction verification processes. And one thing is for sure: it’s bound to transform your app’s user experience, and ultimately help increase your revenue and build customer loyalty.
When a 1-second delay in page load time causes a 7% loss in conversions, and when 60% of users feel they are occasionally, frequently, or always slowed down or blocked from accessing services online, having a frictionless user experience is one of the biggest competitive edges you can have over your competitors.
Now, while IPification is compliant with 3D Secure, and compatible with most security environments such as Zero Trust or a continuous authentication environment, a chance exists that it may not be right for your use case.
We can help figure that out. Get in touch with us to schedule a quick consultation with our team of cybersecurity experts who can help figure out the best direction for your app.
We’re looking forward to getting to know you better.