
UK Mobile Operators Launch NumberVerify to Combat Fraud UPDATE

Wednesday, Nov 18th, 2020 (12:01 am)

Mobile network operators including EE (BT), O2, Three UK and Vodafone have today collaborated to launch a new service called NumberVerify (NV), which is a new consumer safety solution that aims to make it both easier and more secure to authenticate a user’s identity for online transactions.

At present a lot of online transactions (e.g. logging into a website or bank account) include a system that attempts to verify users – often as part of a two-factor authentication (2FA) process with a login/password (or other method) – by sending a one-time passcode to the consumer’s mobile phone. The customer then inputs that code into an app or website and is then able to complete the login.

NOTE: NV is available now via accredited partners: Prove, Boku and Tru.id.

By comparison the new NV solution simplifies this process by verifying customers through matching phone numbers used in a website or app session, which ensures the details being provided are the same as those registered on the customer’s account (this method is also PSD2 SCA – Strong Customer Authentication – compliant).


The NV system works directly on the mobile device in-app or in-mobile-browser with “no need to enter additional information (other than their phone number at registration) or remember additional passwords or passcodes“, although it may still be best to use this in combination with those for better security.

Gareth Elliott, Head of Policy and Communications at Mobile UK, said:

“In a world of increasing digital transactions, the launch of Number Verify is an evolution in how customers can be protected against cybercrime and social engineering attacks. Working collaboratively, as an industry the four operators can offer service providers, and app developers, reach that covers 65m mobile data connections, which is a powerful weapon in the fight against fraud.”

The NV technology may be new to the UK, but it’s already being offered by the major US carriers and many service providers (i.e. proven at scale with billions of transactions secured on a monthly basis).

UPDATE 12:21pm

We asked a few questions about how the new system works and have received the following responses. We should add that, according to Mobile UK, Number Verify will work even if the device is connected to WiFi (at home, work, coffee shop etc.), as long as it has a mobile data connection which will be true for most customers most of the time.


What happens under the hood?

One way to think about this is you don’t need to login to your mobile network to use its services, e.g. make a call, send a text, browse BBC news or Asos or use your banking app. The reason you don’t is that the mobile network is talking to your SIM card all the time and authenticating that you (the SIM card) are who you say you are and have rights and permissions to use those services. Of course we don’t notice this because it happens all the time behind the scenes, seamlessly and securely. It’s how a mobile network works!

What the mobile industry is now offering is for service providers to benefit from this same “no need to login” mobile network capability, via Number Verify, using the mobile network capabilities, tied to the SIM card.

What’s the user experience?

When a service provider (such as a bank, retailer, travel provider etc) deploys Number Verify, it will mean that their customer will enter their details when they first register for that app – specifically their mobile number. When the customer then next completes a transaction on the app, at this point the service provider can do a quick check to match the mobile number in the mobile network using Number Verify, thus authenticating the user via possession of the device (SIM card). The user won’t notice much as this all happens securely behind the scenes in a few seconds between the app, the service provider and the mobile network.

Once customers are already logged in to their service provider’s account (e.g. to send a payment in banking mobile app or buy a sofa from a homeware store) Number Verify can also authenticate the customer from their sign up registration details that will be used when they log in. Since the mobile number is already registered the login can be totally seamless.

What about Dual SIM phones?

Dual SIM phones are supported just like any other mobile device with a SIM card. However, it should be noted the user must use the correct mobile number linked to the SIM card being used for mobile data browsing on the device and must use this same number to benefit from Number Verify for supported service providers.
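
The check described above, as an added sketch that is not code from the article, Mobile UK or any accredited partner: a service provider asks a verification partner to check a registered number, the handset follows a 302 redirect to an operator URL (the sequence tru.ID describes in the comments below), and the operator compares that number with the SIM behind the data session. Every class name, URL, result string and phone number is constructed for illustration, and the single-use token and the reject-on-mismatch policy are assumptions.

```python
# Added illustration: a toy in-memory model of the check. All names, URLs and
# result strings are hypothetical; this is not the NumberVerify or tru.ID API.
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Bearer:
    kind: str                # "cellular" or "wifi"
    msisdn: Optional[str]    # number of the SIM behind a cellular data session

class Operator:
    """Mobile network: the only party that knows which SIM owns a data session."""
    def __init__(self):
        self._pending = {}   # one-time token -> number the check was created for

    def issue_check_url(self, number):
        token = secrets.token_urlsafe(16)
        self._pending[token] = number
        return f"https://mno.example/check/{token}"

    def handle(self, url, bearer):
        # Assumption: each operator check URL can be used once only.
        expected = self._pending.pop(url.rsplit("/", 1)[-1], None)
        if expected is None:
            return "unknown_check"
        if bearer.kind != "cellular":
            return "no_mobile_session"   # request did not arrive over mobile data
        return "match" if bearer.msisdn == expected else "no_match"

class IdProvider:
    """Verification partner: hands out a check URL and answers it with a 302."""
    def __init__(self, operator):
        self.operator, self._targets, self.results = operator, {}, {}

    def create_check(self, number):
        check_id = secrets.token_urlsafe(8)
        self._targets[check_id] = self.operator.issue_check_url(number)
        return check_id, f"https://idp.example/check/{check_id}"

    def get(self, check_url):
        return 302, self._targets[check_url.rsplit("/", 1)[-1]]

def device_runs_check(idp, check_id, check_url, bearer):
    """Handset side: follow the redirect over whichever bearer is in use."""
    _, location = idp.get(check_url)
    # Assumption: the outcome is recorded at the provider, never returned to the app.
    idp.results[check_id] = idp.operator.handle(location, bearer)

def authenticate(registered_number, bearer):
    """Service provider back end: decide from the provider's result only."""
    idp = IdProvider(Operator())
    check_id, check_url = idp.create_check(registered_number)
    device_runs_check(idp, check_id, check_url, bearer)
    result = idp.results[check_id]
    if result == "match":
        return "verified"
    if result == "no_mobile_session":
        return "fallback"    # e.g. SMS or email code when mobile data is unavailable
    return "rejected"        # assumption: a mismatch is not retried on a weaker factor
```

In this model the handset never supplies its own number to the operator; the match is decided from the SIM that authenticated the data session, which is why a request arriving over WiFi cannot be matched at all.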

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
24 Responses


  1. Mml says:

    I just don’t get how it’s going to work. I suppose it means when I’m accessing a website or an app using mobile data, the website will be automatically told what my phone number is?

  2. Tom J says:

    I think the way that this works is that when you enter a number, or the app already knows your number – something is silently sent off to the mobile network in the background asking if this number is currently being used in this device and the network is responding either yes or no.

    So supposedly if you entered phone number 07700000123 for example but the phone actually had a SIM with the number 0700000456 then the check would fail.

    I often have two SIMs in my phone though so it could be interesting what would happen in these circumstances.

    Prove also mention they can do ownership proof on their website so the MNOs may even be allowing companies to check if our names/addresses etc. match also.

    Bit invasive if you ask me.

    1. Tom J says:

      Just to add: I watched the Barclays use case – when you enter your mobile number it seems instead of sending an SMS out to verify, it just verifies itself somehow within a few seconds using this NV technology.

      Very worrying for me if there’s no fallback to SMS or something else because I use an entirely different phone number for all that sort of thing and it’s a VoIP number.

  3. Mark says:

    My problem is I can’t receive SMS because of bad signal, so assuming this doesn’t require a signal I’m happy about it.

  4. Chris Hills says:

    My number does not match the number in the SIM card so does this mean I am suddenly going to be locked out of websites?

    1. ianh says:

      The majority of 2 factor methods are selection based, i.e. you pick SMS over an authentication app… this will just be another choice for most sites.

      No need to panic 🙂

  5. Optimist says:

    Surely that puts us all at risk from criminals using other people’s numbers to set up accounts to steal money?

    1. Mml says:

      I think it’s the other way round, up until now it was rather easy to spoof someone else’s number, now it will be more challenging with these extra checks introduced.

  6. Buggerlugz says:

    So if I’m using my Three 4G router (with a phone number) on Firefox and I buy something, are you saying PayPal can see my router’s actual SIM card phone number somehow?

    Very worrying if that’s the case, especially with so many texting scams about currently.

  7. Mike says:

    This explains how it works:

    https://tru.id/docs/phonecheck-workflow

    Basically the ID provider 302 redirects to a URL on your mobile operator’s network, which then checks that the number you have entered is the same device as that which you are connected to their network using. (presumably just checking the client IP matches)

    Whether this will work with ported or MVNO’d numbers is an interesting question.

    It requires you to be on mobile data rather than wifi for the MNO to be able to correctly authenticate you, which is a pretty hilarious failing. “Turn off your wifi to log in” is a rubbish user experience.

  8. Buggerlugz says:

    Also if you use a VPN it won’t know your mobile operator.

    1. EndlessWaves says:

      It will, because you’ve just entered your phone number which provides that information.

      Being VPN’d into another network will likely cause the authentication to fail though.

  9. Jim says:

    So websites will soon be able to harvest numbers?

    1. EndlessWaves says:

      I suppose an unscrupulous website could submit loads of verification requests and eventually hit it lucky, matching a number with a visitor.

      But you’d expect the hit rate to be low and this service to cost money and contain anti-abuse measures to flag up any such suspicious activity patterns.

      It seems unlikely to be a viable attack. Did you have some other method in mind?

  10. Goodnight says:

    better let them launch support for the utopia ecosystem.

  11. Phil Leggetter says:

    I’m Phil Leggetter from tru.ID (https://tru.ID), one of the companies mentioned in this article. Some great questions so I’ll do my best to address them.

    First, an overview of our use of NumberVerify in our Phone Check product and how we’re making it available for businesses to integrate into their mobile applications:

    The tru.ID Phone Check product confirms the ownership of a mobile phone number by verifying the possession of an active SIM card with the same number. A mobile data session is created to a unique **Check URL** for the purpose of this verification. tru.ID then resolves a **match** between the phone number that the mobile network operator identifies as the owner of the mobile data session and the phone number being verified.

    Some of the following questions have been generally addressed in the post update but I’ll try to directly address some questions and possibly add some further clarification:

    > I suppose it means when I’m accessing a website or an app using mobile data, the website will be automatically told what my phone number is?

    The application will only know your phone number if you have previously provided it. Otherwise you will need to manually enter it. Phone Check on the tru.ID platform doesn’t know your phone number until you provide it and we do not store mobile phone numbers.

    > My problem is I can’t receive SMS because of bad signal, so assuming this doesn’t require a signal I’m happy about it.

    You will need a mobile data signal for NumberVerify (Phone Check on the tru.ID platform) to work because the verification requires web requests to be made over a mobile data connection.

    > Surely that puts us all at risk from criminals using other people’s numbers to set up accounts to steal money?

    Your secure connection to the mobile network has been established via a SIM card. That SIM card has a phone number associated with it. The only way that the verification can succeed is if the phone number being checked is associated with that SIM card. So the security depends on a combination of SIM card, mobile data connection and Phone Number and is much more secure than SMS or Voice-based phone 2FA solutions.

    We do have an upcoming product that will also provide information on when the SIM card was last changed so that companies can detect attempted SIM swap and better secure their customers. This can be used in combination with NumberVerify/Phone Check for additional security.

    > Basically the ID provider 302 redirects to a URL on your mobile operator’s network, which then checks that the number you have entered is the same device as that which you are connected to their network using. (presumably just checking the client IP matches)

    The URL the device first requests is the tru.ID check URL. We then return a 302 to the mobile operator’s check URL – a URL that has been provided by the mobile operator for the given phone number so they know which number should be associated with the device (the SIM card) that eventually accesses that URL. This requires the URL to be accessed using the authenticated mobile data connection.

    > Whether this will work with ported or MVNO’d numbers is an interesting question.

    If the mobile operator is EE (BT), O2, Three UK or Vodafone then the solution will work with ported numbers. Whether it will work with other M(V)NOs depends on whether they support NumberVerify.

    We’ve found that most MVNOs run on O2 and O2 does support NumberVerify (and thus tru.ID Phone Check). For example, GiffGaff and Tesco Mobile.

    We (tru.ID) do support connectivity with other carriers and are actively growing the number of networks we support.

    > It requires you to be on mobile data rather than wifi for the MNO to be able to correctly authenticate you, which is a pretty hilarious failing. “Turn off your wifi to log in” is a rubbish user experience.

    The tru.ID Phone Check solution does require a mobile data connection to work. On native mobile applications (Android and iOS) you can force a connection to be made over the “cellular” network even if the device is connected to WiFi. For the mobile web (e.g. Safari for iOS and Chrome for Android) the user would need to disable WiFi. This isn’t a great user experience for mobile web users and we’re working toward providing a better UX in this scenario. Right now, from our perspective, native mobile apps are the target for this technology.

    > I often have two SIMs in my phone though so it could be interesting what would happen in these circumstances.

    The verification is between the SIM card that has been used to establish the mobile data connection with the MNO (Mobile Network Operator) and the phone number associated with the SIM Card. So, for the verification to succeed the phone number used with the check has to be the one associated with the SIM card that has established the mobile data connection.

    > Also if you use a VPN it won’t know your mobile operator.

    > Being VPN’d into another network will likely cause the authentication to fail though.

    The check uses a combination of:

    - SIM card
    - Mobile data connection established using the SIM card
    - A phone number associated with the SIM card

    So, as long as the mobile data connection used to perform the check was created with a SIM card that’s associated with the phone number being checked, the check will fail. The VPN will make no difference.

    1. Phil Leggetter says:

      > So, as long as the mobile data connection used to perform the check was created with a SIM card that’s associated with the phone number being checked, the check will fail. The VPN will make no difference.

      Correction: the check will PASS.

    2. Mark says:

      As this becomes widespread, will there be a choice of selection? You can still use methods commonly used now? Remember there are still blackspots!

    3. Phil Leggetter says:

      > As this becomes widespread, will there be a choice of selection? You can still use methods commonly used now? Remember there are still blackspots!

      Since, as you say, there are areas of poor mobile data coverage it would make sense for any company with an application that uses Phone Check/NumberVerify for user verification to also consider offering fallback; Phone Check with SMS fallback, Phone Check with email code fallback or a combination of these and others. Or user preference. What those options are depends on the company building the application that users are logging in to.

    4. Leex says:

      Unless 1 week sim swap 2fa block is Enforced this product is useless (should have been added from the start) as it doesn’t prevent sim swap abuse from the sound of it and it sounds optional that the bank or website can choose not to use

    5. Phil Leggetter says:

      @Leex – Phone Check/NumberVerify is more secure and reliable than the ubiquitous SMS-based 2FA. It’s a step in the right direction to make applications far more secure than they currently are.

      SIM swap detection isn’t offered as part of the NV solution. From tru.ID’s perspective we’ll likely offer SIM swap detection as a standalone additional product as well as one that combines both NV and SIM Swap detection. Of course, it’s up to either the individual business (e.g. a bank) to decide which technology to use. Or a regulatory body to enforce.

    6. Hello GCHQ says:

      Hi, I am not sure if you’ll ever read this message, but I dislike this for a very simple reason: The mobile network is being monitored constantly by the government and removes any hope of privacy at all.

      Seriously, do a GDPR to Voxi or ANY mobile network, the information you get back is quite frankly scary, and it’s why it’s a perfect vector for the government to force verification.

      By using an SMS code or this application they get SO. Much. Information. Every time you even turn *on* mobile data/mobile networking, your device is sending huge amounts of ‘metadata’ which are stored for at least 12 months (cell tower ID/location, who you call, location of both parties, exact bytes downloaded/uploaded, time stamps…)

      I no longer use SMS/telephones for any reason, at all. The government and society are increasingly wanting people to not just *have* a phone number, but use the same number for the rest of time (what if I switch numbers 1 per month, probably best for privacy but I imagine a bunch of hassle).

      Forcing people into having to accept meta-data leakage (especially when people use VPNs, proxies and TOR) is not an acceptable solution, and renders me unable to use ANY service which stupidly relies on SMS/phone connectivity.

      This app is pointless and a complete waste of time. I can verify myself quite well with TOTP via apps like AndOTP which I believe to be far, far, far more secure than using an internet/telephony based service (namely, AndOTP works offline and does not ‘leak’ any amount of data, and requires an unlocked device (first security) plus the pin to the app itself (second)).

      I am sad to see society moving in this direction, but it doesn’t surprise me, the government wants this data (especially the GCHQ) so it’s being pushed in a big way (PayPal also wants your mobile number, as does the EU with its regulation)

  12. Mark says:

    No good for me. Struggling now with bad signal, 2G only, with online banking. Mast never upgraded. Still it’s what the Nimbys wanted. Shame we all suffer, don’t know what the solution will be, hopefully some sort of opt out!

  13. geoff says:

    you can use a disposable phone number for phone verification with https://textita.com
