Who Is This?

Every once in a while we get a message from a number we don't recognize. How do we authenticate the sender? And, more generally, how do we authenticate our users?

> Hey Bro… how’s it going?

>> Who is this?

You probably get something like this every once in a while. Usually it's because someone changed their phone, lost your contact info, or never saved your number. Of course, some people just play dumb, but let's not go there.

Well, this happened to me lately. I was messaging a friend letting him know I was in town. However, I was using a different number than the one he had on record. 

ProTip: Use a Google Voice number for platforms like WhatsApp and Telegram to reduce spam and minimize being added to random groups.

Here’s how it went…

> Hey Bro… how’s it going?

>> Who is this?

> Ayman

>> Ayman who?

> Ayman Elsawah

>> Oooooh

> Lol

>> Dude, did you get a new number?

> Nah, just a different number for WhatsApp

>> Security verification, send me a selfie video with your face in it plz

> 😂

Yeah, this was the actual conversation! That’s what happens when you work with security people! 😁

Security Verification

Given that he was a security guy, what did he do next?

He texted me at the last known number he had on file. Here’s what he said:

> Ayman!

> Are you on WhatsApp with a different number?

>> Yup

>> That’s me messaging you. Good security confirmation!

> See you in WhatsApp!

What he did there was excellent! He verified my identity out-of-band, through a channel he already trusted: the number he had on file for me.

Had I not responded there, I probably would have had to send a voice message or something similar to prove it was me.

End User Security Verification

Depending on the type of application you run, you will almost certainly have to do some form of end user verification.

The most basic form today is email verification: a message is sent to the email address on record, and the user must click a link or enter a code to prove they still control that address.

Basic events to prompt for security verification

You might trigger this on conditions or events such as:

  • User logs in from a new device or IP

  • User logs in from an IP address that is known or suspected to be malicious

  • User is updating something on their profile such as:

    • Email address

    • Billing address

    • Shipping address

    • Phone Number
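To make the above concrete, here is an added example in Python (not code from the original post) of the two halves of that flow: deciding whether a login or profile change needs a verification prompt, and issuing and checking the one-time code that the email or SMS carries. The account shape, the in-memory store, the 10-minute lifetime and the 5-attempt limit are all assumptions. The points a practitioner should take from it: store only a keyed hash of the code, make it single-use and time-limited, cap guesses, and compare in constant time.

```python
"""Added example: verification prompts on risky events, plus a safe one-time code.
Names, thresholds and the in-memory store are assumptions, not the post's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Profile fields whose change should trigger re-verification (from the post's list).
SENSITIVE_PROFILE_FIELDS = {"email", "billing_address", "shipping_address", "phone"}

CODE_TTL_SECONDS = 10 * 60   # assumed: a code expires after 10 minutes
MAX_ATTEMPTS = 5             # assumed: a code is discarded after 5 wrong guesses


@dataclass
class Account:
    user_id: str
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)


def needs_verification(account, device_id, ip, bad_ips, changed_fields=()):
    """Return the reasons a verification prompt is required (empty list = none)."""
    reasons = []
    if device_id not in account.known_devices:
        reasons.append("new_device")
    if ip not in account.known_ips:
        reasons.append("new_ip")
    if ip in bad_ips:
        reasons.append("suspected_bad_ip")
    sensitive = SENSITIVE_PROFILE_FIELDS.intersection(changed_fields)
    if sensitive:
        reasons.append("profile_change:" + ",".join(sorted(sensitive)))
    return reasons


@dataclass
class PendingCode:
    digest: bytes        # only a keyed hash of the code is stored, never the code
    expires_at: float
    attempts: int = 0


def _digest(user_id, code, server_key):
    # HMAC with a server-side key: a leaked code store is not enough to forge a code.
    return hmac.new(server_key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


def issue_code(store, user_id, server_key, now=None):
    """Create a 6-digit one-time code and return it for the caller to email/SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    store[user_id] = PendingCode(_digest(user_id, code, server_key), now + CODE_TTL_SECONDS)
    return code


def verify_code(store, user_id, submitted, server_key, now=None):
    """Check a submitted code: single use, time-limited, attempt-limited."""
    now = time.time() if now is None else now
    pending = store.get(user_id)
    if pending is None or now > pending.expires_at:
        store.pop(user_id, None)          # expired codes are removed, not retried
        return False
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        store.pop(user_id, None)          # too many guesses: force a fresh code
        return False
    ok = hmac.compare_digest(pending.digest, _digest(user_id, submitted, server_key))
    if ok:
        del store[user_id]                # single use
    return ok
```

The `needs_verification` result is a list of reasons rather than a boolean so the prompt shown to the user (and the audit log) can say why the check was triggered; "new IP" on its own is a noisy signal for mobile users, which is one reason to combine it with the device check rather than act on it alone.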

Sensitive events to prompt for additional verification

Aside from basic authentication, some actions should require additional, or step-up, authentication.

Step-up authentication means the user is asked to re-authenticate, or to present an additional factor, before a particular task is allowed to complete.

Here are a few scenarios:

  • Update / Change bank account information

  • Transfer funds or conduct financial transactions

  • Create admin users

  • Delete users 
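Here is an added example in Python (not the post's code) of one way to enforce a step-up policy: the session remembers when the user last completed a strong, second-factor authentication, and each sensitive action from the list above is allowed only if that happened within an action-specific window; otherwise the caller must run the challenge again. The action names, the windows and the `Session` shape are assumptions. It also models the actions the post says should never be exposed, so they are refused no matter how fresh the authentication is.

```python
"""Added example: step-up authentication gate with an authentication-freshness window.
Action names, windows and the Session shape are assumptions, not the post's code."""
from dataclasses import dataclass
from typing import Optional

# Sensitive actions from the post, mapped to the maximum age (seconds) of the last
# strong authentication we will accept before demanding a new one. Assumed values.
STEP_UP_ACTIONS = {
    "update_bank_account": 5 * 60,
    "transfer_funds": 5 * 60,
    "create_admin_user": 2 * 60,
    "delete_user": 2 * 60,
}

# Actions that are never allowed through the application, regardless of authentication.
FORBIDDEN_ACTIONS = {"reveal_card_number", "reveal_password"}


@dataclass
class Session:
    user_id: str
    login_at: float
    last_strong_auth_at: Optional[float] = None   # None = only a password so far


class StepUpRequired(Exception):
    """Raised when an action needs a second factor the caller has not provided."""


def authorize(session, action, now):
    """Return 'allowed', 'step_up_required' or 'forbidden' for an action."""
    if action in FORBIDDEN_ACTIONS:
        return "forbidden"
    window = STEP_UP_ACTIONS.get(action)
    if window is None:
        return "allowed"          # ordinary action: the login session is enough
    if session.last_strong_auth_at is None or now - session.last_strong_auth_at > window:
        return "step_up_required"
    return "allowed"


def record_strong_auth(session, now):
    """Call only after a second factor (TOTP, push, hardware key) has been verified."""
    session.last_strong_auth_at = now


def perform(session, action, now, second_factor_ok=None):
    """Run the gate; second_factor_ok is a callable that performs the challenge."""
    decision = authorize(session, action, now)
    if decision == "forbidden":
        raise PermissionError(f"{action} is never exposed to end users")
    if decision == "step_up_required":
        if second_factor_ok is None or not second_factor_ok():
            raise StepUpRequired(action)
        record_strong_auth(session, now)
    return f"{action}: done"
```

The freshness window is what stops a single second-factor prompt at login from silently covering every transfer for the rest of the session; admin actions get a shorter window than money movement here purely as an assumed illustration of per-action tuning.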

By the way, I have purposely left out some actions, because they should not be allowed or even possible. They include:

  • Reveal credit card numbers on file (they should be stored encrypted, and showing them back in full should not be allowed, to prevent theft of the numbers)

  • Reveal the current password (it should be stored hashed, which makes this impossible)

How to verify users the right way

Make sure to train your customer support teams to verify users the right way. Ask for information only the real user would know, or for proof of something only they possess.

The more sensitive the transaction, the more evidence they should ask for.

This may include things such as:

  • Date of Birth

  • Full SSN

  • Last deposit amount

  • PIN sent to phone number on file

  • Caller ID verification

  • Bank account information

  • 2FA Verification

If the user hesitates or gets anything wrong, that should be a red flag 🚩 on the account, and the flag should stick so that a second call does not start from a clean slate. Keep in mind that caller ID can be spoofed and that dates of birth and SSNs circulate in breach data, so on their own those are weak signals; a PIN sent to the phone number on file or a 2FA code is much stronger evidence.

Automated verification methods

I strongly encourage automated methods for verifying users. Not only do they save customer service time, they also reduce exposure to social engineering and make the verification itself more trustworthy.

Here are some methods:

  • Voice authentication

  • Phone number verification

  • Entering information on file (such as account details)

  • Entering two-factor authentication information

Keep in mind that this information can be gathered BEFORE the caller reaches a customer service rep. That way the rep has an indication 🚦 ahead of time of how trustworthy a particular caller is.
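Here is an added example in Python (not the post's code) of such a pre-verification step, covering both the support-verification list above and the automated methods in this section. Possession checks (a code sent to the phone on file, a 2FA code) are weighted more heavily than knowledge checks (date of birth, last deposit amount), any wrong answer flags the account, and the flag persists so that calling back and hoping for a more lenient rep does not work. The check names, weights, threshold and record shape are assumptions.

```python
"""Added example: automated pre-verification before a caller reaches a support rep.
Check names, weights, threshold and the AccountRecord shape are assumptions."""
import hmac
from dataclasses import dataclass, field

# Assumed scoring: what the caller HAS (a phone, a 2FA device) beats what they KNOW.
CHECK_WEIGHTS = {
    "otp_to_phone_on_file": 3,
    "two_factor": 3,
    "last_deposit_amount": 1,
    "date_of_birth": 1,
}
GREEN_THRESHOLD = 4   # assumed: one possession check plus one knowledge check


@dataclass
class AccountRecord:
    user_id: str
    answers: dict                   # expected values, e.g. {"date_of_birth": "1985-03-14"}
    flagged: bool = False           # persisted red flag; survives across calls
    failed_checks: list = field(default_factory=list)


def _matches(expected, given):
    # Constant-time comparison after normalising case and whitespace.
    return hmac.compare_digest(
        str(expected).strip().lower().encode(),
        str(given).strip().lower().encode(),
    )


def run_prechecks(account, responses):
    """Score the caller's responses and return (indicator, score, failures).

    responses maps a check name to either a bool (possession checks, reported by
    the OTP/2FA system) or the caller's answer (knowledge checks, compared here).
    """
    score = 0
    failures = []
    for check, weight in CHECK_WEIGHTS.items():
        if check not in responses:
            continue
        given = responses[check]
        if isinstance(given, bool):
            passed = given
        else:
            passed = check in account.answers and _matches(account.answers[check], given)
        if passed:
            score += weight
        else:
            failures.append(check)
    if failures:
        account.flagged = True                  # a wrong answer is a red flag on the account
        account.failed_checks.extend(failures)
        return "red", score, failures
    if account.flagged:
        return "red", score, ["previously_flagged"]   # an earlier failure still counts
    if score >= GREEN_THRESHOLD:
        return "green", score, []
    return "amber", score, []
```

The indicator is what the rep sees when the call lands: green means the automated checks already cleared the caller, amber means only weak evidence was gathered and the rep should ask for more before a sensitive action, and red means the account has a failed check on it, now or from a previous call, and the rep should escalate rather than proceed.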

Conclusion

Above is just a sampling of what can be done for user verification. The real question is: are you doing enough to verify your users, so that they cannot impersonate another user or commit fraud?
