How does SIM binding work?
Why don’t your finance apps work when you travel abroad?
As soon as a traveler lands in a foreign country, they replace their existing SIM card with a foreign SIM card for better mobile network service. Even with dual-SIM phones, users generally put the foreign SIM in the SIM1 slot for better internet access, and may or may not keep the original SIM in the second slot.
Then they open their banking app, and it asks for re-validation.
You panic, reinsert your SIM and wait for OTP.
But wait, you are not in India, you can’t receive OTP.
Or worse, you have lost your card. After the initial panic, you want to lock your card, but you can’t do that either.
If it’s such a pain, why do banks do it?
- Creates a “something you have” factor in multi-factor authentication
- Enhanced security: your account can be accessed only from your device
- Mitigating SIM Swap Fraud
How does it work?
Initial setup:-
- The bank’s app, or the bank’s SDK embedded in your fintech app, sends your selected mobile number along with a unique code to the bank’s device registration service through its API.
- Along with this, the app asks the user for the ‘Send SMS’ permission and sends the same mobile number and unique code via SMS to the device registration service.
- If the mobile number and unique code received through the API call match those in the received SMS, the banking service binds the app to the SIM in the device.
- This unique code can be system-generated, or it can be device-specific, such as the IMEI, the SIM number, the MAC address or something else.
Continuous validation:-
So now, whenever a user tries to perform an action in the app, the system looks for that unique code on the device: if it exists, the action proceeds; if it doesn’t, the app asks for re-validation.
The only case where re-validation is not required is when the registered SIM is present in the designated slot during login.
What does it affect?
For such travelers, most financial services become inaccessible, which makes for a very poor user experience.
But what a few banks do is allow active users to access these three major services even after they remove the registered SIM card from their phone:
1. View the account balance and fetch the updated balance:
Once a transaction completes successfully and the available balance is updated in the app, users can monitor their budget while they are abroad. With the help of the balance view, users can decide whether they need to load more money into the account at that point in time.
2. View transactions, apply filters and generate a statement:
When a user travels abroad intending to spend, they want to keep track of their expenditure. As users won’t receive any SMS when a transaction succeeds, the best way to keep track of these expenses is to monitor them in the app itself. Monitoring transactions helps them not only keep track of legitimate transactions but also become aware of any fraud if it occurs.
3. Access to card controls:
Options like card or channel lock/unlock, card transaction limit controls, reset ATM PIN, view card details and card block/hotlist give users a greater sense of security and control. There can be a situation where they want to lock the card, or just ‘Tap and Pay’, if they feel the card could be misused. Or they may need to increase or decrease the POS limits, or change the ATM PIN if they notice suspicious activity or forget it. If a card is lost, a one-touch block protects against fraudulent claims, and viewing the card details helps with e-commerce transactions such as online ticket booking, food ordering or cab booking during the trip.
Problem Statement:-
If the registered SIM is not in the phone, the user won’t be able to use banking services in a foreign land.
Banks’ current declaration-based process:-
- Declare which country the user is traveling to
- Declare their traveling dates — a few weeks in advance
- Declare their international mobile number to receive OTP (optional)
- Confirm details
Solution:-
If the identified user’s device is the same, the SIM is different and the location is not in India, then perform email validation.
- Basic:- Send the user an email OTP. If it is verified successfully, allow the user to continue using the app.
- More secure:- Ask the user how long they will be in the foreign country, register those date ranges, do an email OTP verification and then skip the SIM binding validation for that duration only.
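The registration and continuous-validation flow from “How does it work?” together with the email-OTP solution just described, as an added Python example (illustrative code written for this page, not any bank’s implementation): the registration service is hypothetical, the unique code is taken to be the server-generated option, and the device id, SIM id and country code are assumed to be reported by the app.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Binding:
    mobile: str
    sim_id: str
    travel_until: Optional[datetime] = None  # email-OTP-backed exemption from SIM binding

class DeviceRegistrationService:
    # Hypothetical server side: the API submission and a matching SMS from the SIM bind the device.
    def __init__(self) -> None:
        self.pending = {}   # code -> (device_id, mobile, sim_id, expiry) from the API call
        self.bindings = {}  # device_id -> Binding

    def start_registration(self, device_id: str, mobile: str, sim_id: str) -> str:
        code = secrets.token_urlsafe(16)  # server-generated, single-use, short-lived
        expiry = datetime.now(timezone.utc) + timedelta(minutes=5)
        self.pending[code] = (device_id, mobile, sim_id, expiry)
        return code

    def receive_sms(self, sender_number: str, body: str) -> bool:
        entry = self.pending.pop(body.strip(), None)  # unknown code or replay: reject
        if entry is None:
            return False
        device_id, mobile, sim_id, expiry = entry
        if datetime.now(timezone.utc) > expiry or not hmac.compare_digest(sender_number, mobile):
            return False  # stale code, or the SMS did not come from the number submitted via API
        self.bindings[device_id] = Binding(mobile, sim_id)
        return True

    def check_action(self, device_id: str, sim_id: str, country: str) -> str:
        # Returns what an app action needs: "allow", "email_otp" or "revalidate".
        b = self.bindings.get(device_id)
        if b is None:
            return "revalidate"  # unknown device: full SMS binding again
        if hmac.compare_digest(sim_id, b.sim_id):
            return "allow"  # registered SIM present in the designated slot
        if b.travel_until is not None and datetime.now(timezone.utc) <= b.travel_until:
            return "allow"  # inside an email-OTP-verified travel window
        if country != "IN":
            return "email_otp"  # same device, new SIM, abroad: email step-up
        return "revalidate"  # new SIM at home: treat as a possible SIM swap

    def grant_travel_window(self, device_id: str, days: int) -> None:
        # Call only after the email OTP succeeded; relaxes SIM binding for the declared trip length.
        self.bindings[device_id].travel_until = datetime.now(timezone.utc) + timedelta(days=days)
```

The sender number is taken from the inbound-SMS gateway, not from the message body, so the SMS leg only passes if it really originated from the submitted number.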
It’s a very specific use case, but a lot of Indians travel abroad, especially students. Even for travelers, you don’t want to be clueless if you lose your NFC-enabled card, loaded with money, in a foreign land while your mobile app is locked.