Entersekt’s Interakt product uses push USSD for out-of-band communication between a financial institution and its customers’ mobile devices. This two-way channel enables authentication of sensitive transactions on any GSM mobile phone. Interakt is offered exclusively in Southern Africa, where Entersekt holds the necessary commercial agreements with all mobile network operators.
OUT-OF-BAND TRANSACTION AUTHENTICATION
Network-initiated unstructured supplementary service data (NI USSD or push USSD) provides session-based data communication between a service provider and a mobile device. Interakt uses this protocol to provide a true out-of-band authentication channel: authentication requests and responses are transmitted over a mobile network’s GSM channel, which is completely separate from the browser (Internet) channel used by the customer to enter their user name and password. This approach eliminates the threats posed by phishing, man-in-the-middle/browser, and keystroke logging attacks.
REAL-TIME, INTERACTIVE COMMUNICATION
Unlike SMS, which is a store-and-forward technology, push USSD allows a two-way exchange of data in real time. The customer confirms transactions by responding directly to an authentication request sent to their mobile phone, entering 1 (for Accept) or 9 (for Reject) into the entry field and clicking Reply. The transaction is not authorized by the financial institution until the customer’s confirmation is received.
PROTECTION FROM MALWARE
Interakt is not susceptible to mobile malware in the way that SMS-based authentication systems are, because no session data is stored on the mobile device after an NI USSD connection is closed.
OPTIONAL SIM-SWAP CHECKING
To prevent SIM-swap fraud, a popular new form of spear phishing, Interakt can check whether a SIM swap (also called SIM cloning) has occurred and alert the financial institution immediately.
UNIVERSAL MOBILE DEVICE COMPATIBILITY
Interakt works with any GSM mobile device – including phones with text-only interfaces – across all Southern African mobile networks.
EXTREME EASE OF USE
Interakt does not require an app to be installed on a registered customer’s mobile device. Authentication messages are simply pushed to their mobile phone using the NI USSD protocol. If the customer initiated a transaction using their mobile browser, this message overlays the mobile browser, so they do not have to switch between browser and message and back again, as they do with SMS one-time passwords, for example. Similarly, users can receive and respond to these messages while on a call; for example, to authenticate themselves to a call center.
FIPS 140-2 LEVEL 3 ON-PREMISE ENDPOINT
The Interakt Secure Gateway hardware appliance is the interface between the financial institution’s back-end systems and the Entersekt Message Router, responsible for switching authentication requests and responses to and from the correct mobile devices. It includes a hardware security module for certain encryption functions.
Mobile network operators charge WASP (wireless application service provider) fees for push USSD connections. Entersekt provides reverse billing to the implementing financial institution so that their customers do not pay directly.