In many circumstances, it is important to verify that a mobile device is in the hands of a valid user prior to communicating with the device.
For example, as discussed in U.S. application Ser. No. 14/798,155, “SYSTEM AND METHOD FOR MOBILE NUMBER VERIFICATION,” filed Jul. 13, 2015 (commonly owned with the present application and hereby incorporated by reference), an arrangement is disclosed for confirming that the user of a mobile device user has not changed (such as by a mobile device being deactivated and the mobile number re-assigned to a different user) prior to a bank or other institution using an automatic telephone dialing system to make a call to the mobile device.
Verifying or authenticating a mobile device can be especially important when a mobile device is being used to conduct a financial transaction. For example, mobile device users conducting financial transactions are often given one-time passwords to authenticate the user and complete a transaction. A one-time password is intended to prevent a fraudster from gaining access to a user's permanent password and using it for fraudulent transactions. However, sending a one-time password may itself involve some risk, e.g., when the password (even if encrypted) is sent over a public network, such as the internet or a wireless provider network, where it can be intercepted and decrypted.
For this reason, systems have been developed for sending one-time passwords over out-of-band communications channels, such as disclosed in U.S. Pat. No. 8,806,592, “METHOD FOR SECURE USER AND TRANSACTION AUTHENTICATION AND RISK MANAGEMENT,” which is hereby incorporated by reference. Using out-of-band communications channels improve security since data is generally less accessible to hackers than data sent over a public network (e.g., where data is being entered at a website). The user receiving the one-time password can, e.g., enter the received password at a website, thus confirming that the user has in fact received the one-time password at the user's known mobile device. However, such arrangements also carry some risk, since a fraudster may hack a mobile device and control its operation, and thereby redirect or forward communications having passwords and other sensitive information to the fraudster's phone. Thus, the security of one-time passwords over out-of-band communications can also be compromised (e.g., when a fraudster attempting to access an account at an online banking website has gained control of a user's mobile device and redirected messages to the fraudster's phone, thus enabling the fraudster to receive the one-time password and enter that password at the website to gain access to the account).
There is thus arisen the need for providing enhanced security when communicating with a mobile device, such as when communicating a one-time password to complete a financial transaction.