[Written in partnership with MaGIC, but the editorial team had full control over the content.]
We live in a world that is very much still password-reliant, despite the innovations in cybersecurity. For many of us, typing in that string of gibberish gives us comfort knowing that our data and assets are stored securely behind it.
But that may not be the truth. IPification, a Hong Kong-based startup, wants to overhaul these processes for a passwordless future. We spoke to CEO Stefan Kostic to learn why, and how.
Towards a passwordless future
In our interview, Stefan first took us back about 8 years, to before IPification’s founding.
Before he was president and founder of IPification, Harry Cheung was having dinner with one of his oldest friends in a Hong Kong restaurant. The latter was seeking professional advice because his mobile banking app had recently gotten hacked and all his money was stolen.
At the time, Harry had been in the security industry for a long time and served on Kaspersky’s Board of Directors, hence his friend reaching out to him. Though he could only provide advice on the best mobile security practices then, Harry would eventually begin working on a mobile authentication solution some years later, to be launched as IPification.
“Here at IPification, we strongly believe in the passwordless future where users are at the centre of a secure and user-friendly mobile identity ecosystem,” Stefan explained their mission to Vulcan Post.
“When most authentication solutions sacrifice either security or user experience, we believe that you should have both.”
With that, the startup wants to do away with passwords, including one-time passwords (OTPs) and the like.
Instead, its solution generates a user’s unique mobile ID key consisting of the phone number, SIM card, and device data based on the user’s IP address. To authenticate, the user only needs to make one tap on their screen, and the unique ID key is verified in milliseconds.
According to Stefan, because this key is made up of various data, it is all but impossible to spoof.
However, he advises that one should still have a code, face, or fingerprint ID as a way to unlock one’s phone for better security. If the phone is then lost or stolen, one should quickly contact their mobile phone operator and ask to lock their SIM card.
One flaw in security is a flaw too many
Prior to this, I’d always assumed that the cybersecurity of my data and assets would be safe and sound, so long as I never shared my OTP or password around. I mean, that’s what the news often cautions us about… right?
Wrong. Passwords in general aren’t very secure, and SMS OTPs can be compromised too, with Stefan stating that they were highly vulnerable to social engineering attacks and SMS rerouting.
“Through social engineering, cybercriminals can take over your SIM card and gain access to your account before you even notice, in what is known as a SIM swapping attack,” he said. In short, SIM swapping is when a scammer transfers your phone number to another device to access your accounts.
“Additionally, SMS OTP is susceptible to phishing attacks. In these attacks, criminals may serve you a compelling but fake webpage to services such as Google. They monitor you actively as you try to log into this page, and when you type in your SMS OTP, they log into and lock you out of your account.”
SMS technology also has a design flaw in the Signaling System No. 7 (SS7) protocol, which is responsible for setting up and terminating telephone calls to enable wireless cellular and wired connectivity. The protocol, Stefan said, hasn’t changed much since it was first introduced in the mid-70s. And it is because of this flaw that cybercriminals can intercept and reroute your SMS OTP and access your account.
When it comes to the security of our online accounts, I think we can all agree that one flaw in the authentication process is one too many flaws.
Capturing 3 billion users in the next 5 years
For IPification to work, it has to be in people’s smartphones, and this is only possible through working with mobile phone operators.
But what’s the incentive for mobile phone operators to pick up the startup’s solution?
“First and foremost, IPification helps them open new revenue streams by monetising their tech infrastructure in a way it wasn’t ever before,” Stefan said.
“Operators generate a fee for each successful authentication, even for prepaid users out of their credit and airtime.”
IPification also doesn’t require these operators to invest in new infrastructure, because it works on already-existing mobile network operator (MNO) technology.
In addition, if IPification’s solution does away with the peskiness of never receiving that OTP that was supposedly sent out, it would lead to improved customer experience and satisfaction, a win for the MNO and the brands that are reliant on this technology.
Currently, the Hong Kong startup is already in the advanced stages of planning with 2 major MNOs in Malaysia and plans to officially launch its service here in Q1 2022.
For support and better insights into Malaysia’s market, IPification joined MaGIC as part of the Global Accelerator Programme’s (GAP) Cohort 5.
“It has helped us sharpen our marketing message, gave us some valuable advice on improving our financial planning, operations, and ways of communicating with investors,” Stefan shared.
IPification is confident it can leverage these valuable learnings and insights to maximise its potential for growth in Malaysia.
Globally, IPification shared that it had already served 1.5 billion mobile users as of August 2021, and the new goal now is to reach 3 billion users in the next 5 years.
At the moment, 5 billion people in the world own a mobile phone, and we can expect this number to only go higher from here with the digitalisation of many services.
All this spells a huge opportunity and a massive market for IPification to change cybersecurity for the better, and it will be up to the team to ensure they can leverage their resources wisely.
Featured Image Credit: Stefan Kostic, CEO of IPification