Singtel launches SingVerify, a verification alternative for other businesses to protect their users

Here’s everything you need to know about your telco using your data to verify if you’re an authentic user.

Singtel launches SingVerify, a verification service for other businesses to help verify their users' transactions and login attempts.

Today (6 March 2024), Singtel announced SingVerify, a new service for businesses to help fight against scams, fraudulent transactions or log-ins, through checks made against Singtel’s data.

What is SingVerify?

In its official statement, Singtel described SingVerify as an authentication solution for other consumer services by verifying them against telco data. This is done via Application Programming Interfaces (APIs), which businesses can choose to include in their mobile apps.

“Phishing scams continue to impact many innocent people. In today’s digital economy, technology is pervasive, and we’d like our customers to be able to enjoy the benefits of a digital lifestyle safely. That’s why we launched SingVerify - a game-changing solution that’s eliminating complicated authentication methods yet protecting consumers. We’re confident that SingVerify will play a critical role in mitigating fraud in real-time, safeguarding critical customer data, and preventing potential financial losses for many consumers,” said Mr Ng Tian Chong, Chief Executive Officer, Singtel Singapore.

Businesses can protect users by adding an additional element of user verification with SingVerify, on top of existing authentication methods. Users of these businesses can be greenlighted without any extra input from them, since they are checked against telco data upon each transaction or log-in.

For the end-user, it adds another layer of protection against phishing scams and fraudulent log-in attempts, since it’s an extra step of verification that scammers or bad actors need to overcome.

How does SingVerify protect me from fraud or scams?

SingVerify uses Singtel's own telco data to narrow the human risk in authentication.

In a media briefing session, Singtel said it has two SingVerify APIs available. Number Verify API, available at launch, validates the end-user’s identity by matching their phone numbers with their registered account details.

How Number Verify API works with SingVerify. Even if the user enters login or OTP details on a phishing platform, the bad actor cannot access the user's account, because the phone number and/or device does not match Singtel's records.

In the example given, a hacker or scammer trying to phish for login details would fail login attempts, because the device they use does not match the device or phone number records found in the telco’s data.

The other is Device Location API, which checks whether the log-in attempts are made on the correct network in the correct country. The example below assumes that the phone is not anywhere near the hacker's laptop, nor is it using the correct network.

How Device Location API works on SingVerify. Similar in concept to the other API, but it checks against device locations instead.

In Singtel’s example, the scammers would fail because the device attempting a login is not located where it should be, even if the bad actor mirrors the user and has the correct passwords or OTPs. 

These API calls are made silently and in the background, so users do not need to key in more information or provide more details to authenticate their logins to their favourite services and apps.

Currently, businesses like Tiger Brokers and IPification are integrating SingVerify into their existing security frameworks to add more security for their customers.

Since these are APIs, SingVerify is also available for implementation by other businesses. Banking apps, e-commerce apps, or social media apps can implement SingVerify to provide an extra layer of authentication for their users.

You can learn more about SingVerify here.

Wait, doesn’t that mean our telco is selling our data to other companies?

Singtel clarified that it’s not selling user data to businesses through SingVerify. Singtel sells a Yes/No answer backed by their data to verify if a log-in elsewhere is legitimate. 

For example, if a bank implements SingVerify in its authentication flow, SingVerify (and other authentication methods) can become a part of its verification process. SingVerify doesn’t reveal any details of its user to the business (e.g. the bank); it only confirms whether the user is conducting legitimate log-ins by checking it against their data.

Of course, Singtel isn’t doing this out of the goodness of its heart, even if the intention is noble. Singtel charges these businesses based on the number of SingVerify API calls made.

SingVerify is not treated as the be-all and end-all solution to verifying whether users are real. In a multi-factor authentication landscape, other businesses and services can still tap on other verification methods (e.g., biometrics, emails, customer walk-ins) to augment user log-ins alongside SingVerify.

Currently, M1 and Singtel are partnered for SingVerify, thanks to an earlier MoU signed that federates network-based authentication through APIs.

Singtel also added that SingVerify can verify across partnered telcos' data, such as M1's. For example, an M1 user can also be verified on SingVerify, since the authentication stage would forward the API call to the correct telco to confirm the legitimacy of the user logging in.

Singtel also clarified that some of these user protection methods would not necessarily work if scammers or hijackers could remotely control devices. For example, Device Location API relies on verifying that the user is in the correct location, which means it doesn’t prevent log-ins from happening after a hostile takeover of a device. This is why there are multiple SingVerify APIs for businesses to implement. 

What is the technology SingVerify uses?

GSMA Open Gateway is a framework that cuts across participating telcos around the globe. The framework explores the use of network-based APIs to enhance mobile connectivity and security.

An API is simply software with a specific function, allowing two services or applications to talk to each other. SingVerify APIs allow third-party apps to make backend requests to verify data against Singtel's information.

SingVerify is built upon an existing framework spearheaded by GSMA called Open Gateway APIs. In short, this initiative allows telcos worldwide to use their customer data to provide better service and experience through their networks without exposing their data to third parties.

An example would be using Open Gateway APIs with video streaming apps to enhance mobile network connectivity. Users can watch shows or livestreams with minimal disruptions. The app developer or business would only need to include the correct APIs in the app to enhance their services for users on specific telco networks.

At the time of reporting, approximately 239 mobile networks, or 65% of mobile connections worldwide, are signed up with this GSMA initiative. Most of these operators use Open Gateway APIs to authenticate transactions, combat fraud, and act against identity theft.
