An international mobile subscriber identity (IMSI) number uniquely identifies a mobile phone subscriber and is usually stored within a SIM card. A mobile subscriber integrated services digital network (MSISDN) number is a mobile's phone number. The IMSI is used internally within mobile phone systems to identify a phone. Most users don't know their IMSI, while the MSISDN can be dialed to reach the phone.
As the mobile phone continues its dominance in the e-commerce space, many applications have begun to authenticate their users by sending a security code to the mobile number via SMS. Most commonly this forms part of a two-factor authentication method under strong customer authentication (SCA), which validates a user based on the factors of knowledge, possession and inherence. An SMS in this case can be classified as a possession factor if the user’s SIM card has been validated prior to the sending of the message.
The reliance on using the mobile phone number to authenticate users has made the number itself (MSISDN) vulnerable to malicious attacks. The mobile device therefore becomes more vulnerable to fraudsters who can intercept SMS PIN codes and other sensitive information with increasing ease.
When a fraudster transfers their victim’s mobile number onto a device in their possession, the serial number, the IMSI, also changes.
To authenticate a user compliantly, efficiently and seamlessly, a company must validate the user’s mobile phone number against their SIM card. This must be validated at the mobile phone network level. As stated in the ‘Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2’, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’.
Phonovation’s FinTech solution, known as Mobile ID, enables banks to be PSD2 compliant by providing real-time data on the status of a mobile SIM via a secure connection into the mobile network.