Mobile

9/27/2016
10:00 AM
Steve Maloney
Steve Maloney
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Fraud Changes Outlook for Multifactor Authentication

SMS one-time passcodes just won't cut it anymore. We need new approaches that people will actually use.

The writing is on the wall — and the Dark Web: SMS one-time passcodes are on their way out. As malware aimed at mobile banking and payment apps becomes more prevalent, authentication by SMS has proven to be too vulnerable. Cell networks are under attack, and mobile phones can be compromised in myriad ways: loss, physical theft, account hijacking, and crimeware (such as banking Trojans, adware, spyware, ransomware, etc.). If you want to see how bad it can get, read about Brazil's ongoing nightmare with banking crimeware. In addition to a rash of banking Trojans, malware aimed at the country's Boleto system for money orders has netted nearly $4 billion in the last two years.

Plenty of evidence shows that mobile malware is increasing in the US and globally: Kaspersky Lab research, a Nokia study of 100 million devices, FBI and Federal Financial Institutions Examination Council warnings, IBM experts, and other sources show this. Much of the malware is designed to commit banking or transaction fraud by spying on consumers' credentials or intercepting SMS passcodes. To make it official, the National Institute of Standards and Technology (NIST) has issued draft national recommendations that discourage use of SMS-based two-factor authentication and recommend the use of alternative authentication factors.

We've had a hard enough time convincing consumers and companies that password protection is woefully insufficient by itself, and that two-factor authentication should be required for all sensitive authentication scenarios. Now we have to find an appealing alternative to the fairly easy-to-use SMS one-time passcode scheme. The primary problem with SMS methods (in addition to hacking vulnerability) is that they verify only the device, not the person holding it.

There are many options for next-generation authentication; the challenge lies in creating implementations that are efficient for the authenticator and seamless for the user. True multifactor authentication processes should use something you have, something you know, and something you are. For example: your phone or hardware token, a password, and a unique biometric characteristic.

The Consumer Factor
It's easy to see how true multifactor authentication is both more secure and more cumbersome. Consumers who prefer to pay by waving their phone in front of a scanner won't be pleased with a three-step process and will circumvent it if possible. More work needs to be done figuring out how customers want to use their mobile wallets and banking apps, and what types of security measures they will comply with. The NIST guidelines encourage moving toward biometric authentication methods, if they are used in combination with other factors (e.g., strong passwords). While biometric applications such as facial-recognition technology have been employed by law enforcement and government agencies for some time, they have only recently become practical for widespread commercial use. Likewise, smartphones are now prevalent enough that most consumers can complete biometric authentication processes on the go.

With the proper attention to the details of user experience, biometric authentication can be easy-to-use (nothing to remember or carry), virtually tamper-proof (more difficult and labor-intensive to spoof a retina, voice, or facial symmetry), and more secure (can't be cyber-hijacked). Moreover, there are several biometric methods that could be used in various combinations or layers to better thwart hacker workarounds. Innovative companies are developing enterprise-ready versions of hardware and software for matching validated records to scans of faces, voices, fingerprints, hands, retinas, and even ear shapes.

The best solutions will take advantage of behaviors users find natural and simple, such as taking selfies, validating government-issued identity credentials, scanning fingerprints, and repeating voice prompts. HSBC now permits customers to use selfies to access their accounts; other major banks have implemented voice and fingerprint-recognition options. Such methods will become increasingly common

As cyber currency, blockchain technologies, and other innovations become more mainstream, millions of people around the world will use banking and lending services for the first time, and the vast majority of them will do so primarily through mobile devices. Even in developed economies, mobile payment ecosystems are still being established, and there are many challenges to be addressed. Security and privacy are top concerns for traditional financial institutions, financial technology innovators, and consumers. Cybercriminals, crimeware developers, hacktivists, and black market syndicates will move rapidly from one opportunity to the next, exploiting every opening that aids them in their quest to defraud, steal, blackmail, and expose.

True protection of institutions and individuals means developing a variety of methods, using them in layers, and discontinuing the use of approaches that are outdated. An example can be to validate a government-issued identity document that is highly likely to be authentic and then match a selfie to the photo on that document in addition to password protection. Developing simple, modular mechanisms for securing sensitive mobile transactions is essential as the digital economy continues to rapidly develop. Failure to provide the ability to transact securely will impact all industries, including the currently booming sharing economy businesses such as Uber and Airbnb.

Related Content:

Stephen Maloney joined Acuant from AssureTec where he was president and chief operating officer. He has more than 25 years of wide-ranging experience as a senior operating executive in technology. Prior to AssureTec, Mr. Maloney was cofounder, director and president of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19326
PUBLISHED: 2018-11-17
Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd.
CVE-2018-19274
PUBLISHED: 2018-11-17
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
CVE-2018-19324
PUBLISHED: 2018-11-17
kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&mod=mypage&page=info URI.
CVE-2018-15769
PUBLISHED: 2018-11-16
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is...
CVE-2018-18955
PUBLISHED: 2018-11-16
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resour...