Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

9/27/2016
10:00 AM
Steve Maloney
Steve Maloney
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Fraud Changes Outlook for Multifactor Authentication

SMS one-time passcodes just won't cut it anymore. We need new approaches that people will actually use.

The writing is on the wall — and the Dark Web: SMS one-time passcodes are on their way out. As malware aimed at mobile banking and payment apps becomes more prevalent, authentication by SMS has proven to be too vulnerable. Cell networks are under attack, and mobile phones can be compromised in myriad ways: loss, physical theft, account hijacking, and crimeware (such as banking Trojans, adware, spyware, ransomware, etc.). If you want to see how bad it can get, read about Brazil's ongoing nightmare with banking crimeware. In addition to a rash of banking Trojans, malware aimed at the country's Boleto system for money orders has netted nearly $4 billion in the last two years.

Plenty of evidence shows that mobile malware is increasing in the US and globally: Kaspersky Lab research, a Nokia study of 100 million devices, FBI and Federal Financial Institutions Examination Council warnings, IBM experts, and other sources show this. Much of the malware is designed to commit banking or transaction fraud by spying on consumers' credentials or intercepting SMS passcodes. To make it official, the National Institute of Standards and Technology (NIST) has issued draft national recommendations that discourage use of SMS-based two-factor authentication and recommend the use of alternative authentication factors.

We've had a hard enough time convincing consumers and companies that password protection is woefully insufficient by itself, and that two-factor authentication should be required for all sensitive authentication scenarios. Now we have to find an appealing alternative to the fairly easy-to-use SMS one-time passcode scheme. The primary problem with SMS methods (in addition to hacking vulnerability) is that they verify only the device, not the person holding it.

There are many options for next-generation authentication; the challenge lies in creating implementations that are efficient for the authenticator and seamless for the user. True multifactor authentication processes should use something you have, something you know, and something you are. For example: your phone or hardware token, a password, and a unique biometric characteristic.

The Consumer Factor
It's easy to see how true multifactor authentication is both more secure and more cumbersome. Consumers who prefer to pay by waving their phone in front of a scanner won't be pleased with a three-step process and will circumvent it if possible. More work needs to be done figuring out how customers want to use their mobile wallets and banking apps, and what types of security measures they will comply with. The NIST guidelines encourage moving toward biometric authentication methods, if they are used in combination with other factors (e.g., strong passwords). While biometric applications such as facial-recognition technology have been employed by law enforcement and government agencies for some time, they have only recently become practical for widespread commercial use. Likewise, smartphones are now prevalent enough that most consumers can complete biometric authentication processes on the go.

With the proper attention to the details of user experience, biometric authentication can be easy-to-use (nothing to remember or carry), virtually tamper-proof (more difficult and labor-intensive to spoof a retina, voice, or facial symmetry), and more secure (can't be cyber-hijacked). Moreover, there are several biometric methods that could be used in various combinations or layers to better thwart hacker workarounds. Innovative companies are developing enterprise-ready versions of hardware and software for matching validated records to scans of faces, voices, fingerprints, hands, retinas, and even ear shapes.

The best solutions will take advantage of behaviors users find natural and simple, such as taking selfies, validating government-issued identity credentials, scanning fingerprints, and repeating voice prompts. HSBC now permits customers to use selfies to access their accounts; other major banks have implemented voice and fingerprint-recognition options. Such methods will become increasingly common

As cyber currency, blockchain technologies, and other innovations become more mainstream, millions of people around the world will use banking and lending services for the first time, and the vast majority of them will do so primarily through mobile devices. Even in developed economies, mobile payment ecosystems are still being established, and there are many challenges to be addressed. Security and privacy are top concerns for traditional financial institutions, financial technology innovators, and consumers. Cybercriminals, crimeware developers, hacktivists, and black market syndicates will move rapidly from one opportunity to the next, exploiting every opening that aids them in their quest to defraud, steal, blackmail, and expose.

True protection of institutions and individuals means developing a variety of methods, using them in layers, and discontinuing the use of approaches that are outdated. An example can be to validate a government-issued identity document that is highly likely to be authentic and then match a selfie to the photo on that document in addition to password protection. Developing simple, modular mechanisms for securing sensitive mobile transactions is essential as the digital economy continues to rapidly develop. Failure to provide the ability to transact securely will impact all industries, including the currently booming sharing economy businesses such as Uber and Airbnb.

Related Content:

Stephen Maloney joined Acuant from AssureTec where he was president and chief operating officer. He has more than 25 years of wide-ranging experience as a senior operating executive in technology. Prior to AssureTec, Mr. Maloney was cofounder, director and president of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2729
PUBLISHED: 2019-06-19
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise ...
CVE-2019-3737
PUBLISHED: 2019-06-19
Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by an LFI vulnerability which may allow a malicious user to download arbitrary files from the affected system by sending a specially crafted request to the Web Interface application.
CVE-2019-3787
PUBLISHED: 2019-06-19
Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending ?unknown.org? to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to ...
CVE-2019-12900
PUBLISHED: 2019-06-19
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVE-2019-12893
PUBLISHED: 2019-06-19
Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewer!PerfgrapFinalize+0x00000000000a8868.