Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

9/27/2016
10:00 AM
Steve Maloney
Steve Maloney
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Fraud Changes Outlook for Multifactor Authentication

SMS one-time passcodes just won't cut it anymore. We need new approaches that people will actually use.

The writing is on the wall — and the Dark Web: SMS one-time passcodes are on their way out. As malware aimed at mobile banking and payment apps becomes more prevalent, authentication by SMS has proven to be too vulnerable. Cell networks are under attack, and mobile phones can be compromised in myriad ways: loss, physical theft, account hijacking, and crimeware (such as banking Trojans, adware, spyware, ransomware, etc.). If you want to see how bad it can get, read about Brazil's ongoing nightmare with banking crimeware. In addition to a rash of banking Trojans, malware aimed at the country's Boleto system for money orders has netted nearly $4 billion in the last two years.

Plenty of evidence shows that mobile malware is increasing in the US and globally: Kaspersky Lab research, a Nokia study of 100 million devices, FBI and Federal Financial Institutions Examination Council warnings, IBM experts, and other sources show this. Much of the malware is designed to commit banking or transaction fraud by spying on consumers' credentials or intercepting SMS passcodes. To make it official, the National Institute of Standards and Technology (NIST) has issued draft national recommendations that discourage use of SMS-based two-factor authentication and recommend the use of alternative authentication factors.

We've had a hard enough time convincing consumers and companies that password protection is woefully insufficient by itself, and that two-factor authentication should be required for all sensitive authentication scenarios. Now we have to find an appealing alternative to the fairly easy-to-use SMS one-time passcode scheme. The primary problem with SMS methods (in addition to hacking vulnerability) is that they verify only the device, not the person holding it.

There are many options for next-generation authentication; the challenge lies in creating implementations that are efficient for the authenticator and seamless for the user. True multifactor authentication processes should use something you have, something you know, and something you are. For example: your phone or hardware token, a password, and a unique biometric characteristic.

The Consumer Factor
It's easy to see how true multifactor authentication is both more secure and more cumbersome. Consumers who prefer to pay by waving their phone in front of a scanner won't be pleased with a three-step process and will circumvent it if possible. More work needs to be done figuring out how customers want to use their mobile wallets and banking apps, and what types of security measures they will comply with. The NIST guidelines encourage moving toward biometric authentication methods, if they are used in combination with other factors (e.g., strong passwords). While biometric applications such as facial-recognition technology have been employed by law enforcement and government agencies for some time, they have only recently become practical for widespread commercial use. Likewise, smartphones are now prevalent enough that most consumers can complete biometric authentication processes on the go.

With the proper attention to the details of user experience, biometric authentication can be easy-to-use (nothing to remember or carry), virtually tamper-proof (more difficult and labor-intensive to spoof a retina, voice, or facial symmetry), and more secure (can't be cyber-hijacked). Moreover, there are several biometric methods that could be used in various combinations or layers to better thwart hacker workarounds. Innovative companies are developing enterprise-ready versions of hardware and software for matching validated records to scans of faces, voices, fingerprints, hands, retinas, and even ear shapes.

The best solutions will take advantage of behaviors users find natural and simple, such as taking selfies, validating government-issued identity credentials, scanning fingerprints, and repeating voice prompts. HSBC now permits customers to use selfies to access their accounts; other major banks have implemented voice and fingerprint-recognition options. Such methods will become increasingly common

As cyber currency, blockchain technologies, and other innovations become more mainstream, millions of people around the world will use banking and lending services for the first time, and the vast majority of them will do so primarily through mobile devices. Even in developed economies, mobile payment ecosystems are still being established, and there are many challenges to be addressed. Security and privacy are top concerns for traditional financial institutions, financial technology innovators, and consumers. Cybercriminals, crimeware developers, hacktivists, and black market syndicates will move rapidly from one opportunity to the next, exploiting every opening that aids them in their quest to defraud, steal, blackmail, and expose.

True protection of institutions and individuals means developing a variety of methods, using them in layers, and discontinuing the use of approaches that are outdated. An example can be to validate a government-issued identity document that is highly likely to be authentic and then match a selfie to the photo on that document in addition to password protection. Developing simple, modular mechanisms for securing sensitive mobile transactions is essential as the digital economy continues to rapidly develop. Failure to provide the ability to transact securely will impact all industries, including the currently booming sharing economy businesses such as Uber and Airbnb.

Related Content:

Stephen Maloney joined Acuant from AssureTec where he was president and chief operating officer. He has more than 25 years of wide-ranging experience as a senior operating executive in technology. Prior to AssureTec, Mr. Maloney was cofounder, director and president of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13777
PUBLISHED: 2020-06-04
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TL...
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.