Advanced mobile authentication

October 2014 Financial (Industry)

Financial institutions are increasingly adopting mobile authentication for online/Internet banking and deploying mobile platforms that enable customers to conduct banking transactions anytime, anywhere. Defending against mobile-based threats, however, requires a more effective approach to identity assurance, as most authentication controls have documented vulnerabilities while malware specific to mobile is increasing. Simple passwords are already widely known to be compromised. Fraudsters have also effectively overcome other traditional authentication methods.

Christy Serrato

To combat simple password vulnerability, most banks have implemented strong hardware-based authentication for their commercial customers but rarely on the consumer side, thinking it costly and complicated to deploy and manage and inconvenient for users. This all changes, however, with the advent of advanced mobile security that fosters a convenient banking experience with out-of-band strong authentication.

Password authentication

The most basic mobile authentication option is delivering a One Time Password (OTP) via SMS. An online banking customer logging in to the bank’s website with username and password triggers a request to send an OTP to his or her registered mobile phone. Upon receipt of a text message with the OTP, the customer enters it into an additional field on the banking site’s login page to complete the login process.

There are drawbacks to this approach. First, it pushes extra costs onto some end users, particularly in North America, where customers must pay for the messages they receive. Second, it is subject to network coverage, network latency and SMS delivery issues, which creates uncertainty over whether SMSs will be delivered quickly, or at all. Third, it doesn’t address the Man-in-the-Middle fraud problem – an SMS is generated in the backend and sent via the network, so there is a greater chance it will be intercepted. Fraudsters have successfully launched targeted attacks using SMS-related malware. For instance, perpetrators of the Zeus Botnet Eurograbber attack stole $47 million in assets from more than 30 000 corporate and private banking customers.

Alternatively, the mobile phone can be turned into a 'soft token' by installing software that generates OTPs on the device itself. OATH-compliant HMAC-based (HOTP) or time-based (TOTP) OTP algorithms can be used. A unique combination of time- and event-based algorithms is considered more secure. While not as seamless as SMS OTP from the rollout and support standpoint, mobile OTP offers advantages in cost, usability and protection.

However, it is important to note that mobile OTP generators, if poorly implemented, are susceptible to fraudster attacks. Ensuring OTPs are generated securely only for intended users requires advanced technologies to mitigate key threats, such as:

Phishing: Ensure that each software token is bound to the user's device on which the application is installed.

Keystroke logging: Prevent an attacker from capturing OTPs with a keylogger. Even with a captured PIN or activation code, the attacker will be unable to generate an identical (clone) mobile software token.

Static code dump/patch runtime debugging: Even if the unique device IDs are spoofed, the mobile software token must have sophisticated code obfuscation and symbol stripping built in, as well as an additional security layer in the form of a PIN. These measures ensure that even after reverse engineering by an attacker, an OTP will not be generated.

System resource manipulation: This type of attack requires a 'jail-broken' or rooted device. The mobile software token does not operate on such a device, thereby thwarting the attack.

Static code dump/patch: Sophisticated anti-piracy security layers in mobile software tokens deter attackers from creating pirated and adapted mobile soft tokens and using them to obtain OTPs.

Brute force: The mobile software token must be PIN protected and designed to self-destruct after five consecutive incorrect entries. The mobile software token can also be protected with a layer of PIN camouflaging. In this case, an incorrect PIN will be accepted and an invalid OTP will be displayed. The attacker has no way of knowing whether an input PIN is correct or incorrect.

Dynamic memory access: This type of attack requires the device to be in a vulnerable state, such as jail-broken or rooted. The mobile software token should implement sophisticated layers of verification to determine whether the device is compromised and, if so, cease to operate.

Chosen plain text brute force: The attacker will not be able to mount this attack, as it is computationally infeasible to obtain the token secret key by brute force.

Screen capturing: It should be possible to deploy the mobile software token configured to generate OATH-compliant time-based OTPs and challenge/response values with a short validity period, so that a captured code is useless to relay.
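The following is an added example, not code from the article or from HID Global, showing in working Python how the soft-token pieces described above fit together: the OATH HOTP and TOTP algorithms (RFC 4226 and RFC 6238) mentioned in the soft-token paragraph, the PIN camouflaging described under "Brute force" (a wrong PIN unwraps to a different seed, so the app still shows a well-formed but useless OTP), and the server-side check with a short validity window and replay protection described under "Screen capturing". Function names, the XOR-with-PBKDF2 wrapping scheme, the seed, salt, PINs and timestamp are all assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Added example (not from the article or from HID Global): an OATH
# HOTP/TOTP soft token with a PIN-camouflaged seed, plus the matching
# server-side check with a short validity window and replay protection.
# All seeds, PINs, salts and timestamps below are constructed sample values.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


# --- PIN camouflage on the device (constructed scheme) -------------------

def _pin_key(pin: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=length)


def provision_blob(seed: bytes, pin: str, salt: bytes) -> bytes:
    """Enrolment: store seed XOR KDF(pin). The device keeps neither the seed
    nor any PIN verifier, so there is nothing to test a guessed PIN against."""
    return bytes(a ^ b for a, b in zip(seed, _pin_key(pin, salt, len(seed))))


def unwrap_seed(blob: bytes, pin: str, salt: bytes) -> bytes:
    """Every PIN unwraps to *some* seed of the right size. Only the enrolled
    PIN yields the seed the server holds; a wrong PIN still produces a
    well-formed OTP, so the display reveals nothing about PIN correctness."""
    return bytes(a ^ b for a, b in zip(blob, _pin_key(pin, salt, len(blob))))


# --- Server side -----------------------------------------------------------

class OtpVerifier:
    """Holds the enrolled seed and the last accepted time step, so a captured
    code cannot be replayed, and accepts only a narrow window of steps."""

    def __init__(self, seed: bytes, step: int = 30, skew: int = 1):
        self.seed = seed
        self.step = step
        self.skew = skew
        self.last_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step:
                continue  # already consumed (replay) or older than the last success
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_step = candidate
                return True
        return False


def demo() -> dict:
    """Enrolment, a correct login, a camouflaged wrong PIN, a replay and a stale code."""
    seed = b"12345678901234567890"   # constructed sample seed (the RFC 4226 test key)
    salt = b"constructed-salt"
    blob = provision_blob(seed, "1234", salt)
    t = 1_700_000_000                # constructed timestamp

    good = totp(unwrap_seed(blob, "1234", salt), t)
    decoy = totp(unwrap_seed(blob, "9999", salt), t)   # looks valid, is not

    server = OtpVerifier(seed)
    return {
        "good_accepted": server.verify(good, t),
        "replay_rejected": not server.verify(good, t + 5),
        "decoy_well_formed": len(decoy) == 6 and decoy.isdigit(),
        "decoy_rejected": not OtpVerifier(seed).verify(decoy, t),
        "stale_rejected": not OtpVerifier(seed).verify(totp(seed, t - 300), t),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points follow from the code. With camouflage the device holds no PIN verifier, so a "five wrong PINs and wipe" counter cannot be enforced locally; lockout then has to come from the server counting failed OTPs per account. And the validity window is what limits screen capture and relay: with a 30-second step and a skew of one, a captured code is dead within about a minute, and `last_step` stops it from being reused even inside that window.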

Additionally, all strong authentication solutions should be implemented as part of a larger, multi-layered, context-based security strategy that also includes device profiling, malware forensics, transaction verification and mutual authentication between the user and the application. This requires an integrated, versatile authentication platform with real-time threat detection capabilities. The advanced fraud prevention seamlessly integrates with all major banking platforms and the threat detection piece is transparent, so that there is no software for the user to install. The security benefits to the financial institution are immediate and provide customers with the peace of mind that their online banking provider has taken steps to provide a secure environment in which to conduct their financial transactions conveniently.

For more information contact HID Global, +27 (0)82 449 9398, rtruter@hidglobal.com, www.hidglobal.com
