Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

9/27/2016
10:00 AM
Steve Maloney
Steve Maloney
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Fraud Changes Outlook for Multifactor Authentication

SMS one-time passcodes just won't cut it anymore. We need new approaches that people will actually use.

The writing is on the wall — and the Dark Web: SMS one-time passcodes are on their way out. As malware aimed at mobile banking and payment apps becomes more prevalent, authentication by SMS has proven to be too vulnerable. Cell networks are under attack, and mobile phones can be compromised in myriad ways: loss, physical theft, account hijacking, and crimeware (such as banking Trojans, adware, spyware, ransomware, etc.). If you want to see how bad it can get, read about Brazil's ongoing nightmare with banking crimeware. In addition to a rash of banking Trojans, malware aimed at the country's Boleto system for money orders has netted nearly $4 billion in the last two years.

Plenty of evidence shows that mobile malware is increasing in the US and globally: Kaspersky Lab research, a Nokia study of 100 million devices, FBI and Federal Financial Institutions Examination Council warnings, IBM experts, and other sources show this. Much of the malware is designed to commit banking or transaction fraud by spying on consumers' credentials or intercepting SMS passcodes. To make it official, the National Institute of Standards and Technology (NIST) has issued draft national recommendations that discourage use of SMS-based two-factor authentication and recommend the use of alternative authentication factors.

We've had a hard enough time convincing consumers and companies that password protection is woefully insufficient by itself, and that two-factor authentication should be required for all sensitive authentication scenarios. Now we have to find an appealing alternative to the fairly easy-to-use SMS one-time passcode scheme. The primary problem with SMS methods (in addition to hacking vulnerability) is that they verify only the device, not the person holding it.

There are many options for next-generation authentication; the challenge lies in creating implementations that are efficient for the authenticator and seamless for the user. True multifactor authentication processes should use something you have, something you know, and something you are. For example: your phone or hardware token, a password, and a unique biometric characteristic.

The Consumer Factor
It's easy to see how true multifactor authentication is both more secure and more cumbersome. Consumers who prefer to pay by waving their phone in front of a scanner won't be pleased with a three-step process and will circumvent it if possible. More work needs to be done figuring out how customers want to use their mobile wallets and banking apps, and what types of security measures they will comply with. The NIST guidelines encourage moving toward biometric authentication methods, if they are used in combination with other factors (e.g., strong passwords). While biometric applications such as facial-recognition technology have been employed by law enforcement and government agencies for some time, they have only recently become practical for widespread commercial use. Likewise, smartphones are now prevalent enough that most consumers can complete biometric authentication processes on the go.

With the proper attention to the details of user experience, biometric authentication can be easy-to-use (nothing to remember or carry), virtually tamper-proof (more difficult and labor-intensive to spoof a retina, voice, or facial symmetry), and more secure (can't be cyber-hijacked). Moreover, there are several biometric methods that could be used in various combinations or layers to better thwart hacker workarounds. Innovative companies are developing enterprise-ready versions of hardware and software for matching validated records to scans of faces, voices, fingerprints, hands, retinas, and even ear shapes.

The best solutions will take advantage of behaviors users find natural and simple, such as taking selfies, validating government-issued identity credentials, scanning fingerprints, and repeating voice prompts. HSBC now permits customers to use selfies to access their accounts; other major banks have implemented voice and fingerprint-recognition options. Such methods will become increasingly common

As cyber currency, blockchain technologies, and other innovations become more mainstream, millions of people around the world will use banking and lending services for the first time, and the vast majority of them will do so primarily through mobile devices. Even in developed economies, mobile payment ecosystems are still being established, and there are many challenges to be addressed. Security and privacy are top concerns for traditional financial institutions, financial technology innovators, and consumers. Cybercriminals, crimeware developers, hacktivists, and black market syndicates will move rapidly from one opportunity to the next, exploiting every opening that aids them in their quest to defraud, steal, blackmail, and expose.

True protection of institutions and individuals means developing a variety of methods, using them in layers, and discontinuing the use of approaches that are outdated. An example can be to validate a government-issued identity document that is highly likely to be authentic and then match a selfie to the photo on that document in addition to password protection. Developing simple, modular mechanisms for securing sensitive mobile transactions is essential as the digital economy continues to rapidly develop. Failure to provide the ability to transact securely will impact all industries, including the currently booming sharing economy businesses such as Uber and Airbnb.

Related Content:

Stephen Maloney joined Acuant from AssureTec where he was president and chief operating officer. He has more than 25 years of wide-ranging experience as a senior operating executive in technology. Prior to AssureTec, Mr. Maloney was cofounder, director and president of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18986
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.
CVE-2019-18981
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.
CVE-2019-18982
PUBLISHED: 2019-11-15
bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.
CVE-2019-18985
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 lacks brute force protection for the 2FA token.
CVE-2019-18928
PUBLISHED: 2019-11-15
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.