Banks, financial services companies and other financial institutions know they are especially vulnerable to cyberattacks that target their business and their customers.
Multi-factor authentication (MFA) and Strong Customer Authentication are very effective defenses, but some implementations are more effective than others. This is especially true of mobile authentication solutions.
Customers expect the same seamless experience they get from their other mobile applications, but these apps must be secure, however convenient they are.
Numerous mobile authentication options have serious security flaws
These flaws stem from solutions that use security codes, known as one-time passwords (OTPs), sent by SMS directly to customers’ mobile phones.
This method has been in use for many years and is extremely vulnerable. To be protected, customers and organizations must be aware of these vulnerabilities and understand how to make mobile authentication and transaction signing secure.
Understanding What’s at Stake
There are many attack vectors that attackers can use to redirect a person’s text messages in order to gain access to their accounts.
In May 2021, ReadWrite reported how the FluBot malware collected passwords and sent them back to its source. Even worse, the bot was also sending messages and collecting all the contacts from the victim’s account.
An attack involving 16,000 virtual mobile phones was also carried out a year ago; the attackers then intercepted SMS OTPs.
Ars Technica covered the massive fraud operation uncovered by IBM Trusteer researchers: a network of mobile device emulators was used to defraud various mobile banking apps of millions of dollars in just a few days.
The increasing reliance on digital transaction channels
Because of this increased reliance on online transaction channels, cyberattacks have increased dramatically.
Peter Daisyme (a ReadWrite contributor) pointed out in his 5 Tips to Optimize and Improve Your Company’s Data Security Program that the April 2022 Block Cash App data breach may have exposed the data of more than 8 million customers.
Crypto.com acknowledged that close to 500 users collectively had more than $30 million stolen in a serious breach at the start of 2022.
Hackers continue to use compromised user credentials to launch their attacks.
Hackers took cryptocurrency from around 6,000 Coinbase accounts by exploiting a multi-factor authentication flaw that let them retrieve account information by entering an OTP received via SMS.
Mobile authentication security can address these problems. Users can use the different capabilities of their mobile devices to verify their identity before they are allowed to access an app or make a transaction.
How Mobile Authentication Security Works
While it is ideal to turn the ubiquitous smartphone into an easy-to-use, ubiquitous authenticator, securing mobile authentication is not easy.
Through the non-profit Open Web Application Security Project (OWASP), the industry has developed baseline security standards for mobile authentication. These standards differ from those designed for web applications.
Mobile apps have more options for data storage and can leverage the security features built into a device to authenticate their users. As a result, even small design choices can have a larger-than-anticipated impact on a solution’s overall security.
One option for mobile authentication is SMS verification. A 2021 HID Global study found this to be the most trusted authentication method among financial institutions, and the Ponemon Institute found that SMS OTP was used by around one-third of mobile users, despite its significant security risks.
A more secure alternative is an authentication solution that combines push notifications with an out-of-band channel.
Out-of-band authentication provides greater security, flexibility, and usability. This channel-based, secure approach uses cryptographic techniques to link a specific device to its owner’s identity.
An attacker cannot impersonate someone without physical access to their device. It is also more secure than SMS authentication, because the service provider does not have to send sensitive data to a customer’s device over a network with weak security.
Push notifications offer a much simpler user experience than SMS systems.
The authentication request is delivered to the user as a push notification. The user must validate the request by making a binary choice: “Approve” or “Decline” the transaction. This contrasts with an SMS OTP, which has to be re-typed into the phone.
Users see little of the authentication process; most of it takes place in the background.
The mobile authentication cycle begins with registering and recognizing the user’s phone and then provisioning secure credentials to that user.
The solution must also protect user credentials and all communications between users, backend servers, and the app.
It must secure sensitive data requests while the organization’s application runs, protect the customer’s information throughout its lifecycle, prevent brute-force attacks, and keep the customer safe. Each step has its own challenges.
Seven Biggest Customer Authentication Challenges Solved
Mobile authentication security is complicated by many factors. There are seven key categories of challenges across the mobile authentication lifecycle.
Recognizing and Authenticating User Devices
The best way to authenticate someone’s digital identity is to detect whether and how they are using their device. Attackers can take over a user’s identity by copying the device’s data into a virtual or physical clone.
This is why anti-cloning technology is used to prevent anyone from gaining access through such a fraudulent device.
Anti-cloning techniques work best when they use the secure element (SE) included in nearly all modern smartphones.
On iOS, this is the Secure Enclave, a dedicated secure subsystem integrated into Apple systems on chips (SoCs).
Android devices offer a Trusted Execution Environment (TEE). Secure elements in Android devices can also be used by authentication solutions to take advantage of hardware security protections.
The most secure authentication solutions also stop potential cloners by using multiple layers of cryptographic security and locking individual keys with a unique device key. This unique key is generated during the initial device provisioning process. Even in the event of a breach, it ensures that an attacker cannot access any other keys or impersonate the device.
Provisioning User Devices So They Are Secure and Safe From Cyberattacks
To keep users secure and protected from cyberattacks, organizations must be able to manage user identities and issue credentials to mobile devices.
Mobile authentication solutions can activate user devices using public-key cryptography, based on a mathematically linked public/private key pair. Within this pair, the private key, generated on the customer’s device, is kept secret.
Private keys do not leave the device, so there is less chance of a credential being compromised. This suits mobile authenticators well, as they can exchange messages directly with the authentication servers during authentication requests. No manual intervention by the user is required, other than a push authentication reply.
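As an added illustration of the device-bound key approach described above and of the Approve/Decline push response described earlier (this is not code from the original article or from any vendor), the following Go program simulates the exchange: the device generates an Ed25519 key pair, only the public half is enrolled, and each push request is a fresh nonce bound to the transaction text, which the device signs together with its decision. The device id and transaction text are constructed sample values, and the private key is held in memory only as a stand-in for a key kept in the device’s secure element.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server side: only public keys and outstanding challenges; the private key never leaves the handset.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // challenge id -> request context it is bound to
}
// Enroll registers a device's public key; the returned private key stands in for the one a real device keeps in secure hardware.
func (s *Server) Enroll(id string) ed25519.PrivateKey {
	if s.pubKeys == nil {
		s.pubKeys, s.challenges = map[string]ed25519.PublicKey{}, map[string][]byte{}
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s.pubKeys[id] = pub
	return priv
}
// Push issues an approve/decline request: a fresh nonce bound to the transaction.
func (s *Server) Push(id, txn string) (cid string, ctx []byte) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	cid = fmt.Sprintf("%x", nonce)
	ctx = []byte(id + "|" + cid + "|" + txn)
	s.challenges[cid] = ctx
	return cid, ctx
}
// Respond is the device side: sign the request context plus the user's decision.
func Respond(priv ed25519.PrivateKey, ctx []byte, decision string) []byte {
	return ed25519.Sign(priv, []byte(string(ctx)+"|"+decision))
}
// Verify accepts a response only while its challenge is outstanding and the signature matches the enrolled key; the challenge is consumed, so replays fail.
func (s *Server) Verify(id, cid, decision string, sig []byte) bool {
	ctx, ok := s.challenges[cid]
	if !ok || len(s.pubKeys[id]) != ed25519.PublicKeySize {
		return false
	}
	delete(s.challenges, cid)
	return ed25519.Verify(s.pubKeys[id], []byte(string(ctx)+"|"+decision), sig)
}
func main() {
	srv := &Server{}
	priv := srv.Enroll("phone-1")                          // constructed device id
	cid, ctx := srv.Push("phone-1", "pay 250 EUR to ACME") // constructed transaction
	fmt.Println("accepted:", srv.Verify("phone-1", cid, "Approve", Respond(priv, ctx, "Approve")))
}
```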
If a secret key must be exchanged between a mobile authenticator and an authentication server, two additional steps are needed.
This is also the case for mobile authenticators that offer an alternative (such as an OTP) to the digital key. These steps enable secure sharing of secret keys between client and server:
The first step is an initial authentication of the user in order to establish a secure channel.
The second step is the creation of that secure channel for exchanging the shared secrets.
The most secure solutions provide a unique initial authentication for each user. This authentication event is used only once and expires as soon as registration has succeeded.
Some solutions allow organizations to modify specific security settings and rules, such as the length of initial authentication codes, their alphanumeric composition, or the number of retries allowed after an unsuccessful initial authentication.
Organizations should also consider the policies that govern the provisioning of devices and users.
The ideal authentication solution lets an organization decide whether credentials may be issued to old operating systems, jailbroken mobile phones, or other devices that lack a secure element.
Such a solution often lets organizations choose which encryption they want to use, simplifying configuration beyond what the vendor has already done.
How to Safeguard User Credentials in a Dangerous Digital World
To protect credentials from the various attacks and phishing schemes, strong policies are essential. However, password policies differ across organizations, which makes strong policies difficult to implement. Mobile authentication solutions that use push notifications can accommodate these policy differences.
For example, a push notification can be sent immediately after a successful password entry, and the user may be asked to take additional steps to verify their identity.
Secure Communications to Protect Sensitive Information
Sensitive information can be intercepted on insecure channels, which is why encryption is required for all communications between users, mobile authentication systems, and backend servers.
To ensure that the mobile authenticator communicates with the correct servers, certificate pinning must be performed before any messages are sent. This reduces reliance on third-party certificate authorities and restricts which certificates are valid for that server.
Transport-level security is achieved by using the TLS protocol. TLS 1.2 secures every message sent between the mobile authenticator and the server, including any notification sent to the mobile phone.
Messages inside the secure tunnel should themselves be encrypted to ensure message security. The best authentication solutions do not require sensitive data to be sent via push notifications; instead they create a private, secure channel between the app and the server.
The app uses this channel to retrieve the request context, reducing the risk of exposure and compromise.
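As an added example (not from the original article or any product), this Go snippet shows what certificate pinning amounts to in code: the pin is the SHA-256 of the server certificate’s SubjectPublicKeyInfo, and a tls.Config VerifyPeerCertificate callback fails the handshake unless a presented certificate carries a pinned key. The self-signed certificate is generated in-process as a constructed stand-in for the authentication server’s certificate, so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the pin format apps normally ship: base64(SHA-256(SubjectPublicKeyInfo)).
// Pinning the public key rather than the whole certificate survives routine renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// pinVerifier returns the callback tls.Config runs after its normal chain check
// (keep InsecureSkipVerify false); the handshake fails unless a presented cert matches.
func pinVerifier(pins ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			for _, p := range pins {
				if err == nil && spkiPin(c) == p {
					return nil
				}
			}
		}
		return fmt.Errorf("tls: no presented certificate matches a pinned SPKI hash")
	}
}
// selfSigned builds a throwaway certificate (constructed) so the check can run offline.
func selfSigned() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}
func main() {
	server := selfSigned() // stands in for the authentication server's certificate
	cfg := &tls.Config{VerifyPeerCertificate: pinVerifier(spkiPin(server))}
	fmt.Println("pinned cert:", cfg.VerifyPeerCertificate([][]byte{server.Raw}, nil))
	fmt.Println("other cert: ", cfg.VerifyPeerCertificate([][]byte{selfSigned().Raw}, nil))
}
```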
Real-Time Attacks Can Be Detected and Blocked
Zero-day vulnerabilities have become more common, so it is vital that all applications employ real-time techniques to detect, and then stop, attacks.
Runtime Application Self-Protection (RASP) is one way to do so. RASP establishes techniques and controls that detect, block, and mitigate attacks while the application is running. It prevents reverse engineering and unauthorized modification of application code. These functions are performed automatically by the software and require no human intervention.
It is essential that the solution uses a multi-layered defense.
This greatly reduces the possibility of a breach if any single control fails. These layers are:
Code obfuscation: makes decompiled source code harder for humans to understand without altering the program’s execution.
Tamper detection: uses technologies such as ASLR and stack-smashing protection, as well as property list checks (.plist checking), to ensure that the app’s environment and any associated functionality have not been compromised.
Jailbreak and emulator detection: allows organizations to set and enforce policies about the types and trustworthiness of the devices their users use.
Streamlining Authentication Lifecycle Management
Cryptographic keys and certificates issued to devices have a limited lifespan in order to lower the chance of their being compromised.
The shorter the lifecycle, the more secure the key. But a shorter lifecycle also means that you must follow strict key management procedures and renew keys regularly.
However, users shouldn’t have to keep re-registering for the service.
Is there a solution? The latest authentication solutions make it much easier to manage a key’s lifespan: they include mechanisms that allow the server to renew a device’s keys before they expire. Eliminating the need for user intervention lets organizations adhere to security best practices without disrupting customers’ service.
Preventing Brute-Force Attacks and Encrypting Login Information and Keys
Brute-force tactics use trial and error to achieve their goals. These attacks are so simple and effective that they have grown in popularity. Many different methods are used to combat them in mobile authentication.
Among the most valuable features is the ability to create settings tailored to the needs of your company. Examples include:
Delay locks: organizations can set up a series of delays that a user must wait out after failing to enter their password or PIN before they may re-enter it.
Counter locks: passwords are invalidated after multiple failed attempts.
Silent locks: organizations may choose to lock a user out of the system without any feedback if they enter the wrong PIN or password.
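An added example (not from the article or from any product) of how the three lock settings just listed combine in one PIN-verification policy, written in Go. The delay schedule and failure limit in main are constructed sample values; a delayed attempt is not counted as a failure, and a counter lock is not cleared by a later correct PIN.

```go
package main

import "fmt"
import "time"
type LockPolicy struct { // the lock settings an organization configures
	Delays   []time.Duration // delay lock: wait imposed after the 1st, 2nd, ... failure; the last repeats
	MaxFails int             // counter lock: credential invalidated at this many failures (0 = off)
	Silent   bool            // silent lock: every non-success is reported as a plain Rejected
}
type Credential struct { // per-user state the policy acts on
	fails int
	until time.Time // earliest instant at which the next attempt is processed
}
type Result int
const (
	Success  Result = iota
	Rejected // wrong PIN
	Delayed  // attempt arrived inside a delay-lock window and was not counted
	Locked   // counter lock tripped; the credential must be re-provisioned
)
// Attempt applies the policy to one PIN attempt made at time now; pinOK is the raw PIN check.
func (p LockPolicy) Attempt(c *Credential, now time.Time, pinOK bool) (r Result) {
	if p.Silent { // silent lock: the caller learns only success or failure
		defer func() { if r != Success { r = Rejected } }()
	}
	switch {
	case p.MaxFails > 0 && c.fails >= p.MaxFails: // counter lock already tripped
		return Locked
	case now.Before(c.until): // still inside a delay-lock window
		return Delayed
	case pinOK:
		c.fails, c.until = 0, time.Time{}
		return Success
	}
	if c.fails++; p.MaxFails > 0 && c.fails >= p.MaxFails {
		return Locked
	}
	if n := len(p.Delays); n > 0 {
		c.until = now.Add(p.Delays[n-1]) // past the end of the schedule the last delay repeats
		if c.fails <= n {
			c.until = now.Add(p.Delays[c.fails-1])
		}
	}
	return Rejected
}
func main() { // demo: a wrong PIN is Rejected (1); an immediate retry lands in the delay window, Delayed (2)
	p, c := LockPolicy{Delays: []time.Duration{time.Second, 5 * time.Second}, MaxFails: 5}, &Credential{}
	fmt.Println(p.Attempt(c, time.Now(), false), p.Attempt(c, time.Now(), true))
}
```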
Third-Party Audits and Certifications Are Key Indicators for Making the Right Decision
A security strategy is not complete without third-party audits, certification of compliance, and other verifications. These audits ensure that your authentication solution is secure and can protect your organization against today’s ever-changing threats.
Internal reviews are necessary to validate the solution against a set of security controls based on industry standards, such as the OWASP Mobile Security Project.
Certifications such as the Certification de Sécurité de Premier Niveau (CSPN), issued by the French National Agency for the Security of Information Systems (ANSSI), are available to confirm the solution’s strength. These certifications can be based on a thorough intrusion test as well as a conformity assessment.
Securing mobile authentication across the entire journey, from device registration through credential management to all recommended security certifications, is not an easy task.
It requires organizations to carefully evaluate their risks and to learn how device-level security features make mobile authentication and transaction signing secure, along with the appropriate controls and protocols.
Only then can they implement solutions that protect themselves and their customers in today’s rapidly changing threat landscape.