Banks and financial service companies are aware that cyberattacks can be very damaging to their customers and businesses.
Although multi-factor authentication (MFA), or Strong Customer Authentication solutions (SCA), are both effective defenses, some are better than others. Mobile authentication solutions are a good example of this.
Consumers expect the same convenient experience from mobile apps. However convenient they are, these solutions still have to be secured properly.
Many mobile authentication solutions have significant security flaws.
These flaws can be found in solutions that use secure codes (also known as one-time passwords or OTPs) that are sent via SMS to customers’ phones.
This method has been widely used for years and is highly vulnerable to cybersecurity threats. To protect their customers and themselves, organizations must understand their risks. They must also understand how to make mobile transaction signing and authentication secure.
Understanding the Risks
There are many attack vectors, including illegal SMS-rerouting services that hackers use to redirect users’ text messages and gain access to their accounts.
ReadWrite, for example, reported that FluBot malware, once installed, was sending passwords back to its operators. The bot also harvested all of a victim’s contacts and sent messages from their account, making it even more dangerous.
Another major attack, one year earlier, used a network of 16,000 mobile phones; the attackers then intercepted SMS one-time passwords (OTPs) in a second attack.
Ars Technica reported that IBM Trusteer researchers discovered a massive fraud operation that used a network of mobile device emulators to steal millions of dollars from mobile banking applications in just a few days.
Digital transaction channels are becoming more important
Cyberattacks have increased in volume because of the growing reliance on digital transaction channels.
Peter Daisyme, a ReadWrite contributor, pointed out that the April 2022 Block Cash App breach could have exposed data from more than eight million customers.
Crypto.com revealed that almost 500 users collectively had more than $30 million stolen from them in the wake of a serious breach.
Hackers continue to launch attacks using compromised credentials.
In spring 2021, hackers used a multi-factor authentication flaw to steal cryptocurrency from approximately 6,000 Coinbase accounts. They were able to access user account information and have an OTP sent via SMS.
Mobile authentication security is a response to these problems. It lets users use various capabilities of their mobile device to verify their identity before they access an application or perform a transaction.
How mobile authentication security works
It is possible to turn the ubiquitous smartphone into a universal authenticator that is easy to use and intuitive. Securing the mobile authentication process, however, is not an easy task.
Through the non-profit Open Web Application Security Project (OWASP) Foundation, the industry has developed security standards for mobile authentication. These standards are not the same as those for web applications.
Mobile apps offer more options to store data and leverage the device’s security features for authenticating users. As a result, even small design choices can have a larger-than-anticipated impact on a solution’s overall security.
The SMS verification option, also known as OTP sent via SMS, is a mobile authentication method that has seen widespread adoption. In a 2021 study, this was the most popular authentication method among financial institutions HID Global surveyed. According to the Ponemon Institute, SMS OTP is used by approximately one-third of mobile users, despite its security risks.
Alternative authentication solutions include push notifications and secure out-of-band channels.
Out-of-band authentication offers greater security and flexibility as well as improved usability. This channel-based, secure authentication method uses cryptographic techniques to link a device to its owner’s identity.
This prevents attackers who lack physical access to the device from impersonating its owner. It is also more secure than SMS authentication, because the service provider does not need to send sensitive information to the customer over an insecure network.
Push notifications are also easier for users than SMS-based systems.
When a push notification appears on a user’s phone, they validate the request and make a binary decision to approve or decline the transaction. This contrasts with reading an OTP from an SMS and then re-typing it into the app.
Users only see a small portion of the authentication process. Most of it happens behind the scenes.
The whole mobile authentication process begins with registering the device, recognizing it and then providing secure credentials.
It must protect user credentials and secure all communications among the backend servers, the app and the user.
It must also protect sensitive data requests while the app is running, keep security intact throughout the customer’s lifecycle, and prevent brute-force attacks. None of these steps is without its challenges.
Solving 7 Major Customer Authentication Problems
Mobile authentication security can be difficult to implement due to many factors. There are seven main categories of challenges that can be encountered during the mobile authentication lifecycle.
Recognizing and authenticating user devices
Recognizing a user’s device, and when and where they use it, is an effective way to verify their digital identity. If that device data is stolen, however, an attacker can use it to impersonate the user or transfer it into a virtual or physical clone.
Anti-cloning technology can help to combat this.
Anti-cloning methods are most effective when they rely upon the secure element (SE), which is included with almost all modern smartphones.
On iOS, this is the Secure Enclave, a secure subsystem integrated into Apple’s systems on chips (SoCs).
On Android devices, the Trusted Execution Environment (TEE) runs alongside the operating system. The device’s secure element lets authentication solutions make the most of these built-in security protections.
The strongest authentication solutions stop would-be cloners with multiple layers of cryptographic protection and protect individual keys with a unique key. This unique key is created during initial provisioning and is protected against attackers who try to access other keys or impersonate it.
Provisioning user devices so they are secure and safe from cyberattacks
Cyberattacks must not be able to compromise the security and privacy of users’ identities or credentials.
Mobile authentication solutions that activate users’ devices with public-key cryptography (based on a mathematically linked private/public key pair) are available. The private key of the pair is generated on the customer’s device and kept secret there.
Because private keys never leave the device, there is less chance that a credential can be compromised. Mobile authenticators can use this property to exchange messages directly with the authentication server during authentication requests, with no manual intervention from the user such as a push response.
Two additional steps are required when secret key material must be exchanged between the authentication server and the mobile authenticator.
Mobile authenticators with an OTP (or manual) option are also available; for these, the following steps allow secret key material to be communicated securely between client and server:
Initial authentication of the user, to establish a secure channel.
Exchange of secrets over the established channel.
The most secure solutions ensure that the initial authentication is unique to each user and expires once registration has completed successfully.
Some solutions allow organizations to modify security settings and rules. They can, for example, change the length and alphanumeric composition of the initial authentication code, or the number of retries allowed after a failed authentication.
It is important for organizations to consider their policies regarding device provisioning and device usage.
The authentication solution should let an organization decide whether credentials may be issued to older operating systems, jailbroken phones, or mobile devices without a secure element.
These solutions often let organizations choose the type of encryption they want, and they make it easier to configure settings beyond those already established by the vendor.
Protecting user credentials in a dangerous digital world
Strong policies are crucial for protecting credentials against phishing and other attacks. This can be challenging, especially when password policies differ between organizations. Mobile authentication solutions can help accommodate these policy differences, for example through push notifications.
A push notification could be sent immediately after a successful password entry. The user may then be asked to enter their PIN or password on their device, or to provide additional information to verify their identity.
Secure Communications: Protect Sensitive Data
Insecure channels can lead to sensitive data being intercepted. Encryption is therefore necessary for all communication between users, the mobile authentication solution and backend servers.
To ensure that the mobile authentication software communicates with the correct server, certificate pinning is required before any messages are exchanged. Pinning limits which certificates are valid for that server, establishes trust between the authentication solution and the server, and reduces reliance on third parties.
Transport-level security is provided by the TLS protocol. TLS 1.2 protects every message sent between the authentication server and the mobile device.
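As an added illustration (not code from the article or from any vendor’s product), here is how an app-side pin check can be built in Go: the pin is the SHA-256 of the server certificate’s public key (SPKI), and the callback slots into tls.Config.VerifyPeerCertificate next to a TLS 1.2 minimum. The self-signed certificate is constructed only so the check can be exercised offline; real pins come from the bank’s own server keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// SpkiPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo;
// pinning the key rather than the whole cert survives routine certificate renewal.
func SpkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// VerifyPinned is installed as tls.Config.VerifyPeerCertificate (with MinVersion
// tls.VersionTLS12): it runs after normal chain validation and additionally
// refuses any server whose leaf key is not in the app's pin set.
func VerifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		pin, err := SpkiPin(rawCerts[0])
		if err == nil && !pins[pin] {
			err = errors.New("certificate pin mismatch: refusing to talk to this server")
		}
		return err
	}
}

// SelfSignedDER makes a throwaway certificate (constructed sample, not a real
// server certificate) so the pin logic can be exercised offline.
func SelfSignedDER() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```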
For message-level security, information should additionally be encrypted inside this secure tunnel. The best authentication solutions do not send sensitive user data within push notifications. Instead, they provide a secure, private channel between the app and the app’s server.
The app uses this channel to retrieve context information about the request, which reduces the risk of compromise and exposure.
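The following Go example, added here and not taken from the article, shows both halves of this design: the device-bound key pair from the provisioning section (only the public key leaves the device), and a transaction approval where the push carries nothing but an opaque request ID while the transaction context is retrieved separately, shown to the user and signed. The transaction text and request structure are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Device holds the private key; it is generated on the device and never leaves it.
type Device struct{ priv ed25519.PrivateKey }

// Register runs on the device at activation: only the public key goes to the server.
func Register() (Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Device{priv: priv}, pub
}

// TxRequest is the server's pending request. The push carries only the opaque ID;
// the context is fetched over the authenticated app channel, never pushed.
type TxRequest struct {
	ID      string
	Context string // e.g. "transfer 250.00 EUR to <payee>" (constructed sample)
	Nonce   []byte
}

func NewTxRequest(context string) TxRequest {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	id := sha256.Sum256(nonce)
	return TxRequest{ID: hex.EncodeToString(id[:8]), Context: context, Nonce: nonce}
}

// PushPayload is everything that ever travels over the push channel.
func PushPayload(r TxRequest) string { return r.ID }

// signedData binds an approval to exactly this nonce and this context.
func signedData(r TxRequest) []byte {
	h := sha256.Sum256(append(append([]byte{}, r.Nonce...), r.Context...))
	return h[:]
}

// Approve is the device's "yes": it signs after showing Context to the user, and
// the signature goes straight back to the server with nothing for the user to type.
func (d Device) Approve(r TxRequest) []byte { return ed25519.Sign(d.priv, signedData(r)) }

// Verify checks the approval against the registered key and the server's own copy
// of the request, so an altered context or another device's signature fails.
func Verify(pub ed25519.PublicKey, r TxRequest, sig []byte) bool {
	return ed25519.Verify(pub, signedData(r), sig)
}
```

The server deletes the request after one successful Verify, so a captured signature cannot be replayed against a later request, whose nonce differs anyway.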
Real-Time Attack Detection and Blocking
Zero-day vulnerabilities are increasing, so it is vital that all applications use various real-time techniques to detect and stop attacks.
Runtime Application Self Protection is one way to achieve this. It establishes controls and techniques for detecting and blocking attacks as an application runs. RASP is also useful in preventing reverse engineering and unauthorized application code modification. It does not require human intervention.
It is important to use multi-layered defenses.
This reduces the chance of a breach by avoiding reliance on any one control. These layers include:
Code obfuscation: Makes decompiled source code difficult to understand without modifying how the program executes.
Tamper detection: Organizations can use technologies such as ASLR, stack-smashing protection and property list (.plist) checks to ensure that the environment or app has not been compromised and that all associated functionality is unchanged.
Jailbreak and Emulator detection: Organizations can create and enforce policies that govern the type of devices that are trusted — or not.
Streamlining the Management of the Authentication Lifecycle
Cryptographic keys and certificates are issued with a finite lifetime to reduce the possibility of their being compromised.
The shorter a key’s lifetime, the safer it is. Shorter lifetimes, however, also require strict key management and renewal procedures.
The solution to this problem should not require users to re-register every time they use the service.
What is the answer? Newer authentication solutions make it easy to set a key’s lifetime, and the server can use them to renew keys before they expire. Organizations can comply with security best practices without having to ask customers for permission.
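As an added example (not the article’s or any vendor’s code), a server-side key rollover in Go: each device key carries an expiry, the server flags keys that are inside a renewal window during normal use, and the device proves it owns the replacement by signing the new public key with the old one, so no re-registration is needed. The 90-day lifetime and 14-day window are assumed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Lifetimes are assumed values for this example, not figures from the article.
const (
	KeyLifetime = 90 * 24 * time.Hour // every device key expires after this
	RenewWindow = 14 * 24 * time.Hour // the server renews silently inside this window
)

// DeviceKey is the server's record of a provisioned device's public key and its lifetime.
type DeviceKey struct {
	Pub      ed25519.PublicKey
	NotAfter time.Time
}

// NeedsRenewal is evaluated on every authentication so rotation rides on normal use.
func NeedsRenewal(k DeviceKey, now time.Time) bool {
	return !now.Before(k.NotAfter.Add(-RenewWindow))
}

func rolloverMsg(newPub ed25519.PublicKey) []byte {
	return append([]byte("device-key-rollover:"), newPub...)
}

// Rollover runs on the device: a fresh key pair is generated in place and the new
// public key is signed with the current key, proving the same device holds both.
func Rollover(oldPriv ed25519.PrivateKey) (ed25519.PublicKey, ed25519.PrivateKey, []byte) {
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	return newPub, newPriv, ed25519.Sign(oldPriv, rolloverMsg(newPub))
}

// Renew runs on the server: the rollover is accepted only while the current key is
// still valid and the proof verifies, so the user never has to re-register.
func Renew(k DeviceKey, newPub ed25519.PublicKey, proof []byte, now time.Time) (DeviceKey, error) {
	if now.After(k.NotAfter) {
		return k, errors.New("key already expired: full re-registration required")
	}
	if !ed25519.Verify(k.Pub, rolloverMsg(newPub), proof) {
		return k, errors.New("rollover proof not signed by the registered key")
	}
	return DeviceKey{Pub: newPub, NotAfter: now.Add(KeyLifetime)}, nil
}
```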
Preventing Brute Force Attacks on Login Information and Encryption Keys
Brute force attacks use trial and error to reach their goals. They are easy enough to be popular and effective enough to be very common. Mobile authentication solutions can be used to combat these attacks.
One of the most powerful features is to allow organizations to tailor settings to meet their specific needs and policies. Examples include:
Delay locks: Organizations can enforce a delay before a user may enter a new password or PIN after an unsuccessful attempt.
Counter locks: This setting invalidates the password after a set number of unsuccessful attempts.
Silent locks: An organization can lock out a user from the system without giving any feedback if they enter the wrong password or PIN.
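The three lock types as one small Go policy engine, added here as an illustration rather than taken from the article: a counter lock that refuses even the correct PIN after MaxAttempts failures, a delay lock whose wait grows with each failure, and a silent mode that makes a locked account indistinguishable from a wrong guess. Field names and thresholds are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"time"
)

// LockPolicy holds the three lock settings the article lists (values are assumptions).
type LockPolicy struct {
	MaxAttempts int           // counter lock: refuse the PIN after this many failures (0 = off)
	BaseDelay   time.Duration // delay lock: wait before the next try, growing with each failure
	Silent      bool          // silent lock: a locked account answers exactly like a wrong guess
}

// Account is the server-side record of one user's PIN and failure history.
type Account struct {
	PIN      []byte
	Failures int
	LastFail time.Time
}

type Result int
const (
	OK Result = iota
	WrongPIN
	TooSoon // delay lock still in effect
	Locked  // counter lock tripped (never reported under a silent policy)
)

// Check applies the counter lock, then the delay lock, then a constant-time PIN compare.
func (a *Account) Check(p LockPolicy, pin string, now time.Time) Result {
	if p.MaxAttempts > 0 && a.Failures >= p.MaxAttempts {
		if p.Silent {
			return WrongPIN // no feedback: the caller cannot tell a lock from a miss
		}
		return Locked
	}
	if a.Failures > 0 && now.Before(a.LastFail.Add(time.Duration(a.Failures)*p.BaseDelay)) {
		return TooSoon
	}
	if subtle.ConstantTimeCompare(a.PIN, []byte(pin)) == 1 {
		a.Failures = 0
		return OK
	}
	a.Failures++
	a.LastFail = now
	if p.MaxAttempts > 0 && a.Failures >= p.MaxAttempts && !p.Silent {
		return Locked
	}
	return WrongPIN
}
```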
Third-Party Certifications and Audits Are Key Indicators to Help You Make the Right Decision
No security strategy is complete without third-party audits or certification of compliance. These ensure that the authentication solution is secure and can protect the organization in today’s rapidly changing landscape.
Internal reviews should be conducted to verify that the solution complies with industry standards such as the OWASP Mobile Security Project.
Certifications such as the Certification de Sécurité de Premier Niveau, awarded by the French National Agency for the Security of Information Systems (ANSSI), can be used to verify the solution’s reliability. They are based on rigorous intrusion testing and conformity analysis.
Securing the consumer’s mobile authentication journey across its entire lifecycle, from device registration to credential management and the recommended security audits, is difficult.
Organizations must carefully assess their risks and learn how to use device-level security features to make mobile authentication and transaction signing secure.
They must deploy solutions that will protect their customers and themselves in today’s constantly changing threat landscape.