Banks and other financial institutions know they are vulnerable to cyberattacks against their business or customers.

While multi-factor authentication (MFA) and Strong Customer Authentication (SCA) are effective defenses, not all implementations are equally effective, and this is especially true of mobile authentication solutions.

Many users expect the same convenience they get from other mobile applications. However convenient they are, these applications must still be protected.

Many mobile authentication solutions have serious security flaws.

These flaws include solutions that rely on secure codes, also known as one-time passwords (OTPs), sent by SMS to customers’ mobile phones.

This method, which has been in use for many years, is extremely vulnerable to cyberattacks. It is essential that organizations understand the risks they face in order to protect their customers as well as themselves. They need to know how to secure mobile authentication and transaction signing, and how to use the controls and protocols available today to deploy seamless, secure and scalable solutions.

Knowing what’s at stake

There are many ways hackers can attack accounts.

ReadWrite, for instance, reported in May 2021 that FluBot malware was able to collect passwords and send them back to its operators. Even more virulently, the bot also harvested all of the victims’ contacts and sent those contacts messages, infecting still more people.

A year earlier, in another major attack, attackers created a network of 16,000 virtual devices and intercepted SMS one-time passwords (OTPs).

Ars Technica reported that IBM Trusteer researchers uncovered the fraud operation, which used a network of emulators to drain millions of dollars from mobile banking apps within a matter of days.

Increased reliance on digital transaction channels

The volume of cyberattacks has risen significantly as reliance on digital transaction channels has grown.

Peter Daisyme, a ReadWrite contributor, highlighted in his 5 Ways To Improve and Optimize your Company’s Data Security Program that the April 2022 Block Cash App hack may have exposed the data of more than eight million customers.

Crypto.com also admitted in early 2022 that more than 500 users had over $30 million stolen in a severe breach.

Hackers still use compromised user credentials as a primary method of launching attacks.

In spring 2021, hackers exploited a multi-factor authentication flaw to steal cryptocurrency from approximately 6,000 Coinbase accounts. The flaw allowed them to have an SMS OTP sent and then gain access to user account information.

Mobile authentication security offers a solution to these challenges. Users can take advantage of various mobile device capabilities to verify their identities before accessing an application or performing a transaction.

How Mobile Authentication Security Works

Although it’s possible to turn the ubiquitous smartphone into an intuitive, universal authenticator, it’s not easy to ensure that the mobile authentication process is secure.

Through the non-profit Open Web Application Security Project (OWASP) foundation, the industry has established baseline security standards for mobile authentication. These standards differ from those created for web apps.

Mobile apps have many more options for storing data and for leveraging a device’s built-in security features to authenticate its users. As a result, even small design choices can have a larger-than-anticipated impact on a solution’s overall security.

One mobile authentication option is SMS verification, in which an OTP is sent by SMS. This method has been growing in popularity worldwide. HID Global’s 2021 study found it was the most widely used authentication method among financial institutions, and the Ponemon Institute estimates that about one third of mobile users rely on SMS OTP, despite the security risks.

Another alternative is authentication solutions that combine push notifications with an out-of-band channel.

The out-of-band approach offers greater security, flexibility and usability. This secure-channel-based authentication method uses cryptography to bind a particular device to its owner.

This prevents an attacker who lacks physical access to the device from impersonating its owner. It is also more secure than SMS authentication, because neither the service provider nor the customer has to send sensitive information to the customer’s device over an insecure network.

Push notifications are also easier to use than SMS systems.

A push notification appears on the user’s mobile phone, and the user confirms the request by choosing to approve or deny the transaction. This differs from reading an OTP sent via SMS and having to re-type it into the app.

Most of the authentication happens in the background; users see only a small part of it.
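As an added example (not code from the article or any vendor), the following Python sketch shows the out-of-band flow described above: the server issues a challenge carrying the transaction context, the device binds the user’s approve/deny decision to that exact context with a device-bound key, and the server rejects altered, replayed or expired responses. It assumes a per-device shared secret established at provisioning (DEVICE_KEY) and uses HMAC-SHA256 in place of whatever cryptography a real solution uses.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device secret. In a real deployment it would be established
# during provisioning and held in the device's secure hardware (assumption).
DEVICE_KEY = secrets.token_bytes(32)


def canonical(obj) -> bytes:
    """Deterministic JSON so server and device authenticate identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_challenge(amount: str, payee: str, now: int, ttl: int = 60) -> dict:
    """Server side: the transaction context shown to the user, a fresh nonce
    and an expiry. The push notification itself carries none of this; the app
    fetches it over the authenticated channel."""
    return {"amount": amount, "payee": payee,
            "nonce": secrets.token_hex(16), "exp": now + ttl}


def device_respond(key: bytes, challenge: dict, decision: str) -> str:
    """Device side: bind the user's approve/deny decision to the exact context
    displayed, using the device-bound key. Nothing secret leaves the device."""
    msg = canonical(challenge) + b"|" + decision.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks the response and refuses expired or replayed nonces."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def verify(self, challenge: dict, decision: str, tag: str, now: int) -> str:
        if now > challenge["exp"]:
            return "expired"
        if challenge["nonce"] in self.seen_nonces:
            return "replay"
        expected = device_respond(self.key, challenge, decision)
        # Any change to amount, payee or decision yields a different tag.
        if not hmac.compare_digest(expected, tag):
            return "invalid"
        self.seen_nonces.add(challenge["nonce"])
        return "approved" if decision == "approve" else "denied"
```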

The mobile authentication process starts with registering and recognizing the user’s device, followed by provisioning secure credentials.

User credentials must also be kept secure.

The solution also needs to protect sensitive data while the company’s app is running, ensure security throughout the customer lifecycle, and prevent brute-force attacks. Each of these steps is challenging.

Seven major challenges in customer authentication

Mobile authentication security is complicated by many factors, including selecting the most effective techniques and integrating them into the company’s security systems. There are seven major challenges in the mobile authentication process:

Recognizing and authenticating the user’s device

The device a person uses to authenticate their digital identity can be identified. An attacker could impersonate the user by cloning that mobile device, transferring its data to a virtual or physical copy.

This can be countered with anti-cloning technology that ensures the fraudulent copy cannot be used to gain access.

Anti-cloning strategies are most effective when they rely on the secure element (SE) shipped with almost all modern smartphones.

On iOS, this is the Secure Enclave, a dedicated secure subsystem integrated into Apple systems-on-chips (SoCs).

On Android devices, the Trusted Execution Environment (TEE) runs alongside the Android operating system. By using the device’s secure element, authentication solutions can take full advantage of hardware security protections.

Furthermore, strong authentication solutions can stop would-be hackers by using multiple layers of cryptographic protection. They also secure individual keys with a unique device key generated during initial provisioning, making it impossible for an attacker to gain access to other keys or impersonate another device.

Provisioning User Devices to Protect and Secure Them From Cyberattacks

It is essential to protect the identities of users and their credentials on mobile devices from cyberattacks.

Some mobile authentication solutions use public-key cryptography, based on a mathematically linked private/public key pair, to activate user devices. The private half of this pair is the customer’s secret key.

Because the private key is never allowed to leave the device, the credential cannot be lost or stolen in transit. This suits mobile authenticators well: they can exchange information directly with the authentication server during authentication requests, so users need no manual intervention beyond, for example, a push authentication response.

Two additional steps are needed if secret key material must be exchanged between the mobile authentication server and the mobile authenticator.

This is the case for mobile authenticators that provide a manual alternative (such as an OTP). These steps guarantee a secure exchange of the client’s secret key material with the server:

Initial authentication, required to establish a secure channel.

Establishment of the secure channel, over which the shared secrets are exchanged.

Secure solutions require each user to be authenticated once during registration; this initial authentication expires once the registration process has been completed.

Some solutions enable organizations to adjust security settings and rules. You can modify the length of the initial password, its alphanumeric content, or the number of retries permitted after a failed initial authentication.

Organizations should also consider the policies that govern device provisioning and usage.

Ideally, an authentication solution should let an organization decide whether credentials may be issued to jailbroken devices or outdated operating systems.

With solutions like these, organizations can often choose which type of encryption they use, and can easily modify any settings the vendor has not fixed.

How Can We Protect User Credentials in a Dangerous Digital World?

Protecting credentials from phishing attacks and other threats requires strong policies. This can be hard, especially when password policies differ across organizations. Mobile authentication solutions help here by accommodating these policy differences via push notifications.

After a password is entered successfully, a push notification may be sent, and the user might be asked to complete additional steps to validate their identity, such as entering a PIN, a password or a biometric.

Secure Communications Protect Sensitive Data

Sensitive data could be intercepted if it travels over insecure channels. All communication between users, mobile authentication solutions and backend servers must be encrypted.

Certificate pinning must be performed before any messages are exchanged. This ensures that the mobile authentication solution is communicating with the correct server: the solution restricts which certificates are valid for each server, establishing explicit trust between the app and its servers and reducing reliance on third parties.

Transport-level security requires the TLS protocol. TLS 1.2 protects all messages between the authentication solution and the server, as well as any notifications sent to the mobile device.

Message-level encryption should be applied inside this secure tunnel as well. The best authentication options send no user data in push notifications; instead, they provide a secure, private connection between the server and the app.

The app retrieves the context of the request over this channel, limiting the risk of exposure or compromise.

Real-Time Attack Detection and Blocking

Zero-day vulnerabilities continue to grow in number, making it crucial for applications to use real-time techniques to detect and stop attacks.

Runtime Application Self-Protection (RASP) is one way to accomplish this. It provides the techniques and controls for detecting, blocking and mitigating attacks while the application is executing. RASP can also prevent reverse engineering or unauthorized modification of application code, all without human intervention.

It is crucial that defenses use multiple layers.

This decreases the likelihood that any single control is bypassed and results in a breach. These layers include:

Code obfuscation – This makes it more difficult for humans to understand the source code of decompiled programs.

Tamper detection – Organizations can verify that their app and its environment have not been tampered with, using technologies such as ASLR, stack-smashing protection, and property list (.plist) checks.

Jailbreak and emulator detection – Organizations can establish and enforce policies on which types of devices can be trusted.

Streamlining Authentication & Lifecycle Management

The lifetimes of cryptographic keys and certificates are limited to reduce the chance that they are compromised.

The shorter a key’s lifetime, the more secure it is. However, shorter lifetimes also require that key management and renewal processes be followed strictly.

This does not mean that users have to register for the service again and again.

The solution? The latest authentication solutions make it easy to configure a key’s lifetime, and they include mechanisms that let the server renew a key automatically before it expires. Companies can thus follow security best practice without requiring explicit intervention from their customers or disrupting their service.
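The renewal mechanism described above, as an added example that is not the article’s or any vendor’s code: a server-side key record with a configurable lifetime, a renewal window in which the server issues a successor key during an already-authenticated request, and a brief overlap during which the old key still verifies until its own expiry. The names (DeviceKey, KeyLifecycle) and the HMAC-based signing are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DeviceKey:
    kid: int            # key identifier sent alongside each message
    secret: bytes
    not_before: int
    not_after: int      # set from the configurable lifetime


def sign(key: DeviceKey, msg: bytes) -> str:
    """Device side: authenticate a message with the current key."""
    return hmac.new(key.secret, msg, hashlib.sha256).hexdigest()


class KeyLifecycle:
    """Server-side record of one device's key with automatic renewal
    (constructed example, not a vendor's mechanism)."""

    def __init__(self, lifetime: int, renew_before: int, now: int):
        self.lifetime = lifetime
        self.renew_before = renew_before
        self.current = DeviceKey(1, secrets.token_bytes(32), now, now + lifetime)
        self.previous = None   # kept until its own expiry so in-flight messages verify

    def needs_renewal(self, now: int) -> bool:
        return now >= self.current.not_after - self.renew_before

    def on_authenticated_request(self, now: int):
        """After a successful authentication, hand the device a successor key
        over the already-authenticated channel if we are inside the renewal
        window. The user never re-registers; the old key simply ages out."""
        if not self.needs_renewal(now):
            return None
        new = DeviceKey(self.current.kid + 1, secrets.token_bytes(32),
                        now, now + self.lifetime)
        self.previous, self.current = self.current, new
        return new

    def verify(self, kid: int, msg: bytes, tag: str, now: int) -> bool:
        for key in (self.current, self.previous):
            if key and key.kid == kid and key.not_before <= now < key.not_after:
                return hmac.compare_digest(sign(key, msg), tag)
        return False
```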

Preventing Brute-Force Attacks on Login Information and Encryption Keys

Brute-force attacks rely on trial and error to accomplish their goals. They are simple and effective enough to have become popular, but there are many ways to counter them.

One of the most efficient is to make lockout settings adaptable to your organization’s specific policies and needs. Examples include:

Delay locks – Organizations can customize how long users must wait before re-entering their PIN or password after a failed attempt.

Counter locks – This setting invalidates the password after a set number of unsuccessful attempts.

Silent locks – Organizations can lock users out of the system without giving any feedback when they enter the wrong password or PIN.
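The three lock types above, implemented together as an added example (not from the article or any product): a configurable LockPolicy with exponentially growing delay locks, a counter lock that invalidates the credential after a set number of failures, and a silent mode that returns the same answer whatever the reason for refusal. The class names and the PBKDF2 PIN verifier are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class LockPolicy:
    max_attempts: int = 5      # counter lock: invalidate the credential after N failures
    base_delay: float = 2.0    # delay lock: seconds before the next try, doubling per failure
    silent: bool = False       # silent lock: identical "denied" answer for every refusal

@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0
    invalidated: bool = False

def _derive(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 verifier; the PIN itself is never stored (constructed choice).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class PinAuthenticator:
    def __init__(self, policy: LockPolicy, pins: dict):
        self.policy = policy
        self.creds = {}
        for user, pin in pins.items():
            salt = secrets.token_bytes(16)
            self.creds[user] = (salt, _derive(pin, salt))
        self.state = {}

    def is_locked(self, user: str) -> bool:
        return self.state.get(user, AccountState()).invalidated

    def attempt(self, user: str, pin: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())
        if st.invalidated:
            return "denied" if self.policy.silent else "locked"
        if now < st.next_allowed:   # delay lock: early retries are ignored, not counted
            return "denied" if self.policy.silent else "wait"
        salt, verifier = self.creds.get(user, (b"", b""))
        if verifier and hmac.compare_digest(_derive(pin, salt), verifier):
            st.failures, st.next_allowed = 0, 0.0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_attempts:
            st.invalidated = True   # counter lock: credential must be re-provisioned
            return "denied" if self.policy.silent else "locked"
        st.next_allowed = now + self.policy.base_delay * 2 ** (st.failures - 1)
        return "denied" if self.policy.silent else "invalid"
```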

Third-Party Audits & Certifications Are Key Indicators That Help You Make the Right Decisions

Third-party audits and compliance certifications are essential to any security strategy. They help ensure that your organization’s authentication solution remains secure in today’s environment of constantly evolving threats.

Internal reviews are also important for security.

Certifications such as ANSSI’s Certification de Sécurité de Premier Niveau (CSPN), an external penetration audit and certification that attests to a solution’s robustness based on a strict intrusion test and conformity analysis, can also be obtained.

Ensuring the security of consumer mobile authentication across the entire lifecycle, from device registration through credential management to the recommended security audits and certifications, is not easy.

It is important for organizations to consider their risks and learn how to implement and leverage the device-level security features that make mobile transaction signing and authentication secure.

Only then will they be able to deploy solutions that are both effective and cost-effective in today’s evolving threat landscape.

By Manali