Banks and other financial service providers know that they are especially vulnerable to cyberattacks targeting their business and their customers.
Multi-factor authentication (MFA), or strong customer authentication (SCA), is among the most effective defenses available, but not every implementation is equally strong. This is especially true for mobile authentication.
Consumers expect the same easy experience they get from their other mobile apps, but however convenient it is, authentication must still be properly secured.
Mobile authentication offerings with significant security flaws are common.
One example is solutions that deliver one-time passwords (OTPs) to customers' phones by SMS.
This method has been widely used for many years, yet it is highly vulnerable to SMS rerouting, malware on the handset and the other attacks described below. To protect their customers and themselves, organizations need to understand these risks and know how to make mobile authentication and transaction signing secure.
Knowing the Factors
Attackers have many methods at their disposal, including illicit SMS-rerouting services that let them divert a victim's text messages and take over accounts.
ReadWrite reported in May 2021 that the FluBot malware, once installed, was harvesting banking credentials and passwords and sending them back to its operators. More dangerous still, the bot also sent SMS messages from infected phones to their owners' contacts, spreading the infection further.
A full year earlier, another major attack had been uncovered. As Ars Technica reported, IBM Trusteer researchers found a large fraud operation that built a network of around 16,000 emulated mobile devices, used it to intercept SMS OTPs and impersonate customers' phones, and defrauded mobile banking users of millions of dollars.
A growing reliance upon digital transaction channels
Cyberattacks have increased substantially as businesses and consumers have come to depend on digital transaction channels.
ReadWrite contributor Peter Daisyme pointed out in his article 5 Methods to Improve and Optimize the Data Security Program of Your Company that the April 2022 Block (Cash App) data breach may have exposed over eight million customer records.
At the start of 2022, Crypto.com announced that nearly 500 users had collectively lost more than $30 million following a serious breach.
Attackers still launch their attacks using compromised user credentials.
In spring 2021, attackers exploited a flaw in Coinbase's SMS-based multi-factor authentication to steal cryptocurrency from approximately 6,000 customers. Having already obtained the victims' usernames and passwords, they abused the flaw to obtain the SMS OTP and complete the login.
Mobile authentication security addresses these problems by letting users prove their identity with capabilities built into their mobile devices before they can access an app or perform a transaction.
How Mobile Authentication Security Works
The ideal is to make the smartphone a universal authenticator, but securing the mobile authentication process is no easy feat.
Through the non-profit Open Web Application Security Project (OWASP) foundation, the industry has established security standards for mobile applications and mobile authentication (the OWASP Mobile Security Project and its Mobile Application Security Verification Standard, MASVS). These standards differ in important ways from those written for web applications.
Mobile apps have a wider range of options for storing credentials and for using the device's own security functions to authenticate users. As a result, even small design choices can have a larger-than-anticipated impact on a solution's overall security.
SMS verification, an OTP sent over SMS, is one option for mobile authentication, and it has gained popularity worldwide. HID Global's 2021 survey found it to be the preferred authentication method for the majority of financial institutions. The Ponemon Institute estimated that, despite its serious security weaknesses, SMS OTP is used by about one-third (33%) of mobile users.
Alternatives include authentication solutions that combine push notifications with a secure out-of-band channel.
Out-of-band authentication offers greater flexibility, stronger security and better usability. This channel-based technique uses cryptography to bind a specific device to its owner's identity.
Without physical access to that device, an attacker cannot impersonate its owner, and because the service provider never has to send a secret over an untrusted network such as SMS, the approach is safer than SMS authentication.
Push notifications also give users a simpler experience than SMS systems.
When a push notification arrives, the user only has to approve the request on the phone rather than read an OTP out of an SMS and type it into another screen. The request should show exactly what is being approved (the amount and recipient of a transfer, or the site being logged into), so that a user cannot be tricked into approving an attacker's request by a flood of notifications.
Users see only a small part of the authentication process; the rest happens in the background.
The mobile authentication lifecycle begins with registering and recognizing the device and the user, then provisioning and activating secure credentials.
The solution must also protect the user's credentials and all communication between the user, the app and the backend server.
Finally, it must safeguard sensitive data and requests while the app is running, maintain security throughout the customer lifecycle and prevent brute-force attacks. Each step comes with its own set of challenges.
Solving Seven Major Challenges in Customer Authentication
Mobile authentication security is challenging for several reasons. Seven main types of challenge arise across the mobile authentication lifecycle.
Recognizing and authenticating device users
Recognizing when a legitimate user is operating their own device is a strong way to authenticate a digital identity. Without that recognition, attackers could use stolen data to impersonate users from a virtual or physical clone of the device.
Anti-cloning technology stops fraudsters from using such cloned devices.
Anti-cloning is most effective when it relies on the hardware-backed key storage that nearly all modern smartphones provide.
On iOS this is the Secure Enclave, a dedicated secure subsystem embedded in Apple's systems on chip (SoCs).
On Android it is a trusted execution environment (TEE) isolated from the main operating system, or on some devices a discrete secure element (SE), backing the Android Keystore. Keys generated there are non-exportable: they can be used on the device but never read out, so an authentication solution that uses them benefits from the strongest hardware protection the platform offers.
Strong authentication solutions also defeat cloning with multiple layers of cryptographic defense, protecting each key with a unique per-device value generated during initial provisioning. Even if one device is compromised, an attacker cannot derive other devices' keys or impersonate a different device.
Protecting Device Provisioning from Cyberattacks
Managing users' identities and issuing mobile credentials must itself be protected from cyberattacks.
Some mobile authentication systems activate user devices using public-key cryptography, based on a mathematically linked private/public key pair. The private key is generated on the customer's mobile device and remains secret there.
Because it never leaves the device, there is far less chance of the credential being stolen. This model is ideal for mobile authenticators that talk directly to the authentication server, such as push-based authenticators, because no manual user intervention (typing a code) is needed.
Two extra steps are needed when secret key material must be shared between a mobile authenticator and the authentication server.
This is the case for mobile authenticators that generate an OTP as a manual fallback. These steps ensure that the secret is transmitted securely between client and server:
First, the user performs an initial authentication to establish a secure channel.
Second, the shared secret is established over that secure channel.
In the most secure solutions, the initial authentication is unique to each user and expires as soon as registration completes (a one-time activation code).
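The provisioning and push flow described above (a device-generated key pair, a single-use initial authentication that expires after registration, and an out-of-band challenge bound to the transaction the user approves), as one working example. This is code added for this page, not code from any vendor's product or from the original article; the type names, the 10-minute activation window and the 2-minute challenge lifetime are illustrative assumptions. The private key is held in memory here; on a real handset it would be generated inside the Secure Enclave or a TEE-backed keystore and never be exportable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge is the out-of-band request a push notification points to. It holds
// no secret; the device signs the whole struct, so the user's approval of
// Context is bound to this ID (which doubles as the nonce), user and expiry.
type Challenge struct {
	ID      string `json:"id"`
	UserID  string `json:"user"`
	Context string `json:"context"`
	Expires int64  `json:"expires"` // Unix seconds
}

type activation struct {
	userID  string
	expires time.Time
}

// Server keeps only public keys; the private key never leaves the phone.
type Server struct {
	codes   map[string]activation        // one-time activation codes
	devices map[string]ed25519.PublicKey // userID -> enrolled device key
	pending map[string]Challenge         // challenge ID -> outstanding challenge
}

func NewServer() *Server {
	return &Server{map[string]activation{}, map[string]ed25519.PublicKey{}, map[string]Challenge{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand: only fails if the OS RNG is broken
	return hex.EncodeToString(b)
}

// IssueActivationCode creates the short-lived, single-use initial credential.
func (s *Server) IssueActivationCode(userID string, now time.Time) string {
	code := randomHex(8)
	s.codes[code] = activation{userID: userID, expires: now.Add(10 * time.Minute)}
	return code
}

// Enroll consumes the code and binds the device key to the user, so a cloned
// device presenting the same code later is refused.
func (s *Server) Enroll(code, userID string, pub ed25519.PublicKey, now time.Time) error {
	ac, ok := s.codes[code]
	delete(s.codes, code) // single use, whether or not this attempt succeeds
	if !ok || ac.userID != userID || now.After(ac.expires) || len(pub) != ed25519.PublicKeySize {
		return errors.New("activation code invalid, expired or already used")
	}
	s.devices[userID] = pub
	return nil
}

// PushChallenge creates the request; the app fetches it over its own channel.
func (s *Server) PushChallenge(userID, context string, now time.Time) (Challenge, error) {
	if _, ok := s.devices[userID]; !ok {
		return Challenge{}, errors.New("no enrolled device for user")
	}
	c := Challenge{ID: randomHex(16), UserID: userID, Context: context, Expires: now.Add(2 * time.Minute).Unix()}
	s.pending[c.ID] = c
	return c, nil
}

// SignChallenge is the device side: after the user approves the displayed
// context, the app signs the canonical challenge with its device-bound key.
func SignChallenge(priv ed25519.PrivateKey, c Challenge) []byte {
	msg, _ := json.Marshal(c)
	return ed25519.Sign(priv, msg)
}

// VerifyResponse verifies against the server's own copy of the challenge (never
// one echoed by the client), enforces expiry, and retires it to block replay.
func (s *Server) VerifyResponse(id string, sig []byte, now time.Time) error {
	c, ok := s.pending[id]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, id)
	if now.Unix() > c.Expires {
		return errors.New("challenge expired")
	}
	if msg, _ := json.Marshal(c); !ed25519.Verify(s.devices[c.UserID], msg, sig) {
		return errors.New("signature does not match the enrolled device key")
	}
	return nil
}

func main() {
	now, srv := time.Now(), NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated on the device, never exported
	fmt.Println("enroll:", srv.Enroll(srv.IssueActivationCode("alice", now), "alice", pub, now))
	c, _ := srv.PushChallenge("alice", "Transfer 950.00 EUR to account ending 4300", now)
	fmt.Println("approve:", srv.VerifyResponse(c.ID, SignChallenge(priv, c), now))
}
```

Two details carry most of the security: the server signs nothing and sends nothing secret, so the push channel need not be trusted, and the signature covers the server's stored copy of the challenge, so a response cannot be moved to a different transaction or replayed once it has been consumed.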
Some solutions let organizations customize security settings and rules, such as the length and character set of the activation code and the number of retries allowed after an initial authentication failure.
Companies should also think about the policies that govern their device and user provisioning processes.
Ideally, an authentication solution lets an organization decide whether credentials may be issued to devices running outdated operating systems, to jailbroken or rooted devices, or to devices without hardware-backed key storage.
Such solutions also let organizations choose the cryptographic algorithms they want to use and make it simple to change the vendor's default settings.
Security of User Credentials In A Dangerous Digital World
Strong policies are vital to protect credentials against phishing and other attacks, but password policies differ from one organization to another, which can be hard to accommodate. Push-based mobile authentication solutions can adapt to these differences.
A push message can be sent once a password has been entered correctly, or users may first have to take additional steps to prove their identity, such as entering their device PIN or passcode or presenting a biometric.
Secure Communications Are Essential for Protecting Sensitive Data
Sensitive data can be intercepted when it is sent over unsecured channels. All communication between the user, the mobile authenticator and the backend services must therefore be encrypted.
Certificate pinning ensures that the mobile authenticator is talking to the right server before any messages are exchanged: it restricts which certificates (or public keys) are accepted for a given server and establishes explicit trust between the app and the authentication backend, so that a certificate issued by a compromised or rogue CA is rejected. Pins need a rotation plan, because a pinned key that expires before the app is updated locks every user out.
Transport-level security relies on the TLS protocol. TLS 1.2 or later secures every message between the authentication software and the server, as well as any notification sent to the mobile device.
For message-level security, the data inside the TLS tunnel must be encrypted as well. The best authentication solutions never put sensitive user information in the push notification itself; the notification only tells the app to fetch the request over a private, secure connection between the app and the server.
The app retrieves the request context over that channel, which minimizes the risk of interception or compromise.
Real-Time Attacks: Detecting and Blocking
Zero-day vulnerabilities are on the rise, and applications must use a range of real-time techniques to detect and stop attacks that exploit them.
Runtime Application Self-Protection (RASP) is one solution: it builds into the application the controls needed to detect, block and mitigate attacks while the app is running. RASP helps prevent reverse engineering and unauthorized modification of application code, and it requires no human intervention.
Multiple layers of defense are vital.
They ensure that no single bypassed control leads to a breach. These layers include:
Code obfuscation: making decompiled code much harder for a human to understand without changing how the program executes.
Tamper detection: assurance that neither the app nor its environment has been compromised and that none of its functionality has been altered, using techniques such as binary integrity checks, stack-smashing protection and address space layout randomization (ASLR), and property-list (.plist) validation.
Jailbreak and emulator detection: lets organizations create and enforce policies about which devices are trustworthy.
Streamlining the management of authentication lifecycles
Certificates and cryptographic keys have finite lifetimes to limit the damage if one is compromised.
A key with a shorter lifetime is exposed for less time, but shorter lifetimes demand strict key management and renewal policies.
Renewal, however, should not force users to re-register for the service repeatedly.
Modern authentication solutions make key lifetime easier to control: they provide mechanisms for the server to renew a device's key before it expires, without explicit user intervention, so organizations can follow best practice without interrupting service for their customers.
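Server-initiated key renewal without user involvement, as an added example (not code from the original page or any vendor): the server notices that a device key is inside its renewal window, the app generates a fresh key pair and proves possession of the expiring key by signing the new public key with it, and the server swaps the keys. The 90-day lifetime and 14-day window are illustrative assumptions. An expired key cannot be renewed, only re-enrolled, which is what forces the renewal to happen early and silently.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

const (
	keyLifetime = 90 * 24 * time.Hour // assumed policy: device keys live 90 days
	renewWindow = 14 * 24 * time.Hour // renew during the last 14 days of that life
)

// DeviceKey is the server's record of one device credential.
type DeviceKey struct {
	Pub     ed25519.PublicKey
	Expires time.Time
}

// NeedsRenewal tells the server when to ask the app to rotate; the user never
// sees it, the app answers on its next launch or sync.
func (k DeviceKey) NeedsRenewal(now time.Time) bool {
	return now.After(k.Expires.Add(-renewWindow)) && now.Before(k.Expires)
}

// RenewalProof is what the device returns: the new public key, signed by the
// key being retired, which demonstrates possession of the old private key.
type RenewalProof struct {
	NewPub ed25519.PublicKey
	Sig    []byte
}

// renewalMessage binds old and new key together so a proof cannot be reused
// for a different device or a different successor key.
func renewalMessage(oldPub, newPub ed25519.PublicKey) []byte {
	return append(append([]byte("device-key-renewal:"), oldPub...), newPub...)
}

// MakeRenewalProof is the device side; the new private key stays on the device.
func MakeRenewalProof(oldPriv ed25519.PrivateKey) (RenewalProof, ed25519.PrivateKey) {
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	oldPub := oldPriv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(oldPriv, renewalMessage(oldPub, newPub))
	return RenewalProof{NewPub: newPub, Sig: sig}, newPriv
}

// Rotate is the server side: accept the successor only while the current key
// is still valid, only if it is genuinely new, and only if the current key
// signed it. On success the old key is gone and a fresh lifetime starts.
func Rotate(cur DeviceKey, proof RenewalProof, now time.Time) (DeviceKey, error) {
	if now.After(cur.Expires) {
		return cur, errors.New("credential already expired: re-enrolment required")
	}
	if len(proof.NewPub) != ed25519.PublicKeySize || proof.NewPub.Equal(cur.Pub) {
		return cur, errors.New("invalid or reused public key")
	}
	if !ed25519.Verify(cur.Pub, renewalMessage(cur.Pub, proof.NewPub), proof.Sig) {
		return cur, errors.New("renewal not signed by the current device key")
	}
	return DeviceKey{Pub: proof.NewPub, Expires: now.Add(keyLifetime)}, nil
}

func main() {
	now := time.Now()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cur := DeviceKey{Pub: pub, Expires: now.Add(5 * 24 * time.Hour)}
	fmt.Println("needs renewal:", cur.NeedsRenewal(now))
	proof, _ := MakeRenewalProof(priv)
	next, err := Rotate(cur, proof, now)
	fmt.Println("rotated:", err == nil, "new expiry:", next.Expires.Format(time.DateOnly))
}
```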
Preventing Brute-Force Attacks on Login Credentials and Encryption Keys
Brute-force attacks use trial and error to guess credentials or keys. They are popular because they are simple and effective. Mobile authentication solutions use several techniques to defeat them.
Organizations can tailor these settings to their own needs and policies. Examples include:
Delay locks: an escalating sequence of delays before the user may re-enter a password or PIN after a failed attempt.
Counter locks: the credential is invalidated after a set number of failed attempts.
Silent locks: access is blocked without the user (or the attacker) being told that a lock has been applied.
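The three lock types combined into one server-side policy check, as an added example written for this page (not code from the original article or from any vendor). The delay schedule and failure limit are illustrative settings; the PIN is compared in constant time, and the silent mode returns one fixed error for every refusal so an attacker cannot tell a wrong guess from a lock.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// LockPolicy holds the settings an organization tunes.
type LockPolicy struct {
	Delays      []time.Duration // delay lock: wait after the 1st, 2nd, ... failure (last value repeats)
	MaxFailures int             // counter lock: invalidate after this many failures (0 = off)
	Silent      bool            // silent lock: every refusal looks identical to a wrong PIN
}

// Credential is the server-side state for one user's PIN.
type Credential struct {
	Pin       []byte // demo only: store a slow password hash in production
	Failures  int
	NotBefore time.Time // delay lock: no attempt is accepted before this instant
	Locked    bool
}

// ErrDenied is the only error a silent policy ever returns.
var ErrDenied = errors.New("authentication failed")

func (p LockPolicy) delay(failures int) time.Duration {
	if len(p.Delays) == 0 {
		return 0
	}
	if failures > len(p.Delays) {
		failures = len(p.Delays)
	}
	return p.Delays[failures-1]
}

// Attempt applies all three locks around a constant-time comparison.
func (p LockPolicy) Attempt(c *Credential, pin []byte, now time.Time) error {
	refuse := func(reason string) error {
		if p.Silent {
			return ErrDenied
		}
		return errors.New(reason)
	}
	switch {
	case c.Locked:
		return refuse("credential invalidated after too many failures")
	case now.Before(c.NotBefore):
		return refuse("too many attempts, retry after " + c.NotBefore.Format(time.RFC3339))
	case subtle.ConstantTimeCompare(c.Pin, pin) == 1:
		c.Failures, c.NotBefore = 0, time.Time{}
		return nil
	}
	c.Failures++
	if p.MaxFailures > 0 && c.Failures >= p.MaxFailures {
		c.Locked = true
		return refuse("credential invalidated after too many failures")
	}
	c.NotBefore = now.Add(p.delay(c.Failures))
	return refuse("wrong PIN")
}

func main() {
	policy := LockPolicy{Delays: []time.Duration{time.Second, 5 * time.Second, 30 * time.Second}, MaxFailures: 5}
	cred := &Credential{Pin: []byte("1234")}
	now := time.Now()
	for i, guess := range []string{"0000", "1111", "1234"} {
		fmt.Println(guess, policy.Attempt(cred, []byte(guess), now.Add(time.Duration(i)*time.Minute)))
	}
}
```

Note that the delay lock refuses even the correct PIN while the delay is running; that is deliberate, otherwise an attacker could simply ignore the delay and keep guessing.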
Third-Party Certifications and Audits Are Key Indicators for Choosing the Right Solution
No security strategy is complete without third-party audits. They are essential to confirm that an authentication solution works in today's dynamic environment and protects against evolving threats.
Internal checks should confirm that the solution meets industry standards such as the OWASP Mobile Security Project's Mobile Application Security Verification Standard (MASVS).
External certifications and penetration audits are offered by bodies such as the French National Agency for the Security of Information Systems (ANSSI). Its Certification de Sécurité de Premier Niveau (CSPN) attests to a solution's security on the basis of rigorous intrusion testing and conformity analysis.
Protecting the consumer's mobile authentication journey, from initial registration through credential management to the recommended security audits and certifications, is not easy.
It requires companies to assess their risk and learn how device-level security features can be used to secure mobile authentication and transaction signing.
Only then can they deploy solutions that protect both their customers and themselves from today's growing threat landscape.