
DEFENDING MOBILE BANKING SYSTEMS FROM FRAUDSTERS THROUGH STRONG AUTHENTICATION

Financial institutions are increasingly introducing internet banking platforms to enable customers to conduct banking transactions anytime, anywhere. However, as mobile malware becomes more prevalent, defending against mobile-based threats requires a strong authentication approach. Most banks have implemented strong hardware-based authentication for their commercial customers, but far fewer have done so on the consumer side, on the assumption that it is costly and complicated to deploy. This changes, however, with the advent of advanced mobile security that fosters a convenient banking experience with out-of-band strong authentication.

The most basic mobile authentication option is delivering a One-Time Password (OTP) via SMS. A customer logging in to the bank’s website with username and password triggers a request to send an OTP to his or her registered mobile phone. Upon receipt of a text message with the OTP, the customer enters it into a field on the banking site’s login page to complete the login process. However, there are drawbacks to this approach. Firstly, it pushes extra costs onto some end users, since in some markets customers must pay for the messages they receive. Secondly, it is subject to network coverage, latency and SMS delivery issues, which creates uncertainty around delivery. Finally, it doesn’t address the Man-in-the-Middle fraud problem: an SMS is generated in the backend and sent via the network, so there is a greater chance it will be intercepted. The recent Zeus Botnet Eurograbber attack, which stole $47 million in assets from more than 30,000 banking customers, is a useful example of successful SMS-related malware.

Alternatively, the mobile phone can be turned into a “soft token” by installing software that generates OTPs itself. OATH-compliant HMAC-based OTP algorithms (HOTP) or time-based OTP algorithms (TOTP) can be used. A unique combination of time-based and event-based algorithms is considered more secure. However, it is important to note that mobile OTP generators, if poorly implemented, are susceptible to attack. Ensuring OTPs are generated securely and only for intended users requires advanced technologies to mitigate key threats, such as:

  • Phishing: Ensure that each software token is bound to the device of the user on which the application is installed.
  • Keystroke Logging: Preclude attackers from capturing OTPs using key-logging. Even with a captured PIN or activation code, the attacker will be unable to generate an identical (cloned) mobile software token.
  • Static Code Dump/Patch Runtime Debugging: Even if the unique device IDs are spoofed, the mobile software token must have sophisticated levels of code obfuscation and symbol stripping built in, as well as an additional security layer in the form of a PIN. These measures ensure that even after reverse engineering by an attacker, a valid OTP will not be generated.
  • System Resource Manipulation: This type of attack requires a “jail-broken” or rooted device. The mobile software token refuses to operate on such a device, which defeats the attack.
  • Static Code Dump/Patch: Sophisticated anti-piracy security layers in mobile software tokens deter attackers from creating pirated and modified mobile soft tokens and using them to obtain OTPs.
  • Brute Force: The mobile software token must be PIN protected and designed to self-destruct after five consecutive incorrect entries. The mobile software token can also be protected with a layer of PIN camouflaging. In this case, an incorrect PIN is accepted and an invalid OTP is displayed, so the attacker has no way of knowing whether the entered PIN is correct or incorrect.
  • Dynamic Memory Access: This type of attack requires the device to be in a vulnerable state, such as jail-broken or rooted. The mobile software token should implement sophisticated layers of verification to determine whether the device is compromised and, if so, cease to operate.
  • Chosen Plaintext Brute Force: The attacker will not be able to mount this attack, as it is computationally infeasible to recover the token secret key by brute force.
  • Screen Capturing: It should be possible to deploy the mobile software token configured to generate OATH-compliant time-based OTPs and Challenge/Response values with a short validity period, so that capturing and relaying a displayed code is ineffective.
Andrew Lintell

All strong authentication solutions should be implemented as part of a larger, multi-layered strategy. Five layers of security should ideally be deployed to protect and secure access to data. The first layer is composed of a multi-factor authentication solution, both inside the firewall and in the cloud, that combines something the user knows (a password) with something the user has (a mobile) with something the user is (ascertained through a biometric or behaviourmetric solution).

The next layer is device authentication. It is important to verify that the person is using a “known” device; this can be established by combining endpoint device identification and profiling with elements such as proxy detection and geo-location. The third layer is browser protection, which ensures that the browser being used is part of a secure communication channel. The most robust approach is to use a proactively hardened browser with a mutual Secure Sockets Layer (SSL) connection to the bank application.

The fourth layer increases security for particularly sensitive transactions, including signing contracts and transferring large funds. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis. This layer presents security intelligence data which can be instrumental in spotting any anomalous or fraudulent behaviour which may indicate a malware compromise. The final layer is application security, which is especially important to mobile banking. This layer protects applications on mobile devices and must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex for hackers.

The security benefits of adopting a five-layer approach are immediate for the financial institution, and customers gain the peace of mind that their online banking provider has taken steps to provide a secure environment in which to conduct their financial transactions conveniently.