
DEFENDING MOBILE BANKING SYSTEMS FROM FRAUDSTERS THROUGH STRONG AUTHENTICATION
Andrew Lintell


Financial institutions are increasingly introducing internet banking platforms to enable customers to conduct banking transactions anytime, anywhere. However, as mobile malware becomes more prevalent, defending against mobile-based threats requires a strong authentication approach. Most banks have implemented strong hardware-based authentication for their commercial customers, but fewer have done so on the consumer side, judging it costly and complicated to deploy. This all changes, however, with the advent of advanced mobile security that fosters a convenient banking experience with out-of-band strong authentication.

The most basic mobile authentication option is delivering a One-Time Password (OTP) via SMS. A customer logging in to the bank’s website with username and password triggers a request to send an OTP to his or her registered mobile phone. Upon receipt of a text message with the OTP, the customer enters it into a field on the banking site’s login page to complete the login process. However, there are drawbacks to this approach. Firstly, it pushes extra costs onto end users in markets where customers must pay for the messages they receive. Secondly, it is subject to network coverage, latency and SMS delivery issues, which creates uncertainty around delivery. Finally, it doesn’t address the Man-in-the-Middle fraud problem: an SMS is generated in the backend and sent via the network, so there is a greater chance it will be intercepted. The recent Zeus Botnet Eurograbber attack, which stole $47 million in assets from more than 30,000 banking customers, is a useful example of successful SMS-related malware.

Alternatively, the mobile phone can be turned into a “soft token” by installing software that generates OTPs itself. OATH-compliant HMAC-based OTP (HOTP) or time-based OTP (TOTP) algorithms can be used. A combination of time- and event-based algorithms is considered more secure. However, it is important to note that mobile OTP generators, if poorly implemented, are susceptible to attack. Ensuring OTPs are generated securely and only for intended users requires advanced technologies to mitigate key threats, such as:

  • Phishing: Ensure that each software token is bound to the device of the user on which the application is installed.
  • Keystroke Logging: Preclude attackers from capturing OTPs using key-logging. Even with a captured PIN or activation code, the attacker will be unable to generate an identical (clone) mobile software token.
  • Static Code Dump/Patch Runtime Debugging: Even if the unique device IDs are spoofed, the mobile software token must have sophisticated levels of code obfuscation and symbol stripping built in, as well as an additional security layer in the form of a PIN. These measures ensure that even after reverse engineering by an attacker, an OTP will not be generated.
  • System Resource Manipulation: This type of attack requires a “jail-broken” or rooted device. The mobile software token refuses to operate on such a device, thereby defeating the attack.
  • Static Code Dump/Patch: Sophisticated anti-piracy security layers in mobile software tokens deter attackers from creating pirated and adapted mobile soft tokens and using them to obtain OTPs.
  • Brute Force: The mobile software token must be PIN protected and designed to self-destruct after five incorrect entries entered consecutively. The mobile software token can also be protected with a layer of PIN camouflaging. In this case, an incorrect PIN will be accepted and an invalid OTP will be displayed, so the attacker has no way of knowing whether an input PIN is correct or incorrect.
  • Dynamic Memory Access: This type of attack requires the device to be in a vulnerable state, such as jail-broken or rooted. The mobile software token should implement sophisticated layers of verification to determine whether the device is compromised, and cease to operate if it is.
  • Chosen Plain Text Brute Force: The attacker will not be able to mount this attack, as it is computationally infeasible to obtain the token secret key by brute force.
  • Screen Capturing: It should be possible to deploy the mobile software token in a configuration that generates OATH-compliant time-based OTPs and challenge/response codes with short validity, making captured codes ineffective to relay.

All strong authentication solutions should be implemented as part of a larger, multi-layered strategy. Five layers of security should ideally be deployed to protect and secure access to data. The first layer is composed of a multi-factor authentication solution, both inside the firewall and in the cloud, that combines something the user knows (a password) with something the user has (a mobile) with something the user is (ascertained through a biometric or behaviourmetric solution).

The next layer is device authentication. It is important to verify that the person is using a “known” device; this can be established by combining endpoint device identification and profiling with elements such as proxy detection and geo-location. The third layer is browser protection, which ensures that the browser being used is part of a secure communication channel. The most robust approach is to use a proactive hardened browser with a mutual SSL (Secure Sockets Layer) connection to the bank application.

The fourth layer increases security for particularly sensitive transactions, including signing contracts and transferring large sums. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioural analysis. This layer produces security intelligence data which can be instrumental in spotting anomalous or fraudulent behaviour that may indicate a malware compromise. The final layer is application security, which is especially important to mobile banking. This layer protects applications on mobile devices and must be architecturally hardened and capable of executing mutual authentication. Adding this layer makes data theft much more complex for hackers.

The security benefits to the financial institution of adopting a five-layer approach are immediate, providing customers with the peace of mind that their online banking provider has taken steps to provide a secure environment in which to conduct their financial transactions conveniently.
