Financial institutions are increasingly introducing internet banking platforms so that customers can conduct banking transactions anytime, anywhere. As mobile malware becomes more prevalent, however, defending against mobile-based threats requires strong authentication. Most banks have deployed strong hardware-based authentication for their commercial customers, but far fewer have done so for consumers, judging it too costly and complicated to roll out at that scale. Advances in mobile security change that calculation: a properly secured phone can act as an out-of-band second factor, giving a convenient banking experience with strong authentication and without shipping hardware tokens to every customer.
The most basic mobile authentication option is delivering a One-Time Password (OTP) via SMS. A customer logging in to the bank's website with username and password triggers a request to send an OTP to his or her registered mobile phone. On receiving the text message, the customer enters the OTP into a field on the banking site's login page to complete the login. There are drawbacks to this approach. First, in markets where customers pay to receive text messages, it pushes a cost onto the end user. Second, it depends on network coverage, latency and SMS delivery, which makes arrival of the code uncertain. Finally, it does not solve the interception problem: the OTP is generated in the back end and travels over the mobile network to the handset in clear, so it can be read or forwarded by malware on the phone, or diverted by an attacker who has taken control of the phone number (for example through a SIM swap). The Eurograbber attack, a Zeus variant that stole an estimated $47 million from more than 30,000 banking customers, is a useful example: malware on the PC lured the victim into installing a fake "security update" on the phone, which then forwarded the bank's SMS codes to the attackers.
Alternatively, the mobile phone can be turned into a "soft token" by installing software that generates OTPs itself. OATH-compliant HMAC-based OTP (HOTP, RFC 4226) or time-based OTP (TOTP, RFC 6238) algorithms can be used; implementations that combine a time step with an event counter are generally considered more robust, since a code is then valid only within a short window and only once. It is important to note, however, that mobile OTP generators are susceptible to attack if poorly implemented. Generating OTPs securely, and only for the intended user, means mitigating threats such as the following:
- Phishing: bind each software token to the specific device on which it was activated, so that an activation code or seed obtained by phishing the user cannot be used to enrol the token on an attacker's device.
- Keystroke logging: a key-logger on the PC captures what the user types, including a PIN or activation code. Because the token seed is bound to the device and is never typed, those captured values alone do not let the attacker build an identical (clone) mobile software token.
- Runtime debugging: even if the unique device identifiers are spoofed, the mobile software token should have strong code obfuscation and symbol stripping, plus an additional security layer in the form of a PIN. Obfuscation raises the cost of reverse engineering rather than preventing it; what actually stops an attacker who has the binary from generating an OTP is that the PIN is not stored on the device and is needed to reconstruct the seed.
- System resource manipulation: this type of attack requires a "jail-broken" or rooted device. The mobile software token should refuse to operate on a device it detects as compromised. Root detection can itself be bypassed by a determined attacker, so it should be treated as one layer rather than a guarantee.
- Static code dump/patch: anti-piracy and integrity-checking layers in the mobile software token deter attackers from creating pirated or patched copies of the app and using them to obtain OTPs.
- Brute force: the mobile software token must be PIN protected and designed to wipe itself after five consecutive incorrect entries. Alternatively, the token can be protected with a layer of PIN camouflaging: an incorrect PIN is accepted and an invalid OTP is displayed, so the attacker has no way of knowing from the device whether a PIN is correct. Note that the two measures are alternatives, not a combination. With camouflage the device cannot tell right from wrong and so cannot count failures; the lockout then has to be enforced by the bank, which counts failed OTP verifications per user.
- Dynamic memory access: this type of attack also requires the device to be in a vulnerable state such as jail-broken or rooted. The mobile software token should implement several independent checks for a compromised device and cease operating if any of them trigger.
- Chosen-plaintext brute force: an attacker who collects OTPs (HMAC outputs) cannot recover the token's secret key from them, because brute-forcing a seed of 128 bits or more is computationally infeasible. This holds only if the seed is generated with adequate entropy; a seed derived solely from a short activation code can be brute-forced.
- Screen capturing: malware that captures the token's screen obtains a code, but if the token is configured to generate OATH-compliant time-based OTPs or challenge/response codes with a short validity window, and the server rejects a code once it has been used, a captured code is of little use to an attacker who must relay it in time.
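The following is an added example, not code from the article or from any vendor's product. It implements HOTP and TOTP exactly as RFC 4226 and RFC 6238 specify (checked against the RFCs' own test vectors), then shows the PIN camouflage idea from the brute-force point above as an assumed construction: the seed is stored only XOR-masked with a PBKDF2 key derived from the PIN, so any PIN unmasks some seed and produces a plausible code, and nothing on the device can say whether the PIN was right. The `TotpVerifier` class is hypothetical bank-side logic showing the two checks that make screen capture and relay ineffective: a small clock-drift window and rejection of any time step that has already been consumed. The seed, salt, PIN and timestamp used in `demo()` are constructed values.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


# --- Soft-token side: PIN camouflage (assumed construction, not any vendor's scheme) ---
# The seed is stored only as seed XOR KDF(pin). Entering *any* PIN yields a well-formed
# seed and a plausible code; a wrong PIN just yields a wrong code. The device holds nothing
# to compare the PIN against, so a stolen phone gives no offline PIN-guessing oracle.
KDF_ITERATIONS = 10_000  # demonstration value; use a far higher work factor in production


def _pin_mask(pin: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=length)


def provision_token(seed: bytes, pin: str, salt: bytes) -> bytes:
    """What the app stores at activation: seed XOR KDF(pin). The clear seed is discarded."""
    mask = _pin_mask(pin, salt, len(seed))
    return bytes(a ^ b for a, b in zip(seed, mask))


def unlock_token(blob: bytes, pin: str, salt: bytes) -> bytes:
    """Unmask with whatever PIN was typed. Never fails: a wrong PIN silently gives a wrong seed."""
    mask = _pin_mask(pin, salt, len(blob))
    return bytes(a ^ b for a, b in zip(blob, mask))


# --- Bank side: verification with a small clock-drift window and replay rejection ---
class TotpVerifier:
    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.seed, self.step, self.digits, self.drift = seed, step, digits, drift
        self.last_step = -1  # highest time step for which a code has been accepted

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for candidate in range(now - self.drift, now + self.drift + 1):
            if candidate <= self.last_step:
                continue  # step already consumed: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.seed, candidate, self.digits), code):
                self.last_step = candidate
                return True
        return False


def demo() -> dict:
    """Walk through activation, a correct login, a replay, a wrong PIN and clock drift."""
    seed, salt = RFC_TEST_SECRET, b"constructed-salt"  # constructed values for the demo
    blob = provision_token(seed, "4711", salt)          # stored on the phone
    bank = TotpVerifier(seed)                           # the bank keeps the real seed
    t = 1_700_000_000                                   # constructed login time
    good = totp(unlock_token(blob, "4711", salt), t)    # right PIN
    bad = totp(unlock_token(blob, "0000", salt), t)     # wrong PIN: six digits, just wrong
    drift_bank = TotpVerifier(seed)
    return {
        "good_accepted": bank.verify(good, t),
        "replay_rejected": not bank.verify(good, t + 5),
        "wrong_pin_rejected": not bank.verify(bad, t + 40),
        "previous_step_accepted": drift_bank.verify(totp(seed, t - 30), t),
        "two_steps_old_rejected": not drift_bank.verify(totp(seed, t - 60), t + 30),
    }
```

Because `unlock_token` never reports failure, the app cannot count wrong PINs; in this design the bank's `TotpVerifier` is where failed attempts per user are counted and the account locked, which is the trade-off the brute-force point above describes.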
All strong authentication solutions should be implemented as part of a larger, multi-layered strategy. Ideally five layers of security are deployed to protect and secure access to data. The first layer is a multi-factor authentication solution, both inside the firewall and in the cloud, that combines something the user knows (a password) with something the user has (a mobile device) and something the user is (established through a biometric or behavioural-biometric solution).
The next layer is device authentication: verifying that the person is using a "known" device. This is established by combining endpoint device identification and profiling with signals such as proxy detection and geo-location. The third layer is browser protection, which ensures that the browser in use is part of a secure communication channel. The most robust approach is a proactively hardened browser that connects to the bank application over mutual TLS, so that the bank authenticates the client as well as the client authenticating the bank.
The fourth layer increases security for particularly sensitive transactions, such as signing contracts and transferring large sums. A transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring and behavioural analysis. This layer produces security intelligence data that can be instrumental in spotting anomalous or fraudulent behaviour indicating a malware compromise. The final layer is application security, which is especially important to mobile banking. It protects the applications on mobile devices, which must be architecturally hardened and capable of performing mutual authentication with the bank's back end. Adding this layer makes data theft much more complex for attackers.
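The exchange behind out-of-band transaction verification and transaction signing, as an added example that is not part of the original article and not any bank's or vendor's implementation. It follows the general shape of OATH challenge/response (RFC 6287, OCRA) but is a simplified construction, not that RFC's exact message format: the bank hashes the transaction it actually received into a challenge, the phone app displays those same details to the user and computes an HMAC response over them, and the bank accepts only a response that matches its own record and has not been used before. `DEMO_KEY`, the `Bank` class, the IBANs and the amounts are constructed for the demonstration; the point the code makes is that a code is bound to the beneficiary and amount, so a man-in-the-browser that alters the transfer either shows the user the altered details on the phone or ends up with a code that does not verify.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-user key shared between the banking app and the bank at enrolment.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Exactly these fields are signed; anything else the browser sends is not covered.
SIGNED_FIELDS = ("beneficiary", "amount", "currency", "nonce")


def canonical(tx: dict) -> bytes:
    """Fixed field set, order and encoding so the app and the bank hash identical bytes."""
    return json.dumps({k: str(tx[k]) for k in SIGNED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def transaction_code(key: bytes, tx: dict, digits: int = 8) -> str:
    """Challenge = SHA-256 of the transaction details; response = HMAC-SHA-256 over that
    challenge, reduced to a short decimal code the user can type back into the browser."""
    challenge = hashlib.sha256(canonical(tx)).digest()
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class Bank:
    """Hypothetical bank back end: records what the browser submitted, pushes it to the
    phone out of band, and only executes a transfer confirmed with a matching code."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}      # nonce -> transaction awaiting out-of-band confirmation
        self.completed = set()  # nonces already executed; a code is good exactly once

    def submit(self, beneficiary: str, amount: str, currency: str) -> dict:
        """Called with whatever the browser sent; a man-in-the-browser may have altered it."""
        tx = {"beneficiary": beneficiary, "amount": amount, "currency": currency,
              "nonce": secrets.token_hex(8)}
        self.pending[tx["nonce"]] = tx
        return tx  # delivered to the registered phone app, not via the browser session

    def confirm(self, nonce: str, response: str) -> bool:
        tx = self.pending.get(nonce)
        if tx is None or nonce in self.completed:
            return False
        if not hmac.compare_digest(transaction_code(self.key, tx), response):
            return False
        self.completed.add(nonce)
        del self.pending[nonce]
        return True


def user_confirms(displayed: dict, intended: dict) -> bool:
    """The human step: the phone shows beneficiary, amount and currency, and the user
    approves only if they match what was typed into the browser."""
    return all(str(displayed[k]) == str(intended[k])
               for k in ("beneficiary", "amount", "currency"))


def scenarios() -> dict:
    # Constructed transfer: example IBANs, not real accounts.
    intended = {"beneficiary": "NL91ABNA0417164300", "amount": "250.00", "currency": "EUR"}
    bank = Bank(DEMO_KEY)

    # 1. Honest browser: the phone shows what the user typed, the user signs, the bank accepts.
    tx = bank.submit(**intended)
    honest = user_confirms(tx, intended) and bank.confirm(tx["nonce"], transaction_code(DEMO_KEY, tx))

    # 2. The same code submitted again is refused: one code, one transfer.
    replay = bank.confirm(tx["nonce"], transaction_code(DEMO_KEY, tx))

    # 3. Man-in-the-browser swaps the beneficiary for a mule account before submission.
    #    The bank records the mule IBAN, so that is what the phone displays; the user notices.
    mule = bank.submit("DE89370400440532013000", intended["amount"], intended["currency"])
    mitb_noticed = not user_confirms(mule, intended)

    # 4. Even a code computed over the *intended* details does not confirm the mule transfer,
    #    because the bank verifies against the record it holds.
    relayed = transaction_code(DEMO_KEY, dict(mule, beneficiary=intended["beneficiary"]))
    forged = bank.confirm(mule["nonce"], relayed)

    return {"honest": honest, "replay": replay, "mitb_noticed": mitb_noticed, "forged": forged}
```

The nonce is what turns a signature over "250.00 EUR to NL91..." into a signature over this particular transfer; without it an attacker who captured one code could resubmit an identical transfer. Note also that `canonical` deliberately ignores fields outside `SIGNED_FIELDS`: whatever is not in that tuple is not protected by the code, so the fields a user is shown and asked to approve must all be in it.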
The security benefits to the financial institution of adopting a five-layer approach are immediate, and customers gain the assurance that their online banking provider has taken concrete steps to provide a secure environment in which to conduct their financial transactions conveniently.