Fighting eCrime in Today's Mobile Environment
By David Mahdi, Sr. Product Marketing Manager, Entrust Inc.

Stopping online fraud on the mobile battlefield

Mobile devices are now the centerpiece of consumer lifestyles. From email, social networking and banking to games, music and video, mobile devices have forced a radical shift in the way organizations service their customers.

The explosion in task-specific applications for mobile devices has gone hand-in-hand with the growth in smartphones and tablets. These applications are easy to purchase and install, and provide immediate access to information, utilities and services.

Online fraud finds new targets

But the growth in mobile devices has also driven the growth of fraud targeting them. Whether simple rogue text messages, fictitious billing scams or more malicious attacks using malware installed on the device, the number of attacks is increasing at an alarming rate. And with less education about mobile threats, users seem more inclined to fall victim to them during mobile sessions.

In the mobile environment, where the expectation is for instant, unobtrusive communication, end-user security and strong authentication need to be simple, quick and transparent.

The Proliferation of Online Threats

While many safeguards are deployed within financial institutions, criminals are evolving their techniques rapidly. Phishing, smishing and spear-phishing [1] attacks are designed to deploy malware that takes over users' browsers and mobile devices to execute malicious transactions. The malware is crafted to avoid detection by anti-virus tools. When the Trojan sits inside the browser and alters or injects transactions while the user is logged in, the result is known as a "man-in-the-browser" attack.

Most traditional defenses are rendered completely ineffective because the Trojan is difficult to detect through standard virus scanning. It has direct access to authentication data (e.g., static and one-time passcodes or even biometrics) and to the details of the transaction, because both pass through the browser it controls.

[1] A spear-phishing attack is a highly targeted form of phishing, using specific messages and information tailored to a particular user or small user group.
The New Frontier: Mobile Threats

The dramatic growth of mobile devices and smartphones, shipments of which have now surpassed PCs, makes them a logical target for malware. Mobile devices are particularly susceptible to attack for a number of reasons:

1. The distribution of applications to the devices via third-party app stores makes them susceptible to the distribution of malware. While all major devices and operating systems have been targeted, observers believe that the Google Android platform may be more susceptible to attacks than other devices because apps can be distributed anywhere on the Web.

2. Users regularly check email on mobile devices, and the current limitations of mobile browsers make it more difficult to identify fraudulent messages and sites. This increases the risk of clicking on or being duped by fraudulent messages. While larger screens on mobile devices and the gradual adoption of device identification will help mitigate these risks, the tendency for quick communication and instant response reinforces the risk.

SMS & OOB threats

Despite the limitations associated with character length and its awkward interface, SMS has been adopted by a limited number of financial institutions to add security to the online channel by providing out-of-band (OOB) authentication or out-of-band transaction verification.

And while out-of-band transaction verification leveraging the mobile device, whether via an OOB OTP sent to the device or an actual OOB phone call, provides significantly better protection against fraud, the SMS channel is also open to attacks from malware such as ZeuS or SpyEye, whose mobile components intercept SMS messages on an infected handset and forward them to the fraudster.

Attacks from every vector

But mobile threats are becoming more complicated with combined threats from multiple vectors (email, Web, SMS and voice) to obtain information that would enable control over devices. [2]

A user's mobile device may now be compromised in conjunction with an attack on their desktop. The user is first tricked into placing malware/crimeware on their desktop, enabling the fraudster to gain information about their mobile device.

[2] "Compound attacks identified as the next mobile threat," Dan Raywood, SC Magazine UK, February 8, 2011.
In turn, the mobile device is sent an SMS message, as an example, which prompts the user to click on a link and download malware onto their mobile device. Once in control of both devices, fraudsters can initiate and complete a financial transaction regardless of any online authentication or SMS-related OOB authentication or transaction verification. [3]

SMS messages used in conjunction with OOB caller authentication have also been compromised. A fraudster can gain access to the user's device ID and change that information, effectively hijacking the device. In combination with control over the user's desktop, the fraudster can initiate and complete a financial transaction on the desktop.

Enhancing Security for Online & Mobile Users

While many of the more sophisticated online threats today are able to circumvent methods of strong authentication and hijack a user's session through their browser, strong two-factor authentication remains the first pillar in a layered defense strategy to address online fraud.

Mobile soft tokens

A soft token on a user's mobile device is an effective, easy-to-use form of stronger authentication that allows banks to leverage physical devices that are already widely deployed. This out-of-band OTP is generated on the device and is used in conjunction with an individual's username and password to strongly authenticate an online-banking session.

And in some instances, a mobile soft token may be generated on the device as part of the mobile banking login process and submitted without user intervention.

While out-of-band strong authentication on its own is still susceptible to man-in-the-browser/man-in-the-mobile attacks (the OTP proves who is logging in, not which transaction they intended, so malware in the browser can submit a different transaction under a genuinely authenticated session), it increases the level of security in today's transactions, which are otherwise relatively unprotected.

Out-of-Band Transaction Verification

Banks may also use the mobile channel to send details of a transaction out-of-band to a user to confirm a transaction made in an online session on their desktop. This is best done in conjunction with an out-of-band OTP, such as a mobile soft token. For transaction verification, the user is sent three pieces of information: an OTP via out-of-band communication (e.g., soft token, SMS or voice channel); a summary of the transaction that is about to occur; and a confirmation code. The verification only helps if the user actually reads the summary before confirming, and if the confirmation code is specific to that summary, so that an approval given for one transaction cannot be reused for an altered one.

[3] "Zeus Strikes Mobile Banking: Security Experts Confirm Threat to Mobile Online Users," Tracy Kitten, BankInfoSecurity, October 13, 2010; "ZeuS Mitmo: Man-in-the-Mobile," David Barroso, S21sec, September 25, 2010.
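The following is an added example, not code from the paper or from Entrust's products, illustrating the difference between a session OTP and a transaction-bound confirmation code described above. It assumes a secret seed shared between the handset soft token and the bank's authentication server (a constructed demo value here), generates the soft-token OTP with the standard time-based algorithm (RFC 6238 over RFC 4226 HMAC-SHA1 truncation), and derives the confirmation code with a simplified HMAC-SHA256 construction over the time window, payee and amount (our own illustration, not RFC 6287 OCRA or any vendor format). The simulated man-in-the-browser substitutes a different payee and amount: the plain OTP still verifies, because nothing ties it to the transaction, while the transaction-bound code fails.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed shared by the soft token and the bank's server.
# A real deployment provisions a per-user seed at enrolment.
SHARED_SECRET = b"constructed-demo-seed-not-for-production"
STEP_SECONDS = 30
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the
    MAC's last nibble, clear the sign bit, reduce modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def soft_token_otp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Time-based OTP (RFC 6238): HMAC-SHA1 over the current time-step counter."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, DIGITS)


def transaction_code(secret: bytes, now: float, payee: str, amount_cents: int,
                     step: int = STEP_SECONDS) -> str:
    """Confirmation code bound to the transaction summary the user saw on the
    handset. Same time window as the OTP, but the MAC also covers payee and
    amount, so a code approved for one transaction is useless for another.
    Simplified construction for illustration (not OCRA / RFC 6287)."""
    counter = int(now // step)
    msg = (struct.pack(">Q", counter)
           + payee.encode("utf-8") + b"\x00"
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, DIGITS)


def bank_accepts_with_otp(secret: bytes, now: float, submitted_otp: str,
                          payee: str, amount_cents: int) -> bool:
    """Session-level check: only the OTP is verified; payee and amount are
    submitted by the browser and never enter the check."""
    return hmac.compare_digest(soft_token_otp(secret, now), submitted_otp)


def bank_accepts_with_txn_code(secret: bytes, now: float, submitted_code: str,
                               payee: str, amount_cents: int) -> bool:
    """Transaction-level check: the bank recomputes the code over the details
    that actually arrived in the online session."""
    expected = transaction_code(secret, now, payee, amount_cents)
    return hmac.compare_digest(expected, submitted_code)


def simulate_man_in_the_browser(now: float) -> dict:
    """Constructed scenario: the user approves one transaction on the handset,
    the Trojan in the desktop browser submits another."""
    intended = ("ACME Ltd", 10_000)          # what the user saw: 100.00
    altered = ("MULE-ACCT-7781", 490_000)     # what the Trojan submits: 4,900.00

    otp = soft_token_otp(SHARED_SECRET, now)                    # typed into the browser
    approval = transaction_code(SHARED_SECRET, now, *intended)  # computed on the handset

    return {
        "otp_only_accepts_altered": bank_accepts_with_otp(SHARED_SECRET, now, otp, *altered),
        "txn_code_accepts_intended": bank_accepts_with_txn_code(SHARED_SECRET, now, approval, *intended),
        "txn_code_accepts_altered": bank_accepts_with_txn_code(SHARED_SECRET, now, approval, *altered),
    }


if __name__ == "__main__":
    print(simulate_man_in_the_browser(time.time()))
```

The soft-token function reproduces the published RFC 4226/6238 test vectors (seed "12345678901234567890", time 59 gives 287082 at six digits), so the OTP half is standard; only the transaction-bound code is a simplified stand-in for whatever format a bank's mobile application uses. Note the limit that the paper itself states: if the handset is also infected (man-in-the-mobile) and the seed or the approval screen can be read by malware, the binding is defeated, which is why the verification has to be performed by code the attacker does not control.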
As we have seen, SMS and voice channels have been susceptible to attacks, but effective out-of-band transaction verification can still add a significant level of security to an online or mobile banking session.

There are approaches, specifically using a dedicated mobile application, that address vulnerabilities in OOB transaction verification. At the same time, using a mobile application enables some of these functions to be performed seamlessly in the background by embedding security functions in the application itself.

Solutions for Effective Mobile & Online Security

Banks need to adopt solutions that not only help increase confidence in the online channel, but are also designed to address the unique requirements of mobile-banking applications. Financial institutions should consider solutions that provide the broadest range of capabilities to address the online and mobile fraud threat. As a minimum, three areas should be addressed:

1. Financial institutions should deploy a software authentication platform that supports a broad range of authentication options. This provides the flexibility to deploy different methods of strong authentication depending upon the type of user (e.g., commercial banking with high-value transactions or a consumer solution), as well as the type of banking and transactions they are doing, without requiring a second authentication infrastructure. The platform should support transparent authentication (e.g., IP geolocation and device authentication), offer physical methods of strong authentication (e.g., physical tokens or grid cards) and support soft/mobile tokens that leverage mobile devices.

2. Financial institutions should look at out-of-band transaction verification using a mobile application. Integrating strong authentication and transaction verification into a mobile application is one of the most effective forms of out-of-band transaction verification technology, and is effective against attacks that compromise stronger authentication. While out-of-band transaction verification using SMS or voice dial-out provides some protection against fraud attacks, these approaches rely on baseline telecommunication technology that has already been compromised. Using a mobile application to provide transaction verification isolates it from the type of mobile attacks that have targeted SMS messages. It does not, however, isolate it from malware already running on the handset itself, which is why the security functions embedded in the application, and the user's attention to the transaction summary, still matter.