Mobile Fraud Changes Outlook for Multifactor Authentication
SMS one-time passcodes just won't cut it anymore. We need new approaches that people will actually use.
The writing is on the wall — and the Dark Web: SMS one-time passcodes are on their way out. As malware aimed at mobile banking and payment apps becomes more prevalent, authentication by SMS has proven to be too vulnerable. Cell networks are under attack, and mobile phones can be compromised in myriad ways: loss, physical theft, account hijacking, and crimeware (such as banking Trojans, adware, spyware, ransomware, etc.). If you want to see how bad it can get, read about Brazil's ongoing nightmare with banking crimeware. In addition to a rash of banking Trojans, malware aimed at the country's Boleto system for money orders has netted nearly $4 billion in the last two years.
Plenty of evidence shows that mobile malware is increasing in the US and globally: Kaspersky Lab research, a Nokia study of 100 million devices, FBI and Federal Financial Institutions Examination Council warnings, IBM experts, and other sources show this. Much of the malware is designed to commit banking or transaction fraud by spying on consumers' credentials or intercepting SMS passcodes. To make it official, the National Institute of Standards and Technology (NIST) has issued draft national recommendations that discourage use of SMS-based two-factor authentication and recommend the use of alternative authentication factors.
We've had a hard enough time convincing consumers and companies that password protection is woefully insufficient by itself, and that two-factor authentication should be required for all sensitive authentication scenarios. Now we have to find an appealing alternative to the fairly easy-to-use SMS one-time passcode scheme. The primary problem with SMS methods (in addition to hacking vulnerability) is that they verify only the device, not the person holding it.
There are many options for next-generation authentication; the challenge lies in creating implementations that are efficient for the authenticator and seamless for the user. True multifactor authentication processes should use something you have, something you know, and something you are. For example: your phone or hardware token, a password, and a unique biometric characteristic.
The Consumer Factor
It's easy to see how true multifactor authentication is both more secure and more cumbersome. Consumers who prefer to pay by waving their phone in front of a scanner won't be pleased with a three-step process and will circumvent it if possible. More work needs to be done figuring out how customers want to use their mobile wallets and banking apps, and what types of security measures they will comply with. The NIST guidelines encourage moving toward biometric authentication methods, if they are used in combination with other factors (e.g., strong passwords). While biometric applications such as facial-recognition technology have been employed by law enforcement and government agencies for some time, they have only recently become practical for widespread commercial use. Likewise, smartphones are now prevalent enough that most consumers can complete biometric authentication processes on the go.
With the proper attention to the details of user experience, biometric authentication can be easy-to-use (nothing to remember or carry), virtually tamper-proof (more difficult and labor-intensive to spoof a retina, voice, or facial symmetry), and more secure (can't be cyber-hijacked). Moreover, there are several biometric methods that could be used in various combinations or layers to better thwart hacker workarounds. Innovative companies are developing enterprise-ready versions of hardware and software for matching validated records to scans of faces, voices, fingerprints, hands, retinas, and even ear shapes.
The best solutions will take advantage of behaviors users find natural and simple, such as taking selfies, validating government-issued identity credentials, scanning fingerprints, and repeating voice prompts. HSBC now permits customers to use selfies to access their accounts; other major banks have implemented voice and fingerprint-recognition options. Such methods will become increasingly common
As cyber currency, blockchain technologies, and other innovations become more mainstream, millions of people around the world will use banking and lending services for the first time, and the vast majority of them will do so primarily through mobile devices. Even in developed economies, mobile payment ecosystems are still being established, and there are many challenges to be addressed. Security and privacy are top concerns for traditional financial institutions, financial technology innovators, and consumers. Cybercriminals, crimeware developers, hacktivists, and black market syndicates will move rapidly from one opportunity to the next, exploiting every opening that aids them in their quest to defraud, steal, blackmail, and expose.
True protection of institutions and individuals means developing a variety of methods, using them in layers, and discontinuing the use of approaches that are outdated. An example can be to validate a government-issued identity document that is highly likely to be authentic and then match a selfie to the photo on that document in addition to password protection. Developing simple, modular mechanisms for securing sensitive mobile transactions is essential as the digital economy continues to rapidly develop. Failure to provide the ability to transact securely will impact all industries, including the currently booming sharing economy businesses such as Uber and Airbnb.
Related Content:
About the Author
You May Also Like