"Fighting eCrime in Today's Mobile Environment" analyzes the proliferation of mobile devices and the rapidly increasing security threats that pose a danger to enterprises.
Entrust - Fighting E-crime_April_2012
Fighting eCrime in Today’s Mobile Environment
By David Mahdi, Sr. Product Marketing Manager, Entrust Inc.
Stopping online fraud on the mobile battlefield
Mobile devices are now the centerpiece to consumer lifestyles. From email
communication, social networking, banking, games, music and video, mobile
devices have forced a radical shift in the way in which organizations service
their customers.
The explosion in task-specific applications for mobile devices has gone hand-
in-hand with the growth in cell phones and other computing tablets. These
applications are easy to purchase and install, and provide immediate access
to information, utilities and services.
Online fraud finds new targets
But the growth in mobile devices has also driven the incidence of fraud targeting these devices. Whether simple rogue text messages, fictitious billing scams or more malicious attacks using malware installed on the device, the number of attacks is increasing at an alarming rate. And with less education about mobile threats, users seem more inclined to fall victim to them during mobile sessions.
In the mobile environment, where the expectation is for instant, unobtrusive communication, end-user security and strong authentication need to be simple, quick and transparent.
The Proliferation of Online Threats
While many safeguards are deployed within financial institutions, criminals are evolving their techniques rapidly. Phishing, smishing and spear-phishing [1] attacks are designed to deploy malware, which takes over users’ browsers and mobile devices to execute malicious transactions. The malware is crafted to avoid detection by anti-virus tools. The result is known as a “man-in-the-browser” attack.
Most traditional defenses are rendered completely ineffective because the
Trojan is difficult to detect through standard virus-scanning. It has direct
access to authentication data (e.g., static and one-time passcodes or even
biometrics) and details of the transaction.
[1] A spear-phishing attack is a highly targeted form of phishing, using specific messages and information tailored to a particular user or small user group.
The New Frontier: Mobile Threats
The dramatic growth of mobile devices and smartphones, shipments of which have now surpassed PCs, makes them a logical target for malware. Mobile devices are particularly susceptible to attack for a number of reasons:
1. The distribution of applications to the devices, via third-party app stores, makes them susceptible to the distribution of malware. While all major devices and operating systems have been targeted, observers believe that the Google Android platform may be more susceptible to attacks than other devices because the apps can be distributed anywhere on the Web.
2. Users are regularly checking email on mobile devices and the current
limitations of mobile browsers make it more difficult to identify
fraudulent messages and sites. This increases the risk of clicking on
or being duped by fraudulent messages. While larger screens on
mobile devices and the gradual adoption of device identification will
help mitigate these risks, the tendency for quick communication and
instant response reinforces the risk.
SMS & OOB threats
Despite the limitations associated with character lengths and its awkward
interface, SMS has been adopted by a limited number of financial institutions
to add security to the online channel by providing out-of-band (OOB)
authentication or out-of-band transaction verification.
And while out-of-band transaction verification leveraging the mobile device —
whether via an OOB OTP sent to the device or an actual OOB phone call —
provides significantly better protection against fraud, the SMS channel is also
open to attacks from malware such as ZeuS or SpyEye.
Attacks from every vector
But mobile threats are becoming more complicated with combined threats from multiple vectors — email, Web, SMS and voice — to obtain information that would enable control over devices. [2]
A user’s mobile device now may be compromised in conjunction with an
attack on their desktop. The user is first tricked into placing
malware/crimeware on their desktop, enabling the fraudster to gain
information about their mobile device.
[2] “Compound attacks identified as the next mobile threat,” Dan Raywood, SC Magazine UK, February 8, 2011.
In turn, the mobile device is sent an SMS message, as an example, which prompts the user to click on a link and download malware onto their mobile device. Once in control of both devices, fraudsters can initiate and complete a financial transaction regardless of any online authentication or SMS-related OOB authentication or transaction verification. [3]
SMS messages used in conjunction with OOB caller authentication have also been compromised. A fraudster can gain access to the user’s device ID and is able to change that information, effectively hijacking the device. In combination with control over the user’s desktop, the fraudster can initiate and complete a financial transaction on the desktop.
Enhancing Security for Online & Mobile Users
While many of the more sophisticated online threats today are able to circumvent methods of strong authentication and hijack a user’s session through their browser, strong two-factor authentication remains the first pillar in a layered defense strategy to address online fraud.
Mobile soft tokens
A soft token on a user’s mobile device is an effective, easy-to-use form of stronger authentication that allows banks to leverage physical devices that are widely deployed. This out-of-band OTP is generated on the device and is used in conjunction with an individual’s username and password to strongly authenticate an online-banking session.
And in some instances, a mobile soft token may be generated on the device
as part of the mobile banking login process and submitted without user
intervention.
While out-of-band strong authentication on its own is still susceptible to man-in-the-browser/man-in-the-mobile attacks, it raises the level of security for today’s transactions, which are otherwise relatively unprotected.
Out-of-Band Transaction Verification
Banks may also use the mobile channel to send details of a transaction out-
of-band to a user to confirm a transaction made in an online session on their
desktop. This is best done in conjunction with an out-of-band OTP, such as a
mobile soft token. For transactional verification, the user is sent three pieces
of information:
- an OTP via out-of-band communication (e.g., soft token, SMS or voice channel);
- a summary of the transaction that’s about to occur;
- and a confirmation code.
[3] “Zeus Strikes Mobile Banking: Security Experts Confirm Threat to Mobile Online Users,” Tracy Kitten, BankInfoSecurity, October 13, 2010; “ZeuS Mitmo: Man-in-the-Mobile,” David Barroso, S21sec, September 25, 2010.
As we have seen, SMS and voice channels have been susceptible to attacks, but effective out-of-band transaction verification can still add a significant level of security to an online or mobile banking session.
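The mobile soft token and the out-of-band transaction verification described above, as an added Python example that is not Entrust’s code or part of this paper: the soft token on the phone generates an RFC 4226 HOTP, the bank binds a confirmation code to the transaction summary it pushes out-of-band to the phone, and the desktop session must return both before the bank acts. The seed, the transaction fields, the code lengths and the counter look-ahead window are constructed assumptions chosen for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret, provisioned into the soft token at enrolment (assumption).
SEED = b"constructed-soft-token-seed-for-illustration"
OTP_LOOKAHEAD = 3  # accept counters slightly ahead of the server's (user skipped a code)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def summarize(tx: dict) -> str:
    """Canonical one-line transaction summary, shown to the user on the phone."""
    return f"Pay {tx['amount']:.2f} {tx['currency']} to {tx['payee']} from {tx['account']}"


def confirmation_code(secret: bytes, counter: int, summary: str, digits: int = 8) -> str:
    """Confirmation code bound to this counter AND this summary (HMAC-SHA256), so a code
    issued for one transaction cannot be reused to confirm a different one."""
    msg = struct.pack(">Q", counter) + summary.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class SoftToken:
    """Mobile side: holds the seed and a moving counter, nothing else."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def next_otp(self) -> str:
        otp = hotp(self.seed, self.counter)
        self.counter += 1
        return otp


class BankServer:
    """Bank side: same seed, server-side counter, and the pending transactions."""
    def __init__(self, seed: bytes):
        self.seed, self.counter, self.pending = seed, 0, {}

    def submit(self, tx_id: str, tx: dict) -> dict:
        """The desktop session submits a transaction; the bank pushes an OOB message
        (summary + confirmation code) to the registered mobile device."""
        summary = summarize(tx)
        self.pending[tx_id] = (dict(tx), self.counter)
        return {"summary": summary,
                "confirmation_code": confirmation_code(self.seed, self.counter, summary)}

    def confirm(self, tx_id: str, otp: str, code: str) -> bool:
        """The desktop session returns the OTP from the soft token and the confirmation
        code the user read on the phone. Both must match the pending transaction."""
        entry = self.pending.get(tx_id)
        if entry is None:
            return False
        tx, issued_counter = entry
        expected = confirmation_code(self.seed, issued_counter, summarize(tx))
        if not hmac.compare_digest(code, expected):
            return False
        for c in range(self.counter, self.counter + OTP_LOOKAHEAD):
            if hmac.compare_digest(otp, hotp(self.seed, c)):
                self.counter = c + 1  # resynchronise and block replay of this OTP
                del self.pending[tx_id]
                return True
        return False


def run_scenarios() -> dict:
    """Constructed walk-through: a legitimate confirmation, a man-in-the-browser
    substitution that the user catches on the phone, and a replayed confirmation code."""
    token, bank = SoftToken(SEED), BankServer(SEED)
    intended = {"amount": 120.00, "currency": "USD", "payee": "ACME Utilities", "account": "1234"}

    # 1. Legitimate: the summary on the phone matches intent, user enters OTP + code.
    oob = bank.submit("tx1", intended)
    legit = (oob["summary"] == summarize(intended)
             and bank.confirm("tx1", token.next_otp(), oob["confirmation_code"]))

    # 2. Man-in-the-browser swaps payee and amount before submission. The phone shows
    #    the bank's view of the transaction, so the user sees the tampering and declines.
    tampered = dict(intended, payee="MULE ACCOUNT", amount=4900.00)
    oob2 = bank.submit("tx2", tampered)
    user_declines = oob2["summary"] != summarize(intended)

    # 3. The code captured for tx1 is replayed to push tx2 through: bound to tx1, it fails.
    replay_rejected = not bank.confirm("tx2", token.next_otp(), oob["confirmation_code"])

    return {"legit": legit, "user_declines": user_declines, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_scenarios())
```

The point the code makes that the text only states: the confirmation code is worth little on its own, but binding it to the summary the user actually sees on the phone ties the user’s approval to one exact transaction, so a code phished or captured for one payment cannot confirm another. As the paper notes, this still assumes the phone itself is not under the fraudster’s control.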
There are approaches, specifically using a dedicated mobile application, that address vulnerabilities in OOB transaction verification. At the same time, using a mobile application enables some of these functions to be performed seamlessly in the background by embedding security functions in the application itself.
Solutions for Effective Mobile & Online Security
Banks need to adopt solutions that not only help increase confidence in the online channel, but are also designed to address the unique requirements of mobile-banking applications. Financial institutions should consider solutions that provide the broadest range of capabilities to address the online and mobile fraud threat. As a minimum, there are three areas that should be addressed:
1. Financial institutions should deploy a software authentication platform that supports a broad range of authentication options. This provides the flexibility to deploy different methods of strong authentication depending upon the type of user (e.g., commercial banking with high-value transactions or a consumer solution), as well as the type of banking and transactions they are doing, without requiring a second authentication infrastructure.
The platform should support transparent authentication (e.g., IP-geolocation and device authentication), offer physical methods of strong authentication (e.g., physical tokens or grid cards) and support soft/mobile tokens that leverage mobile devices.
2. Financial institutions should look at out-of-band transaction
verification using a mobile application. Integrating strong
authentication and transaction verification into a mobile application is
one of the most effective forms of out-of-band transaction verification
technology — and is effective against attacks that compromise
stronger authentication.
While out-of-band transaction verification using SMS or voice dial-out provides some protection against fraud attacks, these approaches rely on baseline telecommunication technology that has already been compromised. Using a mobile application to provide transaction verification, by contrast, isolates it from the type of mobile attacks that have targeted SMS messages.