
Fighting eCrime in Todays Mobile Environment

Stopping online fraud on the mobile battlefield


Mobile devices are now the centerpiece of consumer lifestyles. From email communication, social networking, banking, games, music and video, mobile devices have forced a radical shift in the way in which organizations service their customers. The explosion in task-specific applications for mobile devices has gone hand-in-hand with the growth in cell phones and other computing tablets. These applications are easy to purchase and install, and provide immediate access to information, utilities and services.

Online fraud finds new targets

But the growth in mobile devices has also driven the incidence of fraud targeting these devices. Whether simple rogue text messages, fictitious billing scams or more malicious attacks using malware installed on the device, the number of attacks is increasing at an alarming rate. And with less education about mobile threats, users seem more inclined to fall victim to them during mobile sessions. In the mobile environment, where the expectation is for instant, unobtrusive communication, end-user security and strong authentication need to be simple, quick and transparent.

By David Mahdi
Sr. Product Marketing Manager

Entrust Inc.

The Proliferation of Online Threats


While many safeguards are deployed within financial institutions, criminals are evolving their techniques rapidly. Phishing, smishing and spear-phishing attacks are designed to deploy malware, which takes over users' browsers [1] and mobile devices to execute malicious transactions. The malware is crafted to avoid detection by anti-virus tools. The result is known as a man-in-the-browser attack. Most traditional defenses are rendered completely ineffective because the Trojan is difficult to detect through standard virus-scanning. It has direct access to authentication data (e.g., static and one-time passcodes or even biometrics) and details of the transaction.

[1] A spear-phishing attack is a highly targeted form of phishing, using specific messages and information tailored to a particular user or small user group.

The New Frontier: Mobile Threats


The dramatic growth of mobile devices and smartphones, shipments of which have now surpassed PCs, makes them a logical target for malware. Mobile devices are particularly susceptible to attack for a number of reasons:

1. The distribution of applications to the devices via third-party app stores makes them susceptible to the distribution of malware. While all major devices and operating systems have been targeted, observers believe that the Google Android platform may be more susceptible to attacks than other devices because apps can be distributed anywhere on the Web.

2. Users regularly check email on mobile devices, and the current limitations of mobile browsers make it more difficult to identify fraudulent messages and sites. This increases the risk of clicking on or being duped by fraudulent messages. While larger screens on mobile devices and the gradual adoption of device identification will help mitigate these risks, the tendency for quick communication and instant response reinforces the risk.

SMS & OOB threats

Despite the limitations associated with character lengths and its awkward interface, SMS has been adopted by a limited number of financial institutions to add security to the online channel by providing out-of-band (OOB) authentication or out-of-band transaction verification. And while out-of-band transaction verification leveraging the mobile device (whether via an OOB OTP sent to the device or an actual OOB phone call) provides significantly better protection against fraud, the SMS channel is also open to attacks from malware such as ZeuS or SpyEye.

Attacks from every vector

But mobile threats are becoming more complicated with combined threats from multiple vectors (email, Web, SMS and voice) to obtain information that would enable control over devices. [2] A user's mobile device now may be compromised in conjunction with an attack on their desktop. The user is first tricked into placing malware/crimeware on their desktop, enabling the fraudster to gain information about their mobile device. In turn, the mobile device is sent an SMS message, as an example, which prompts the user to click on a link and download malware onto their mobile device. Once in control of both devices, fraudsters can initiate and complete a financial transaction regardless of any online authentication or SMS-related OOB authentication or transaction verification. [3] SMS messages used in conjunction with OOB caller authentication also have been compromised. A fraudster can gain access to the user's device ID and is able to change that information, effectively hijacking the device. In combination with control over the user's desktop, the fraudster can initiate and complete a financial transaction on the desktop.

[2] "Compound attacks identified as the next mobile threat," Dan Raywood, SC Magazine UK, February 8, 2011.


Enhancing Security for Online & Mobile Users


While many of the more sophisticated online threats today are able to circumvent methods of strong authentication and hijack a user's session through their browser, strong two-factor authentication remains the first pillar in a layered defense strategy to address online fraud.

Mobile soft tokens

A soft token on a user's mobile device is an effective, easy-to-use form of stronger authentication that allows banks to leverage physical devices that are widely deployed. This out-of-band OTP is generated on the device and is used in conjunction with an individual's username and password to strongly authenticate an online-banking session. And in some instances, a mobile soft token may be generated on the device as part of the mobile banking login process and submitted without user intervention. While out-of-band strong authentication on its own is still susceptible to man-in-the-browser/man-in-the-mobile attacks, it increases the level of security in today's transactions, which are relatively unprotected.

Out-of-Band Transaction Verification

Banks may also use the mobile channel to send details of a transaction out-of-band to a user to confirm a transaction made in an online session on their desktop. This is best done in conjunction with an out-of-band OTP, such as a mobile soft token. For transactional verification, the user is sent three pieces of information: an OTP via out-of-band communication (e.g., soft token, SMS or voice channel); a summary of the transaction that's about to occur; and a confirmation code.


[3] "Zeus Strikes Mobile Banking: Security Experts Confirm Threat to Mobile Online Users," Tracy Kitten, BankInfoSecurity, October 13, 2010; "ZeuS Mitmo: Man-in-the-Mobile," David Barroso, S21sec, September 25, 2010.

As we have seen, SMS and voice channels have been susceptible to attacks, but effective out-of-band transaction verification can still add a significant level of security to an online or mobile banking session. There are approaches, specifically using a dedicated mobile application, that address vulnerabilities in OOB transaction verification. At the same time, using a mobile application enables some of these functions to be performed seamlessly in the background by embedding security functions in the application itself.
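The three-part verification message described above (OTP, transaction summary, confirmation code), as an added example that is not Entrust's code and does not describe its product: a Python sketch of the bank side, in which the soft-token OTP is standard HOTP (RFC 4226) and the confirmation code is assumed to be an HMAC bound to the transaction text, so a code harvested from the SMS channel by malware such as ZeuS cannot be reused to approve a transaction whose payee or amount differs. The seed, field names and amounts are constructed.

```python
import hashlib
import hmac
import struct


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC digest to a numeric code."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def soft_token_otp(seed: bytes, counter: int) -> str:
    """HOTP (RFC 4226): the out-of-band OTP a mobile soft token generates."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_summary(tx: dict) -> str:
    """Canonical one-line summary shown to the user; the field set is constructed."""
    return f"Pay {tx['amount']} {tx['currency']} to {tx['payee']} ref {tx['ref']}"


def confirmation_code(seed: bytes, counter: int, tx: dict) -> str:
    """Confirmation code bound to the transaction (assumed construction, not
    Entrust's): HMAC-SHA256 over counter || summary, so the code is valid for
    exactly this transaction and this attempt."""
    msg = struct.pack(">Q", counter) + transaction_summary(tx).encode("utf-8")
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


def build_oob_message(seed: bytes, counter: int, tx: dict) -> dict:
    """Bank side: the three items the text describes, sent out-of-band to the user."""
    return {
        "otp": soft_token_otp(seed, counter),
        "summary": transaction_summary(tx),
        "confirmation_code": confirmation_code(seed, counter, tx),
    }


def verify_confirmation(seed: bytes, counter: int, tx_received: dict, code_entered: str) -> bool:
    """Bank side: recompute over the transaction actually received. A code issued
    for one transaction fails for one whose payee, amount or counter differs."""
    expected = confirmation_code(seed, counter, tx_received)
    return hmac.compare_digest(expected, code_entered)


# Constructed sample data (not real keys or accounts).
SEED = b"constructed-soft-token-seed-0001"
TX_INTENDED = {"amount": "250.00", "currency": "USD", "payee": "Acme Utilities", "ref": "INV-1042"}
TX_TAMPERED = dict(TX_INTENDED, payee="Other Payee Ltd", amount="2500.00")

if __name__ == "__main__":
    msg = build_oob_message(SEED, 17, TX_INTENDED)
    print(msg, verify_confirmation(SEED, 17, TX_INTENDED, msg["confirmation_code"]))
```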


Solutions for Effective Mobile & Online Security


Banks need to adopt solutions that not only help increase confidence in the online channel, but are also designed to address the unique requirements of mobile-banking applications. Financial institutions should consider solutions that provide the broadest range of capabilities to address the online and mobile fraud threat. As a minimum, there are three areas that should be addressed:

1. Financial institutions should deploy a software authentication platform that supports a broad range of authentication options. This provides the flexibility to deploy different methods of strong authentication depending upon the type of user (e.g., commercial banking with high-value transactions or a consumer solution), as well as the type of banking and transactions they are doing, without requiring a second authentication infrastructure. The platform should support transparent authentication (e.g., IP geolocation and device authentication), offer physical methods of strong authentication (e.g., physical tokens or grid cards) and support soft/mobile tokens that leverage mobile devices.

2. Financial institutions should look at out-of-band transaction verification using a mobile application. Integrating strong authentication and transaction verification into a mobile application is one of the most effective forms of out-of-band transaction verification technology and is effective against attacks that compromise stronger authentication. While out-of-band transaction verification using SMS or voice dial-out provides some protection against fraud attacks, these approaches rely on baseline telecommunication technology that has already been compromised. Using a mobile application to provide transaction verification isolates it from the type of mobile attacks that have targeted SMS messages.


3. Financial institutions should look at solutions that provide the capability to embed security features of the authentication platform directly into a mobile application, improving security within mobile banking applications while making it transparent and easy for users. Applications are already available that enable developers to easily build strong authentication natively into their mobile banking applications. It's seamless and transparent for users, providing enhanced security for transactions without requiring the user to enter a one-time passcode.

With the frequency and complexity of fraud attacks increasing, and the morphing of traditional fraud attacks into the mobile space, financial institutions need to become more aggressive in implementing online and mobile security; and they need to look beyond traditional security measures that don't apply in the mobile environment.

About Entrust

A trusted provider of identity-based security solutions, Entrust empowers governments, enterprises and financial institutions in more than 5,000 organizations spanning 85 countries. Entrust's award-winning software authentication platforms manage today's most secure identity credentials, addressing customer pain points for cloud and mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. For more information about Entrust products and services, call 888-690-2424, email or visit www.entrust.com.

2012 Entrust Inc. All rights reserved.
