By David Mahdi
Sr. Product Marketing Manager
Entrust Inc.
A spear-phishing attack is a highly targeted form of phishing, using specific messages and information tailored to a particular user or small user group.
Mobile threats are becoming more complicated with combined threats from multiple vectors (email, Web, SMS and voice) to obtain information that would enable control over devices.
Compound attacks identified as the next mobile threat, Dan Raywood, SC Magazine UK, February 8, 2011.
In turn, the mobile device is sent an SMS message, as an example, which prompts the user to click on a link and download malware onto their mobile device. Once in control of both devices, fraudsters can initiate and complete a financial transaction regardless of any online authentication or SMS-related OOB authentication or transaction verification. SMS messages used in conjunction with OOB caller authentication also have been compromised. A fraudster can gain access to the user's device ID and is able to change that information, effectively hijacking the device. In combination with control over the user's desktop, the fraudster can initiate and complete a financial transaction on the desktop.
While many of the more sophisticated online threats today are able to circumvent methods of strong authentication and hijack a user's session through their browser, strong two-factor authentication remains the first pillar in a layered defense strategy to address online fraud.
Zeus Strikes Mobile Banking: Security Experts Confirm Threat to Mobile Online Users, Tracy Kitten, BankInfoSecurity, October 13, 2010; ZeuS Mitmo: Man-in-the-Mobile, David Barroso, S21sec, September 25, 2010.
As we have seen, SMS and voice channels have been susceptible to attacks, but effective out-of-band transaction verification can still add a significant level of security to an online or mobile banking session. There are approaches, specifically using a dedicated mobile application, that address vulnerabilities in OOB transaction verification. At the same time, using a mobile application enables some of these functions to be performed seamlessly in the background by embedding security functions in the application itself.
3. Financial institutions should look at solutions that provide the capability to embed security features of the authentication platform directly into a mobile application, improving security within mobile banking applications while making it transparent and easy for users. Applications are already available that enable developers to easily build strong authentication natively into their mobile banking applications. It's seamless and transparent for users, providing enhanced security for transactions without requiring the user to enter a one-time passcode. With the frequency and complexity of fraud attacks increasing, and the morphing of traditional fraud attacks into the mobile space, financial institutions need to become more aggressive in implementing online and mobile security; and they need to look beyond traditional security measures that don't apply in the mobile environment.
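The difference between an SMS one-time passcode and in-app transaction verification described above, as an added example (not Entrust's code or API): a code computed by the app over the transaction details the user actually confirmed, keyed with a device-bound secret, fails to validate a transaction that desktop malware has altered, whereas a plain OTP passes regardless of what transaction it is attached to. The device key, challenge and account values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

def canonical(tx: dict) -> bytes:
    """Stable byte encoding of the transaction fields shown to the user."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def sms_otp_authorizes(otp_issued: str, otp_submitted: str) -> bool:
    """Plain OTP check: proves only that the code was seen, not which
    transaction the user meant, so a relayed code authorizes anything."""
    return hmac.compare_digest(otp_issued, otp_submitted)

def app_sign_transaction(device_key: bytes, challenge: bytes, tx_displayed: dict) -> str:
    """Runs inside the mobile app after the user confirms the displayed
    details: HMAC over (challenge || transaction) with the per-device key
    provisioned at enrollment, so the code is bound to those details."""
    mac = hmac.new(device_key, challenge + canonical(tx_displayed), hashlib.sha256)
    return mac.hexdigest()[:16]

def server_verify(device_key: bytes, challenge: bytes, tx_received: dict, code: str) -> bool:
    """Bank side: recompute over the transaction that was actually submitted."""
    expected = app_sign_transaction(device_key, challenge, tx_received)
    return hmac.compare_digest(expected, code)

# Constructed scenario values (hypothetical, not from any real system).
DEVICE_KEY = bytes.fromhex("11" * 32)
INTENDED = {"payee": "ACME Utilities", "account": "12345678", "amount": "120.00"}
TAMPERED = {"payee": "Mule Account", "account": "99999999", "amount": "4900.00"}

def demo() -> dict:
    challenge = secrets.token_bytes(16)  # fresh per transaction, sent out of band
    # Desktop malware swaps INTENDED for TAMPERED and relays the SMS code.
    otp = "493027"
    otp_passes = sms_otp_authorizes(otp, otp)  # the bank cannot tell them apart
    # The app showed INTENDED to the user; the bank received TAMPERED.
    code = app_sign_transaction(DEVICE_KEY, challenge, INTENDED)
    return {
        "otp_passes_for_tampered": otp_passes,
        "bound_code_passes_for_tampered": server_verify(DEVICE_KEY, challenge, TAMPERED, code),
        "bound_code_passes_for_intended": server_verify(DEVICE_KEY, challenge, INTENDED, code),
        "bound_code_replayed_later": server_verify(DEVICE_KEY, secrets.token_bytes(16), INTENDED, code),
    }

if __name__ == "__main__":
    print(demo())
```

The binding only helps while the device key stays out of the malware's reach; in the Zeus Mitmo case the paper cites, where the handset itself is compromised, the protection depends on how the app protects that key.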
About Entrust
A trusted provider of identity-based security solutions, Entrust empowers governments, enterprises and financial institutions in more than 5,000 organizations spanning 85 countries. Entrust's award-winning software authentication platforms manage today's most secure identity credentials, addressing customer pain points for cloud and mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. For more information about Entrust products and services, call 888-690-2424, email or visit www.entrust.com.