Security breaches at trusted global corporations, such as Target and eBay are becoming a regular occurrence. Valuable customer data serves as a new currency of sorts for fraudsters, prompting the digital underground to stage well thought out attacks on a scale previously unheard of.
While the risk of reputational blowback and financial loss has reached new heights, many organizations, including card-issuing financial institutions, remain dependent on outdated, easily compromised authentication systems for users and transactions. In other words, banks and credit unions are leaving the back door wide open for fraudsters to attack whenever they please.
The most frequently used authentication system today is the one-time password (OTP), a passcode made valid for a single system login, payment, or other transaction, and then discarded. Originally developed to improve on the security of static passwords, OTPs were considered state of the art at the time of their introduction…nearly 30 years ago. Today, financial institutions continue to deploy these systems for online transactions and authentication security despite their well-documented vulnerabilities.
Cyber criminals have been successfully attacking banks leveraging OTP-based systems for a decade. Swedish Internet bank Nordea fell victim to one of the first large scale attacks in October 2005 when the institution’s paper-based OTP security system was compromised by a phishing scam. Less than a year later, in July 2006, Citibank’s CitiBusiness Online was also attacked. Unlike Nordea, Citibank relied on OTPs generated by a hardware token, but this still provided fraudsters with everything they needed to infiltrate user accounts.
Regardless of the specific type of OTP-based authentication system, they all share the same basic flaws and vulnerabilities. First, they are all symmetric, as the bank has access to the exact same information as its customers. Second, OTP systems all maintain reliance on browser-based communications. Because of this, should a phishing site be set up to mimic the bank’s online portal or the browser is compromised in some other way, user credentials and the OTP can easily be captured by fraudsters and immediately utilized to access accounts and authenticate fraudulent transactions.
One of the most commonly used methods of delivering OTPs is through the SMS channel. For more than a decade, banks have leveraged SMS to provide customers with OTPs.
While SMS may be more convenient for the customer (eliminating as it does the need to carry around a specialized hardware token), the channel is considered unsafe for several reasons. The security of SMS relies heavily on cellular networks’ security parameters and, without access to GSM or 3G networks, the confidentiality of text messages cannot be assured. Mobile phones are highly susceptible to trojans, such as Zeus, Zitmo, Citadel and Perkal, which prey on open access to SMS on mobile phones to intercept OTPs. In addition, fraudsters leverage several other forms of attack on the SMS channel, including SIM clones, number porting attacks, fake caller ID and call forwarding scams to exploit network weaknesses. And costs incurred from utilizing the SMS channel are extremely high. On top of transactional costs, a single SMS can range anywhere from $.10 to $.20 depending on location and message volume, which significantly impacts the overall cost.
Although the use of SMS as a delivery method for OTPs is no longer a viable option, the mobile device itself can play an important role in helping to make the authentication process more secure without sacrificing convenience for customers.
By leveraging the ubiquity, power and universal connectivity of the mobile device to authenticate transactions, financial institutions can not only offer their customers access anytime, anywhere, but also better authenticate and secure other forms of customer interaction, such as credit and debit card payments and call center communications. Rather than relying on the security of cellular networks, deploying industry-standard X.509 digital certificates to customers’ mobile phones and tablets enables banks to uniquely confirm their identities, essentially transforming the mobile device into a second factor of authentication.
For those institutions committed to leveraging mobile technology for their banking offerings, it is time to ditch the SMS channel. Instead, new technologies are available to the financial services industry that allow institutions to capitalize on the convenience and security of mobile devices to virtually eliminate all forms of man-in-the-middle attacks and enable mutual authentication and secure communication between the customer’s mobile device and the institution.
Christiaan Brand is co-founder and chief technology officer of Entersekt.