SMS authentication is not enough

Be honest, how many times a day do you log into Facebook? There's no doubting that the site is a dominant presence in many of our lives. This phenomenon has unfortunately not gone unnoticed by web predators.

A sophisticated Trojan targeting Android – specifically Facebook users – recently made the headlines.

Users logging in via an infected PC were invited to enter their mobile phone number as an additional security measure so Facebook could authorise them.

Once they had done so, the user would be sent a link via SMS that encouraged them to download a piece of malware.

Once installed, one of the main goals of the malware is to intercept one-time codes (OTCs) that are frequently used by banks and other financial institutions to authenticate users when accessing online or mobile banking.

And once a hacker has an authenticating OTC, he or she can usually take full control.

What's interesting about this particular Trojan is the number of potential points of failure it is prepared to accommodate.

The hackers infect a desktop PC in the hope that the user will access Facebook, submit their phone number, download the application, then use a mobile banking app that relies on an OTC delivered via SMS.

For many, receiving any unsolicited download link is enough to set alarm bells ringing, but this certainly isn't the case for all users, and Facebook has a colossal number of users.

It also demonstrates how sophisticated hacking methods are becoming, and it should make banks that use this form of authentication consider just how secure these OTCs really are.

And it's not just about the banks. Sending OTCs as an additional level of authentication is a popular technique used by many companies. Clearly what's needed is a way to render an OTC useless if it is intercepted by a third party.

Fortunately, help is at hand. Some of the more flexible authentication platforms available offer a third layer of security that can guard against this eventuality.

Users combine a 10-digit security string with a four-digit PIN to generate a unique OTC. This ensures the end result is never communicated or transmitted at the point of login.

It can help against common attacks such as phishing, keylogging, man-in-the-middle, or shoulder surfing.
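As an added illustration of the string-plus-PIN scheme described above (example code, not Swivel's own; the page does not give the exact combination rule, so the positional lookup used here, where each PIN digit selects a position in the security string, is an assumption), the following shows what an interceptor of the SMS actually holds, why a string is accepted only once, and how many codes a single string can stand for:

```python
import secrets

STRING_LEN = 10   # length of the security string sent to the user
PIN_LEN = 4       # length of the PIN the user keeps in their head


def _is_digits(s: str, n: int) -> bool:
    """True if s is exactly n ASCII decimal digits."""
    return len(s) == n and set(s) <= set("0123456789")


def new_security_string() -> str:
    """Server side: a fresh random 10-digit security string for one login attempt."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LEN))


def derive_otc(security_string: str, pin: str) -> str:
    """Assumed combination rule: each PIN digit names a position in the string
    (1..9, with 0 meaning position 10); the selected digits, in PIN order, form
    the one-time code. The PIN itself never leaves the user's head."""
    if not _is_digits(security_string, STRING_LEN):
        raise ValueError("security string must be 10 digits")
    if not _is_digits(pin, PIN_LEN):
        raise ValueError("PIN must be 4 digits")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


def distinct_codes(security_string: str) -> int:
    """Defender's check: how many different codes this string can yield across all
    10^4 PINs. Someone who intercepted only the string must guess among this many;
    a string with ten distinct digits gives the full 10,000, a degenerate one far fewer."""
    return len({derive_otc(security_string, f"{n:04d}") for n in range(10 ** PIN_LEN)})


class OtcServer:
    """Minimal server: issues one string per attempt and accepts it once only."""

    def __init__(self, pins):
        self._pins = dict(pins)      # user -> PIN (constructed sample; a real store protects these)
        self._pending = {}           # user -> outstanding security string

    def challenge(self, user: str) -> str:
        s = new_security_string()
        self._pending[user] = s
        return s                     # this is what travels over SMS; it is not the code

    def verify(self, user: str, submitted: str) -> bool:
        s = self._pending.pop(user, None)   # single use: a replayed string is refused
        if s is None or user not in self._pins or not _is_digits(submitted, PIN_LEN):
            return False
        expected = derive_otc(s, self._pins[user])
        return secrets.compare_digest(expected, submitted)
```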

As desktop and mobile continue to converge, more care is needed to ensure data remains secure.

Strong authentication is not simply about whether you have it or not. Decisions need to take account of developments in the IT risk environment.

Chris Russell is chief technology officer at Swivel Secure