Page 41 - Cyber Warnings







Is Strong Authentication Killing the SMS-Delivered Password?

Paul Wilson, Product Manager at Easy Solutions



Over the past few years, there has been a noticeable move away from what has been the norm
for decades – communication and business conducted in person or over the phone – toward
increasingly digital-only interaction.

Customers today want to communicate with companies and financial institutions from their
smartphones or tablets.

A digital presence is expected, and it goes far beyond just having a website.

From eBay and Amazon purchases and PayPal transfers, to financial transactions made over
banking websites and apps, the more that business is performed online, the more customers
need authentication to protect them from cyberattacks.

Not too long ago, a prudent way to counter the rise in fraud threats was to shore
up the inherently insecure username/password approach by sending the end user an
SMS message that contained a one-time passcode (OTP) in order to verify an online
transaction.

But eventually, this, too, became insecure. OTPs can be intercepted, and in most cases are
sent to users unencrypted.

The one-time passcode is meant to be entered into the same transactional page where the
customer enters their name and password.

But if their device, or the page itself, has been compromised by malware, then fraudsters will be
able to harvest the OTP along with the username/password combo, and then the customer’s
account is at the mercy of the cybercriminal.

Earlier this year it was discovered that an updated version of the malware ‘Android.Bankosy’
was present on a number of Android OS phones in the Asia-Pacific region.


Once the malware was installed on the victims’ devices, it opened a back door, collected a list of
system-specific information from the phone and sent it to a server set up to collect the stolen
data and reveal infected devices’ unique IDs. Once this was completed, all incoming SMS
messages, including those that contained OTPs, could be captured, allowing the malware to
steal funds from online accounts if the victims had also previously had their login credentials
compromised.

This is hardly an isolated incident, and SMS-delivered OTPs have been compromised by
cybercriminals using numerous techniques.



41 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
