The Growing Penetration of Mobile Security
The mobile revolution is inexorable. Mobile devices such as smartphones, netbooks and tablets proliferate in today’s personal and professional environment. A major part of people’s lives takes place on their mobile phone: connecting with friends and family via social networks, sharing pictures, gaming, shopping, matrimonial services, etc. We believe that the explosive growth in mobile apps has triggered the demand for user-friendly security solutions. Users demand trustworthy apps, secure user access to their applications, and the ability to safely perform mobile transactions. The implementation of two-factor authentication in our mobile, daily life requires the commitment of both application owners and end users. It is a joint effort that creates a balance between security and day-to-day convenience. Ultimately, mobility is about user convenience.
Transacting on mobiles on a roll
Mobile payments are an emerging and rapidly-growing alternative payment method, already quite popular in Europe and Asia. Rather than pay by cash, check, or credit card, an individual can opt to use their mobile phone to pay for an ever-increasing range of (digital) goods and services. Because of their quick transaction speed and convenience, mobile payments are gaining popularity as a method of paying for small-ticket items, such as:
- Music, videos, ringtones, online game subscriptions, wallpapers, and other digital goods
- Transportation fares (bus, subway, or train), parking meters, phone credits, and other services
- Books, magazines, tickets, and other hard goods
While embracing the flexibility of mobile, it is essential not to be heedless of the dangers that may come with it. Concerns about data integrity, the privacy and accessibility of sensitive data and data protection requirements are the most significant obstacles.
Security is as strong as the weakest link
Protecting access to applications such as m-commerce or m-banking services or access to corporate networks becomes essential. However, any security system is only as effective as its weakest link. These days, most consumers already find it difficult to manage their digital life. They have already created several accounts and it has become quite a hassle to remember all these username and password combinations. A lot of people have seemingly solved this problem by using the same username and password combinations over and over again. Unfortunately, this makes the accounts even more vulnerable. Putting aside that static passwords provide a weak level of security, using the same static password over and over again lowers the security level even more. It makes it possible for hackers to break into one’s account, steal the credentials and use them to enter all kinds of accounts a person would have created. Users have to let go of static passwords and realize they do not offer enough security anymore. Strong authentication is a lot more secure and even more user-friendly. Furthermore, mobile devices are often not password-enabled and lack the ability to authenticate users and control access to data stored on the devices.
Need for authentication for mobiles
Potential threats for mobile applications such as m-banking and m-commerce or even remote access to a corporate network are similar to those of traditional applications; only the platform and technology have changed. As the business world will continue to change under the influence of continuous technological developments, working practices will change as well. And with the increasing trend of BYOD (Bring Your Own Device) on the work floor, security remains all-important.
Innovation and development in mobile solutions (both for mobile applications and for mobile devices and users) are expanding beyond industry trends and address the growing need to protect the mobile device. This means establishing the integrity of the device, through jailbreak and root detection, and identifying the presence of malware on the device that could compromise the integrity of the authentication process.
Multi-factor and two-factor authentication: an added security layer
Deploying an adequate security environment for every mobile device used by customers, consumers or employees is a daunting task. Furthermore, end users don’t want to be burdened with laborious procedures in order to retrieve information or complete an online transaction.
Two-factor authentication offers an answer to these challenges. It provides a higher level of security than traditional passwords and ensures that only authorized people gain access. The mobile device is then used as a second factor and can be used as an authentication device to generate a strong one-time password. This password, with a limited validity, can be generated on the device itself or can be sent via text message to the user’s mobile phone.
Multi-factor or two-factor authentication is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the trusted device. Conversely, if the user happens to lose the device, the finder of that device won’t be able to use it unless he or she also knows the user’s password. An ideal multi-factor authentication requires users to also verify sign-ins using a mobile app, phone call or text message.
Apple Pay – Advocating mobile security
Apple recently launched Apple Pay to bring more convenience to their customers. It goes without saying that any method for making payment convenient invites associated security threats. Apple Pay won’t be much of an exception. Acknowledging security threats is the ideal start for addressing security concerns. Apple’s proactive approach to combating security threats reiterates the importance of authentication.
Apple is being smart in addressing all of the potential vulnerabilities in Apple Pay. The old approach to mobile security was to focus on protecting just the transaction. Today, it’s moved to the bigger task of protecting the mobile device and all that it can do. 4.5 million mobile phones were lost or stolen last year; as the smart phone becomes a combined mobile wallet and authentication device, this will raise the stakes for everyone.
Apple would step up its security game by broadening its use of two-factor authentication and more aggressively encouraging people to turn on two-factor authentication. Undoubtedly, the global hacking community has been watching Apple’s announcements with even more excitement than we have, as they will race to exploit new opportunities for criminal attacks and fraud in mobile payments.
As we look at the recent actions of Apple, Societe Generale in India and other major companies, we see the tide turning in a significant way in winning public acceptance of improved security methods such as one-time passwords, two-factor authentication, and biometrics.
Apple’s announcement of a mobile wallet will undoubtedly accelerate the adoption of mobile banking even further. It is predicted that even by 2017, mobile wallets will be used in less than 2% of transactions. The bigger issue for consumers will still be protecting their everyday online and mobile transactions from attacks that are becoming more frequent and intense.
When the most influential company in the industry comes out with a strong endorsement of two-factor authentication, that’s good news for consumers and bad news for hackers.
–The author of the article is Jan Valcke, President and COO, VASCO Data Securities