
Page 1: Addressing Advanced Fraud Threats in Today’s …docs.media.bitpipe.com/.../WP_MobileSecurity_June2012.pdf2 “US Mobile Banking Forecast, 2010 to 2015,” Emmett Higdon, Forrester


© Entrust Inc. All Rights Reserved. 1

Addressing Advanced Fraud Threats in Today’s Mobile Environment

Financial institutions face challenges, opportunities with mobile services and applications



Contents

Introduction 3

Financial Institutions & Mobile Services 3
    Online fraud finds new targets
    Banks should capitalize on mobile opportunities
    FIs prime targets for advanced malware

The Proliferation of Online Threats 7

The New Frontier: Mobile Threats 8
    SMS & OOB threats
    Attacks from every vector

Enhancing Security for Online & Mobile Users 11
    The need for stronger authentication
    Mobile soft tokens
    Out-of-band transaction verification

Solutions for Effective Mobile & Online Security 13

Summary 16

Entrust & You 17
    Company Facts
    Headquarters
    Sales


Introduction

Mobile devices are now the centerpiece of consumer lifestyles. From email communication, social networking, banking, games, music and video, mobile devices have forced a radical shift in the way in which organizations service their customers. In a June 2010 report on Internet trends, Morgan Stanley predicted that by 2012 the number of smartphones shipped would exceed the total number of desktop and notebook PCs.[1] And today, more than 80 percent of adults in Europe and the United States own a mobile device. The explosion in task-specific applications for mobile devices has gone hand-in-hand with the growth in cell phones and tablet computers. These applications are easy to purchase and install, and provide immediate access to information, utilities and services. And features in mobile devices, such as GPS, Bluetooth and near-field communication (NFC) technology, make daily tasks simpler, more convenient and more efficient for users.

Financial Institutions & Mobile Services

Financial institutions are no exception to the pressure to extend their services to the mobile channel. A January 2011 Forrester Research study predicts that by 2015 mobile banking will reach one in five adults in the United States.[2]

1 “CM Summit — New York City: Internet Trends,” Morgan Stanley, June 7, 2010.

2 “US Mobile Banking Forecast, 2010 to 2015,” Emmett Higdon, Forrester Research, January 31, 2011.



Perhaps more significant in terms of the impact of mobile devices on banking, this report also predicts that 18 percent of adults in the United States who have yet to adopt online banking will use their mobile device to access their accounts by 2015. And for many customers, mobile banking will become the preferred channel for basic banking transactions (e.g., checking account balance, transferring money and paying bills).[3]

Today, 23 percent of smartphone users in the U.S. are checking financial accounts.[4]

In Europe, mobile banking trends are similar to those in the United States — as many as 12 percent of Europeans who are online take advantage of some mobile banking. However, adoption rates remain low and, at this time, it is predominantly used for simple SMS (Short Message Service) text messages. A much smaller number, only 4 percent, are actually accessing mobile banking.[5]

While the convenience and immediacy offered by mobile banking is clearly the primary driver for these users, particularly for simple transactions, there are still a number of concerns that are holding back widespread adoption.

3 “Mobile Banking Will Displace Online Banking For Routine Interactions,” Alexander Hesse, Forrester Research, December 23, 2010.

4 “Mobile App Internet Recasts the Software and Services Landscape,” John McCarthy, Forrester Research, March 2, 2011.

5 “The State Of Mobile Banking In Europe: 2010,” Alexander Hesse, Forrester Research, April 22, 2010.


In Europe and the United States, between 35 and 40 percent of adults currently banking online see no value in mobile banking. And those accessing mobile banking websites are the typical early adopters, the vast majority of whom are already banking online.

Online fraud finds new targets

But the growth in mobile devices has also driven the incidence of fraud targeting these devices. Whether simple rogue text messages, fictitious billing scams or more malicious attacks using malware installed on the device, the number of attacks is increasing at an alarming rate — mobile malware increased by more than 45 percent in 2010. And with less education about mobile threats, users seem more inclined to fall victim to them during mobile sessions.


And for many, it’s the lack of security on these devices that is a major inhibitor to their adoption of mobile banking. Twenty-two percent of adults banking online in Europe, and 35 percent of online adults in the United States, indicated that lack of security was stopping them from using mobile banking.[6][7]

Financial institutions are being urged to improve the mobile end-user experience and develop new functionality in the mobile banking space to differentiate it from the online experience. Mobile banking offers an immediacy and persistent “always-on communication” that is not available in other channels, including online banking. This provides an opportunity for banks to differentiate offerings in the mobile space from the more traditional channels.[8]

Improved security will be a prerequisite to recognize the exponential growth in mobile banking that is projected by leading analyst and research firms. And in the mobile environment, where the expectation is for instant, unobtrusive communication, end-user security and strong authentication needs to be simple, quick and transparent.

Banks should capitalize on mobile opportunities

But as banks look to address these issues and capitalize on the opportunities of the mobile environment, they are also challenged by the need to bolster consumer confidence in online banking. In both the United States and Europe the majority of those using mobile banking in some capacity are also banking online — and in many cases their use of online banking has actually increased.[9]

While most financial institutions currently restrict access to mobile banking to those who are already online users, the growth opportunity and potential financial return is in providing unrestricted access to mobile banking and not limiting it to those who are already using a channel that saves banks money.[10]

FIs prime targets for advanced malware

Online banking users — both consumers and commercial users — continue to be the target of sophisticated attacks. In 2009, the Financial Services Information Sharing and Analysis Center (FS-ISAC) went so far as to issue a report to its members calling into question “the safety of online banking for its business account holders.”[11]

6 Hesse, “The State Of Mobile Banking In Europe: 2010,” p. 6.

7 Higdon, “US Mobile Banking Forecast, 2010 To 2015,” p. 8.

8 “Setting US Mobile Banking Priorities for 2011: Opportunities Attainable in the Short Term,” George Tubin, TowerGroup, November 1, 2010.

9 Higdon, “US Mobile Banking Forecast, 2010 To 2015,” p. 5.

10 Tubin, p. 5.

11 “Major Financial Services Firms Call Online Banking Dangerous,” Avivah Litan, Gartner, August 31, 2009.



Financial institutions are targeted by advanced malware threats that leave many traditional safeguards ineffective. Instead of phishing attacks that lead to fake websites designed to harvest usernames and passwords, the techniques are now more sophisticated and effective against previously deployed defenses. Whereas once such attacks were the domain of amateur hackers, sophisticated cybercrime groups have emerged as online fraud leaders, targeting consumer- and commercial-banking users alike. The United States now has the highest concentration of websites that host the ZeuS crimeware package. And the merger of the ZeuS crimeware toolkit and its one-time rival SpyEye has not only brought together two crimeware toolkits, but also two different bot networks.[12]

But at the same time, traditional phishing attacks continue to be a problem. While the number of these attacks is still down from the peak in August 2009, the number of domain names and URLs used for phishing attacks has increased. Yet the proliferation of mobile devices offers financial institutions an opportunity to leverage the device itself to strengthen both online and mobile security, while addressing customer demand for extended mobile banking services.

The Proliferation of Online Threats

While many safeguards are deployed within financial institutions, criminals are evolving their techniques rapidly. Phishing, smishing and spear-phishing attacks are now designed to deploy malware, which takes over users’ browsers and mobile devices to execute malicious transactions.[13] The malware is crafted to avoid detection by antivirus tools. The result is known as a “man-in-the-browser” attack. The man-in-the-browser (MITB) attack leverages what is known as a Trojan Horse (or simply a Trojan). A Trojan is malicious software that is somehow installed — often initiated by various social engineering tactics — and resides concealed on the user’s computer, frequently undetectable by traditional virus-scanning.

12 “Enhanced SpyEye Trojan Poses New Threat,” Mathew Schwartz, Information Week, February 8, 2011.

13 A spear-phishing attack is a highly targeted form of phishing, using specific messages and information tailored to a particular user or small user group.


It is commonly in the form of a browser helper object, user script or ActiveX control. It wakes up when the user visits a target site, and functions by transparently capturing and modifying information as it filters communication between the browser’s user interface and the Internet. This is but one example of the several variations of man-in-the-browser attacks that are active “in the wild” today. The net result of all of these forms of attack is a loss of funds for the end-user or business, and a loss of credibility for the financial institution. Most traditional defenses are rendered completely ineffective because the Trojan is difficult to detect through standard virus-scanning. It has direct access to authentication data (e.g., static and one-time passcodes or even biometrics) and to the details of the transaction.

The New Frontier: Mobile Threats

While most malicious activity targeted at mobile devices still involves rogue messages and fake charges, the number of malware-related attacks is increasing — by one account by as much as 46 percent in 2010 over 2009.[14]

The dramatic growth of mobile devices and smartphones, shipments of which have now surpassed PCs, makes them a logical target for malware. And although wide-scale adoption of mobile banking is still some time off, more than an estimated 20 million users in the United States are already leveraging their mobile device for some form of mobile banking.[15]

14 “Malware Exploding, Especially on Mobile Devices,” Joan Goodchild, CSO, February 8, 2011.

15 Higdon, p. 3.

Figure: The browsers may look identical. But underneath one, a Trojan is lurking — undetected by virus-scanning and ready to steal a user’s identity as part of a man-in-the-browser attack.


Mobile devices are particularly susceptible to attack for a number of reasons. First, the distribution of applications to the devices via third-party app stores makes them susceptible to the distribution of malware. While all major devices and operating systems have been targeted, observers believe that the Google Android platform may be more susceptible to attacks than other devices because the apps can be distributed anywhere on the Web. The ZeuS/Geinimi Trojan appeared in late 2010, inserted into legitimate Android applications and games, and allowed attackers to manipulate text messages, direct users to malicious websites and steal data.[16] Another variant of the ZeuS Trojan is specifically targeting mobile devices. Users are regularly checking email on mobile devices, and the current limitations of mobile browsers make it more difficult to identify fraudulent messages and sites. This increases the risk of clicking on or being duped by fraudulent messages. While larger screens on mobile devices and the gradual adoption of device identification will help mitigate these risks, the tendency for quick communication and instant response reinforces the risk.

SMS & OOB threats

Despite the limitations associated with character lengths and its awkward interface, SMS has been adopted by a limited number of financial institutions to add security to the online channel by providing out-of-band (OOB) authentication or out-of-band transaction verification. This is typically done via three approaches:

1. A one-time passcode (OTP) is sent to the mobile device via an SMS message; the OTP code is used to authenticate and complete the online banking session by typing the code into the browser on the PC.

2. An OTP and transaction details are sent to the mobile device via an SMS message and this code is used to authenticate and complete the transaction on the mobile device itself. The validation and completion of the transaction is done entirely out of band — the user is, essentially, verifying that the transaction is valid.

3. To complete a transaction online, the bank (or a third party) places a call to the mobile device to verify the transaction, assuming the user is in possession of the mobile device.

16 “Security to Ward off Crime on Phones,” Riva Richmond, The New York Times, February 23, 2011.

Fraudulent attacks via SMS are leveraged to compromise online-banking accounts — and sometimes may be used to distribute malware to take control of a customer’s desktop.


Whenever authentication is done in an unprotected browser session on the desktop it is going to be susceptible to fraud attacks from threats like ZeuS/SpyEye. And while out-of-band transaction verification leveraging the mobile device — whether via an OOB OTP sent to the device or an actual OOB phone call — provides significantly better protection against fraud, the SMS channel is also open to attack. In its simplest form, text alerts can be sent to mobile devices that entice users to click on a link that leads to a site where they end up downloading malware, which then compromises the device/SMS channel — potentially including that device as part of a much larger botnet.[17]

Attacks from every vector

But mobile threats are becoming more complicated with combined threats from multiple vectors — email, Web, SMS and voice — to obtain information that would enable control over devices.[18]

In a more nefarious and directed mobile banking attack, a user’s mobile device may be compromised in conjunction with an attack on their desktop. The user is first tricked into placing malware/crimeware on their desktop, enabling the fraudster to gain information about their mobile device.

In turn, the mobile device is sent an SMS message, as an example, which prompts the user to click on a link and download malware onto their mobile device. Once in control of both devices, fraudsters can initiate and complete a financial transaction regardless of any online authentication or SMS-related OOB authentication or transaction verification.[19]

Finally, SMS messages used in conjunction with OOB caller authentication have also been compromised and used in fraud attacks. While phone phishing has been around for some time, Gartner analyst Avivah Litan projects that the proxying of phone services so fraudsters can fake the caller’s unique device ID will be one of the top threats and trends in 2011.[20]

In this type of attack, a fraudster gains access to the user’s device ID and is able to change that information, effectively hijacking the device. In combination with control over the user’s desktop, the fraudster can initiate and complete a financial transaction on the desktop. Because they control the mobile device, they can intercept an OOB notification sent to another device and falsely verify that the fraudulent transaction is legitimate.[21]

17 “Android Phones Targeted by Trojan,” Alison Diana, Information Week, January 3, 2011.

18 “Compound attacks identified as the next mobile threat,” Dan Raywood, SC Magazine UK, February 8, 2011.

19 “Zeus Strikes Mobile Banking: Security Experts Confirm Threat to Mobile Online Users,” Tracy Kitten, BankInfoSecurity, October 13, 2010; “ZeuS Mitmo: Man-in-the-Mobile,” David Barroso, S21sec, September 25, 2010.

20 “Blog: Top Ten 2011 Threats and Trends,” Avivah Litan, Gartner, December 15, 2010.

21 “ZeuS attacks mobiles in bank SMS bypass scam,” John Leyden, The Register, September 27, 2010.


Enhancing Security for Online & Mobile Users

Against this backdrop of online and mobile fraud, the Federal Financial Institutions Examination Council (FFIEC) is calling for stronger measures to be taken to enhance security for commercial and customer online banking. These measures include the adoption of more effective authentication techniques, including strong authentication, and improved fraud detection and prevention techniques. Even if a technique is ineffective against some of the latest threats, such as MITB, it is not to say that it is ineffective against other threats; the technique may still be suitable and provide an incremental layer of defense.

The need for stronger authentication

In 2005, the FFIEC released guidance to financial institutions that called for the adoption of stronger authentication for Internet banking. While the majority of US banks are in compliance with the 2005 guidance, many of the authentication methods in place today are no longer adequate to deal with the latest online threats. The most prevalent form of stronger authentication for online banking remains either challenge-response (or questions and answers) or device identification. In response to the 2005 guidance, many institutions simply implemented static device tagging with cookies or a Flash object that identified the user at sign-in, and then supplemented that with knowledge-based authentication (KBA) — simple questions. Whether posed directly in an online session, or asked out-of-band by a call center, most of the Q&A authentication draws on information that is largely available in the public domain, or easily obtained using social-engineering attacks. But a December 2010 report by Gartner concluded that as many as 25 percent of retail customers view KBA as inconvenient or useless.[22] And if customers don’t see the value in these extra steps, they’re unlikely to embrace them. The growth of online threats, such as the ZeuS and SpyEye Trojans and man-in-the-browser attacks, is driving increased losses among businesses, which banks are under no obligation to cover. And because many North American banks simply met the minimum criteria of the 2005 FFIEC guidelines, the regulatory agencies are motivated to revisit the 2005 guidance with stronger, updated requirements.

22 “Good Authentication Choices for External User Access,” Ant Allan & Avivah Litan, Gartner, December 1, 2010.


While many of the more sophisticated online threats today are able to circumvent methods of strong authentication and hijack a user’s session through their browser, strong two-factor authentication remains the first pillar in a layered defense strategy to address online fraud. But for wide-scale consumer adoption, strong authentication needs to be easy to use, relatively transparent to the user experience and cost-effective for organizations to deploy.

Mobile soft tokens

A soft token on a user’s mobile device is an effective, easy-to-use form of stronger authentication that allows banks to leverage physical devices that are widely deployed. This out-of-band OTP is generated on the device and is used in conjunction with an individual’s username and password to strongly authenticate an online banking session. In some instances, a mobile soft token may be generated on the device as part of the mobile banking login process and submitted without user intervention. This approach provides a seamless and transparent user experience, adding security and convenience to a mobile banking session. While out-of-band strong authentication on its own is still susceptible to man-in-the-browser/man-in-the-mobile attacks, it increases the level of security in today’s transactions that are relatively unprotected.

Out-of-band transaction verification

Banks can also use the mobile channel to send details of a transaction out-of-band to a user to confirm a transaction made in an online session on their desktop. This is best done in conjunction with an out-of-band OTP, such as a mobile soft token. For transactional verification, the user is sent three pieces of information:

1. An OTP via out-of-band communication (e.g., soft token, SMS or voice channel);

2. A summary of the transaction that’s about to occur;

3. A confirmation code. As an example: “Wire transfer $15,325 from acct 132382 to 482763. Confirmation code 193713.”

The user can then review the details in a separate communication channel, and only proceed in their browser if they recognize the details.

Proven out-of-band transaction verification is an effective method of leveraging mobile devices to increase the security of Web-based transactions.


As we have seen, SMS and voice channels have been susceptible to attacks, but effective out-of-band transaction verification can still add a significant level of security to an online or mobile banking session. Given the current mobile threat environment, financial institutions must take care to protect against easy reset of the out-of-band contact details (e.g., the mobile phone number); otherwise malware will reset those details first and then attack successfully. If out-of-band confirmation is sent to an initialized mobile application — versus simply an SMS to a phone — a reset becomes an inherently more elaborate and protected process. There are approaches, specifically using a dedicated mobile application, that address vulnerabilities in OOB transaction verification. At the same time, using a mobile application enables some of these functions to be performed seamlessly in the background by embedding security functions in the application itself.
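One way to put the contact-reset caveat above into a concrete control, as an added example written for this page (not Entrust’s product logic): a newly registered out-of-band contact is not used for transaction verification until the previous channel has acknowledged the change and a cooling-off window has passed, so a reset initiated from a compromised desktop does not immediately redirect confirmations to the attacker’s device. The 48-hour window, the phone numbers and the dates are assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example, not Entrust's code. Policy value below is an assumption.
COOLING_OFF = timedelta(hours=48)  # a newly registered contact stays untrusted this long


@dataclass
class OobContact:
    address: str                    # phone number, or an initialized app's device id
    enrolled_at: datetime
    confirmed_on_old_channel: bool  # previously trusted contact acknowledged the change


@dataclass
class Customer:
    active: OobContact
    previous: Optional[OobContact] = None


def change_oob_contact(cust: Customer, address: str, now: datetime) -> None:
    """Register a new contact but keep the old one as the channel of record
    until the new one has been acknowledged there and has matured."""
    cust.previous = cust.active
    cust.active = OobContact(address, now, confirmed_on_old_channel=False)


def acknowledge_on_old_channel(cust: Customer) -> None:
    """Called when the customer confirms the change from the previous device."""
    cust.active.confirmed_on_old_channel = True


def verification_channel(cust: Customer, now: datetime) -> Optional[OobContact]:
    """Pick the contact that may receive an out-of-band verification message.
    None means no trusted channel exists and the transaction should be held."""
    a = cust.active
    if a.confirmed_on_old_channel and now - a.enrolled_at >= COOLING_OFF:
        return a
    return cust.previous  # the just-registered address is never used during cooling-off


def _customer_with_longstanding_number(t0: datetime) -> Customer:
    # Constructed sample: a number enrolled long ago and fully trusted.
    return Customer(OobContact("+1-555-0100", t0 - timedelta(days=400), True))


def demo_scenario() -> list:
    """Constructed walk-through: number changed online, acknowledged, then matured."""
    t0 = datetime(2011, 6, 1, 9, 0)
    cust = _customer_with_longstanding_number(t0)
    steps = [verification_channel(cust, t0).address]               # long-standing number
    change_oob_contact(cust, "+1-555-0199", t0)                    # reset requested online
    steps.append(verification_channel(cust, t0).address)           # still the old number
    acknowledge_on_old_channel(cust)
    steps.append(verification_channel(cust, t0 + timedelta(hours=1)).address)   # cooling off
    steps.append(verification_channel(cust, t0 + timedelta(hours=49)).address)  # matured
    return steps


def demo_unacknowledged() -> str:
    """A reset that the old device never confirms keeps routing to the old device."""
    t0 = datetime(2011, 6, 1, 9, 0)
    cust = _customer_with_longstanding_number(t0)
    change_oob_contact(cust, "+1-555-0199", t0)
    return verification_channel(cust, t0 + timedelta(days=30)).address


if __name__ == "__main__":
    print(demo_scenario())        # ['+1-555-0100', '+1-555-0100', '+1-555-0100', '+1-555-0199']
    print(demo_unacknowledged())  # +1-555-0100
```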

Solutions for Effective Mobile & Online Security

Given the link between those who have adopted online banking and those who are embracing the mobile environment, it’s important that financial institutions address the security concerns around both channels. At the same time, as TowerGroup pointed out in a recent study, “success in mobile delivery of financial services is predicated on understanding that mobile is not ‘Internet-lite’ but a unique channel with distinct characteristics and hence, the potential for value propositions differs from that of online banking.”[23]

In terms of security, therefore, banks need to adopt solutions that not only help increase confidence in the online channel, but are also designed to address the unique requirements of mobile banking applications.

23 Tubin, p. 2.


To achieve this successfully and cost-effectively, financial institutions should consider solutions that provide the broadest range of capabilities to address the online and mobile fraud threat. As a minimum, there are three areas that should be addressed.

Embrace Versatility

Financial institutions should deploy a versatile authentication platform that supports a broad range of authentication options. This provides banks with the flexibility to deploy different methods of strong authentication depending upon the type of user (e.g., commercial banking with high-value transactions or a consumer solution), as well as the type of banking and transactions they are doing, without requiring a second authentication infrastructure. This helps address the entire community of online and mobile users. A software authentication platform should support transparent authentication (e.g., IP-geolocation and device authentication), offer physical methods of strong authentication (e.g., physical tokens or grid cards) and support soft tokens that leverage mobile devices. This provides flexibility and is the most cost-effective option for broad commercial and consumer deployment of strong authentication.

Mobile Verification

Financial institutions should look at out-of-band transaction verification using a mobile application that leverages a versatile authentication platform. Integrating strong authentication and transaction verification into a mobile application is one of the most effective forms of out-of-band transaction verification technology — and is effective against attacks that compromise stronger authentication. While out-of-band transaction verification using SMS or a voice dial-out provides some protection against fraud attacks, these approaches rely on baseline telecommunication technology that has already been compromised. Using a mobile application to provide transaction verification isolates it from the type of mobile attacks that have targeted SMS messages. In addition to supporting traditional SMS-based transaction verification, banks can deploy a mobile application that presents the transaction details together with an OATH-compliant signature — users confirm the transaction, providing an encrypted, digitally signed transaction confirmation.
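As an added example serving both the “Out-of-band transaction verification” section (the summary plus confirmation code the user reviews) and the OATH-style signed confirmation described just above (example code written for this page, not Entrust’s product code): a soft-token OTP per RFC 4226 and a confirmation code computed as an HMAC over the canonical transaction details, in the spirit of OATH OCRA (RFC 6287) but simplified rather than the exact OCRA suite encoding. The shared key (the RFC 4226 test key), the account numbers and the field layout are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example, not Entrust's code. The OTP follows RFC 4226 exactly; the
# transaction code reuses its truncation over the transaction details rather
# than the full OCRA (RFC 6287) encoding.

TX_FIELDS = ("type", "amount", "from", "to", "seq")  # constructed field layout


def _dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take 4 bytes at the offset in the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time passcode as a mobile soft token generates it."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _dynamic_truncate(mac, digits)


def canonical_tx(tx: dict) -> bytes:
    """Fixed field order so the server and the app hash exactly the same bytes."""
    return "|".join(str(tx[f]) for f in TX_FIELDS).encode("utf-8")


def confirmation_code(key: bytes, tx: dict, digits: int = 6) -> str:
    """Confirmation code bound to the transaction details. Changing any field
    (amount, destination account) changes the code, and 'seq' keeps a code
    issued for an earlier identical transfer from being replayed."""
    mac = hmac.new(key, canonical_tx(tx), hashlib.sha1).digest()
    return _dynamic_truncate(mac, digits)


def oob_message(tx: dict, code: str) -> str:
    """The out-of-band summary the user reviews on the mobile device."""
    return (f"{tx['type']} ${tx['amount']:,} from acct {tx['from']} "
            f"to {tx['to']}. Confirmation code {code}.")


def server_verify(key: bytes, pending_tx: dict, submitted_code: str) -> bool:
    """Recompute the code over the transaction the server actually holds and
    compare in constant time. A code produced for the details the user saw
    verifies only if those are the details the server is about to execute."""
    expected = confirmation_code(key, pending_tx)
    return hmac.compare_digest(expected, submitted_code)


if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed sample: the RFC 4226 test key
    print("soft-token OTP, counter 0:", hotp(key, 0))  # 755224
    tx = {"type": "Wire transfer", "amount": 15325,
          "from": "132382", "to": "482763", "seq": 1}
    code = confirmation_code(key, tx)
    print(oob_message(tx, code))
    # In the app-signed flow the app signs the details it displayed. If a
    # man-in-the-browser rewrote the destination before the request reached
    # the bank, the server holds different details and the code fails to
    # verify. In the SMS flow the summary itself shows the altered account.
    altered = dict(tx, to="999999")  # constructed: attacker-controlled account
    print("altered transfer accepted with the user's code?",
          server_verify(key, altered, code))  # False
```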


Embed Security

Financial institutions should look at solutions that provide the capability to embed security features of the authentication platform directly into a mobile application, improving security within mobile banking applications while making it transparent and easy for users. Applications are already available that enable developers to easily build security natively into their mobile banking applications. Banks should embed strong authentication directly into a mobile banking application so it’s provided seamlessly and transparently for users, providing enhanced security for transactions without requiring the user to enter a one-time passcode. Additional functionality should also be provided to embed out-of-band transaction verification into the mobile application — again, extending the functionality to the mobile environment. By not requiring a separate security application on a mobile device, banks can provide the desired security while maintaining their distinct brand.


Summary

While mobile banking applications have yet to be adopted by mainstream users, they are being deployed by financial institutions around the world and are being used by early adopters for basic transactions, such as checking account balance, paying bills and transferring money. On a limited scale, they’re also providing banks with an avenue for improving the security for transactions done online (e.g., using text messaging to confirm transactions). But there is a clear relationship between those doing their banking online and those early adopters of mobile banking. And the security of online banking and mobile banking, which remains a concern for both, is a distinct barrier to growth. With the frequency and complexity of fraud attacks increasing — and the morphing of traditional fraud attacks into the mobile space — financial institutions need to become more aggressive in implementing online and mobile security; and they need to look beyond traditional security measures that don’t apply in the mobile environment. On the other hand, with their ubiquitous deployment, mobile devices can actually be leveraged by financial institutions to enhance security for these users. Mobile devices now offer an effective approach to provide stronger online authentication, mobile authentication and fraud protection that can be deployed easily as a standalone mobile application, or as an embedded capability in banks’ mobile applications.


Company Facts
Website: www.entrust.com
Employees: 359
Customers: 5,000
Offices: 10 Globally

Headquarters
Three Lincoln Centre
5430 LBJ Freeway, Suite 1250
Dallas, Texas 75240

Sales
North America: 1-888-690-2424
EMEA: +44 (0) 118 953 3000
Email: [email protected]

Entrust & You

More than ever, Entrust understands your organization’s security pain points. Whether it’s the protection of information, securing online customers, regulatory compliance or large-scale government projects, Entrust provides identity-based security solutions that are not only proven in real-world environments, but cost-effective in today’s uncertain economic climate. A trusted provider of identity-based security solutions, Entrust empowers governments, enterprises and financial institutions in more than 5,000 organizations spanning 85 countries. Entrust’s award-winning software authentication platforms manage today’s most secure identity credentials, addressing customer pain points for cloud and mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. For more information about Entrust products and services, call 888-690-2424, email [email protected] or visit entrust.com.

24285/4-11