It has been coming for a long time. The industry has been talking about “M-Banking”, mobile-based two-factor authorisation (2FA) and Near Field Communication (NFC) enabled phones for at least the last two years but what does it mean and what are the implications for the security industry?
Well, it has to be said that the security industry has been a bit slow in coming forward, largely because without established markets for the underlying technology, there isn’t very much for them to sell as yet.
However, these mobile-enabling technologies are now on the cusp of widespread adoption and, as pointed out by banking security experts Trusteer in their report published by us today, the malware writers are already two steps ahead of the security industry.
The two driving technologies that are involved are Two-Factor Authentication and Near Field Communications so we’ll look at these in a bit more detail:
Authentication of identity can take many forms and could be a password, PIN code, access card, RFID fob, biometric feature or some other token. Taken singly, these are all insecure to varying degrees. To enhance security, two methods of identification can be used by adding a second factor such as a password and a thumb-print.
A mobile phone can be used as a second factor for identification and is already being used in some web-applications. If you perform a transaction on a web-site, the site can send a text message to your phone with a confirmation code which you then enter into the web-site proving that you’re in possession of the phone that was registered.
Since most people are in possession of a mobile phone and it is personal to them, it makes the phone ideal as a token or second factor for authentication purposes. This is the principle behind M-Banking. The problem? Smartphones have internet connectivity and malware can be loaded onto them meaning that authentication type SMS messages can be intercepted.
The technology of NFC brings huge potential for increasing the scope of use of mobile phones. The telephone effectively becomes an enabling device that can integrate the functions of any operations that are carried out on smart-cards currently. This includes existing SIM card functions, access control cards and bank cards. The full set of uses of an NFC enabled smartphone could possibly allow the user to carry just one device which can be touched against a door reader to provide access to the workplace and which can be “waved” near a POS terminal in a shop to perform a retail financial transaction. Combined with the 2FA functionality mentioned earlier, this has the potential of being a very secure and convenient alternative to carrying multiple cards.
It can be seen from these two technologies, that the potential for smartphones in the near future is very large and with a small excursion of imagination, the potential uses for phones is vast. Cyber-criminals have been very active in imagining the possibilities and preparing for them. The security industry is way behind.
Let’s look at the security industry in a little more depth.
Desktop computers the world over are being constantly attacked. Users are falling victim to fraud, phishing and identity theft. The computers themselves are being infected with viruses and recruited into global Botnets. This is a huge problem despite there being a vast and increasingly effective security industry to reduce these threats. Companies within this industry include such big names as Sophos, Symantec, Check Point and Kaspersky Lab. The vast majority of the affected computers run operating systems from two companies – Microsoft and Apple.
The smartphone industry is different. There isn’t a dominant operating system. There’s Android, iOS, Blackberry, Symbian and others.
Can you name one Android security company? Errrr....
OK, an easier question, can you name one smartphone security company?
So how is this invisible industry going to combat a threat that will potentially have an effect on every smartphone user on the planet?
Desktop computers are becoming harder and harder to compromise so once so many insecure smartphones are given applications for online banking, retail transactions and access control, it will be open season for the cyber criminals