Cybercriminals were said to have deployed a multi-vectored methodology to bypass security used by mobile apps to access users’ banking systems. Reports say 34 banks across Europe have been targets of a sophisticated spear-phishing and malware campaign.
Researchers at Trend Micro called their investigation “Finding Holes: Operation Emmental” because of the Swiss (full of holes) cheese aspect of the Android app security process. They said that the cybercriminals developed a complex but effective method of attacking the latest security countermeasures that protect online banking.
Unfortunately these types of attacks are likely to continue.
According to Scott Goldman, authentication expert and CEO of TextPower (www.textpower.com), “This method of intrusion is an obvious consequence of a process that sends the key (aka the OTP) to the user in a way that can be intercepted. Malware and social engineering will only increase in effectiveness and nefarious intent.”
“Any security process that incorporates sending the OTP to a mobile number will forever be exposed to this kind of hack,” he explained.
“Until organizations that require the highest levels of security turn their process right-side-up by requiring the user to send the key – including a PIN – from their mobile instead of sending to it, these episodes will become increasingly common,” said Goldman.
Goldman described how TextPower has developed a method to secure website and VPN logins using the world’s most commonly used phone app, SMS, that is three times more powerful than any other solution in the market. The company recently launched TextKey™, the world’s first Omni-Factor Authentication™ (OFA) system that provides an unprecedented seven factors of authentication that is activated by the user simply sending a standard text message from their cell phone.
Using a cell phone as an authentication device isn’t unheard of, but as we see, hackers continue to find ways to exploit conventional SMS-based authentication or install malware on mobile devices, both of which undermine confidence in using mobile devices for authentication.
All current SMS authentication services use the ‘MT’ (mobile-terminated) method, which means the authentication code, link or other identifier is sent to the phone and then the user is asked to enter the code onto a web page for authentication, which is less secure.
TextKey turns that process upside-down and by doing so makes it more secure and easier to implement. Specifically, TextPower’s patent-pending “MO” (mobile-originated) methodology allows text messages to be used for authentication in a virtually unhackable manner. TextKey™ authenticates users by having them send a text message from their authorized cell phone — TextKey verifies that the authentication message was sent from a legitimate (i.e., not spoofed or hacked) phone, from the correct mobile number, that the message contains the correct OTP and the correct PIN, and that the message is sent to the correct SMS short code or phone number. The software can be licensed for large institutions or the entire system can be used on a cloud-based SaaS platform which doesn’t require the website to have any additional servers, appliances, software or remote hosting.
About TextPower
TextPower, Inc. provides alerting and authentication solutions to a variety of industries worldwide using text messaging (SMS). The company’s software and text messaging services help companies enhance their revenues, decrease costs and improve customer service. TextPower’s authentication product, TextKey™, provides seven-factors of authentication to protect websites, VPNs and mobile apps. This makes it more secure than regular two-factor authentication (2FA) and replaces the smartphone app, hardware token or security fob previously needed to verify the identity of online users for password-protected applications. TextPower’s mission-critical infrastructure employs geo-redundancy for the industry’s highest reliability, providing delivery to virtually every cell phone in the United States and connections to most recognized wireless operators around the world.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.