In response to today’s Krebs on Security story Busting SIM Swappers and SIM Swap Myths detailing this intricate type of mobile fraud and how one victim lost $100,000 when his mobile number was hijacked, mobile security experts with OneSpan offer information on how institutions can protect their customers from this threat.
Will LaSala, Director Security Solutions, Security Evangelist at OneSpan:
“Many financial institutions are balancing the security of a solution versus the acceptance of the solution across their user base. Ease of use versus security is a classic two-factor hurdle. In today’s security landscape, banks should be looking at implementing security solutions that offer the correct level of security at the precise time. Banks can use data from many different sources throughout their interaction with their customers to allow for a better view of what the bank’s perceived risk level is. Once they have identified the risk level, they can make accurate decisions as to how to mitigate that risk. For example, does it require a PUSH notification, can a transaction simply just be processed without additional user interaction, maybe it requires an easy to use biometric like fingerprint, or maybe a more secure biometric like face or voice. All of these technologies should be on the table for a bank to use at any point within the journey of their digital users.”
David Vergara with OneSpan offers advice on preventing SIM swapping fraud, in response to recent events noted in today’s Krebs on Security story Busting SIM Swappers and SIM Swap Myths.
David P. Vergara, Head of Security Product Marketing at OneSpan:
“Many banks are implementing security solutions that enable them to present a precise level of security validation when needed, scoring a broad array of customer interaction data to inform them of the risk for each transaction. They determine whether a transaction can be completed without further user validation, whether the situation warrants a PUSH notification. In some cases, an easy-to-use biometric such as a fingerprint, or perhaps even a more secure biometric such as face or voice validation can be applied. Such multi-layered strategies only further reinforce that SMS as an authentication channel is not just obsolete, it’s unnecessarily risky.
“If their institution offers it, consumers should enable PUSH two-factor authentication as soon as possible and transition away from SMS-based authentication. SMS is fine for account notices, but it shouldn’t be used for privileged access and transaction permissions.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.