Earlier this week, AdaptiveMobile released a blog post examining application-to-person (A2P) SMS banking scams, specifically as they relate to identity theft. Attackers are increasingly using creative, social-engineering-led approaches to trick individuals into giving away personal information, which lets the attacker impersonate the victim for financial gain. The post also looked at the recent Barclays TV advert, which examines the same topic. Robert Capps, VP of Business Development at NuData Security, comments below.

Robert Capps, VP of Business Development at NuData Security:

“The lack of standard trust indicators in SMS, coupled with the seemingly organic deployment of SMS as a messaging and authentication channel for online transactions, has not only led to consumer confusion. It’s also opened a wide channel for fraudsters to socially engineer consumers into disclosing their personal information.

It’s also not a unique attack. Other convenient forms of consumer communication like email and telephone calls have been utilised by cyber criminals in similar ways in the past, so perhaps it’s no surprise to find creative uses of the same old trick being employed.

At the root of this issue is the continued reliance on the traditional (but tired) username and password authentication framework. It’s still the sole method of verifying consumer identity in many non-face-to-face transactions. Coupled with weak auxiliary authentication schemes that have been duct-taped on top of this framework, such as SMS challenges, and secret questions and answers, it’s no wonder that consumer authentication is a mess.

Traditionally, online authentication boiled down to a choice between “effective”, “easy” and “low friction”, where you can only pick two options. Execs are always biased toward tangibles, so the option usually left on the ground was customer experience (friction). Growing respect for the value of customer experience, plus advances in behavioural techniques and evaluation of human interactional signals, has injected new life into these tired techniques. The great part about these new behavioural authentication technologies is that they provide real security for customers and their accounts, without negatively impacting the customer experience.”

Information Security Buzz