A secure and scalable approach to solving bank customer identity authentication challenges

Banks and other financial services companies know that they are particularly vulnerable to cyberattacks launched against their business and their customers.

Multi-factor authentication (MFA) or strong customer authentication (SCA) solutions are a particularly effective defense, but some are better than others. This is especially true with mobile authentication solutions.

Many consumers expect the same convenient experience as with their other mobile apps. However, as convenient as they are, these solutions must also be properly secured.

The mobile authentication market is full of offerings with significant security flaws

Chief among them are solutions that rely on security codes, also known as one-time passwords (OTPs), delivered to customers' mobile phones by SMS.

Widely used for many years, this method is highly exposed: an SMS code can be read by malware on the phone, diverted by SIM-swap or number-porting fraud, or simply phished from the customer and relayed in real time. Organizations need to know these risks so they can protect themselves and their customers. They should also understand how to secure mobile authentication and transaction signing, and how to use current controls and protocols to deploy secure, transparent, and scalable solutions.

Know what's at stake

There are a variety of attack vectors, including illicit SMS-rerouting services that criminals use to redirect victims' text messages and capture the login codes sent to them.

For example, ReadWrite reported in May 2021 how the FluBot malware, once installed, harvested banking passwords and sent them back to its operators' command-and-control servers. Even more virulent: the bot also harvested the victim's contacts and sent smishing messages from the infected phone, spreading the infection further.

In another major operation, uncovered in late 2020, attackers built a network of about 16,000 emulated mobile devices and used it to intercept one-time password (OTP) text messages.

According to Ars Technica coverage, IBM Trusteer researchers uncovered the massive fraud operation, which used the emulator network to spoof legitimate customers' devices and drain millions of dollars from mobile banking accounts within days.

Growing reliance on digital transaction channels

With the increasing use of digital transaction channels, the volume of cyberattacks has increased significantly.

As ReadWrite contributor Peter Daisyme pointed out in his 5 Ways to Improve and Optimize Your Company's Data Security Program, the Block (Cash App) breach disclosed in April 2022 may have exposed the data of more than eight million customers.

And in early 2022, Crypto.com admitted that nearly 500 users were collectively robbed of over $30 million after a serious breach.

Using compromised user credentials is still the main way hackers launch their attacks.

In the spring of 2021, hackers exploited a multi-factor authentication flaw to steal cryptocurrency from around 6,000 Coinbase accounts. The flaw, in the SMS-based account recovery process, let attackers who already held a victim's email address, password and phone number obtain the SMS two-factor code and take over the account.

Mobile authentication security provides a solution to these challenges, allowing users to take advantage of the various features of mobile devices to verify their identity before accessing an application or completing a transaction.

How mobile authentication security works

Turning the ubiquitous smartphone into an easy-to-use authenticator is attractive, but securing the mobile authentication process is no small feat.

The industry has baseline security standards for mobile authentication from the nonprofit Open Web Application Security Project (OWASP): the Mobile Application Security Verification Standard (MASVS) and its companion testing guide. These differ from the Application Security Verification Standard (ASVS) written for web applications.

Mobile apps have many more options for storing secrets and for using a device's built-in security features (hardware-backed keystores, biometric sensors, app attestation) to authenticate their users. Small design choices, such as where a signing key is stored or whether a code is bound to the transaction it approves, therefore have a larger effect on the overall security of a solution than they would in a web app.
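As an added example (not code from the original article or from any vendor it describes), the following Python contrasts an SMS OTP, which is a bearer code with no link to any transaction, with the transaction signing the article recommends: a server-issued, single-use challenge bound to payee and amount, answered with a key held by the customer's device. The class and function names, the in-memory stores, the device and user identifiers and the sample transactions are all constructed for illustration; the per-device HMAC key stands in for the asymmetric key a real app would keep in the phone's hardware-backed keystore, so the example runs on the standard library alone.

```python
"""Constructed example: SMS OTP (bearer code) next to transaction-bound
challenge/response signing. Names, stores and transactions are made up."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 120


def canonical_txn(payee: str, amount_cents: int) -> bytes:
    """Fixed-format encoding of exactly what the customer is approving."""
    return f"payee={payee}|amount_cents={amount_cents}".encode()


def sign_transaction(device_key: bytes, nonce: str, payee: str, amount_cents: int) -> str:
    """What the banking app computes after showing payee and amount on screen.
    Assumption: device_key stands in for a hardware-backed key; a real app
    would return an ECDSA/EdDSA signature over the same message."""
    msg = nonce.encode() + b"|" + canonical_txn(payee, amount_cents)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class SmsOtpServer:
    """Plain SMS OTP: the code is a bearer secret with no link to a transaction."""

    def __init__(self):
        self._pending = {}  # user_id -> code (constructed in-memory store)

    def send_otp(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 'sent by SMS' (constructed)
        self._pending[user_id] = code
        return code

    def verify(self, user_id: str, code: str, payee: str, amount_cents: int) -> bool:
        # payee and amount are never checked against anything: whoever holds the
        # code, including a phisher the victim read it out to, gets through.
        ok = hmac.compare_digest(self._pending.get(user_id, ""), code)
        if ok:
            del self._pending[user_id]
        return ok


class ChallengeServer:
    """Challenge/response bound to device, transaction, lifetime and single use."""

    def __init__(self):
        self._device_keys = {}  # device_id -> key enrolled once (constructed store)
        self._challenges = {}   # nonce -> (device_id, canonical txn, expires_at)
        self._used = set()

    def enroll_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[device_id] = key
        return key  # provisioned once into the app's secure storage

    def issue_challenge(self, device_id: str, payee: str, amount_cents: int, now=None) -> str:
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._challenges[nonce] = (device_id, canonical_txn(payee, amount_cents), now + CHALLENGE_TTL_SECONDS)
        return nonce

    def verify(self, device_id: str, nonce: str, payee: str, amount_cents: int, response: str, now=None):
        now = time.time() if now is None else now
        entry = self._challenges.get(nonce)
        if entry is None or nonce in self._used:
            return False, "unknown or already used challenge"
        bound_device, bound_txn, expires_at = entry
        if now > expires_at:
            return False, "challenge expired"
        if bound_device != device_id or bound_txn != canonical_txn(payee, amount_cents):
            return False, "request does not match the issued challenge"
        expected = sign_transaction(self._device_keys[device_id], nonce, payee, amount_cents)
        if not hmac.compare_digest(expected, response):
            return False, "response does not verify under the enrolled device key"
        self._used.add(nonce)
        del self._challenges[nonce]
        return True, "approved"


def demo():
    """Runs the scenarios; every value should be True."""
    r = {}
    # SMS OTP: alice's code, phished in real time, authorises a different payment
    sms = SmsOtpServer()
    code = sms.send_otp("alice")  # issued for alice -> bob, 50.00
    r["sms_relayed_otp_accepted"] = sms.verify("alice", code, "mule-account", 999_00)

    srv = ChallengeServer()
    key = srv.enroll_device("alice-phone")
    t0 = 1_700_000_000.0
    # legitimate approval, then replay of the same response
    n1 = srv.issue_challenge("alice-phone", "bob", 50_00, now=t0)
    s1 = sign_transaction(key, n1, "bob", 50_00)
    r["legit_accepted"] = srv.verify("alice-phone", n1, "bob", 50_00, s1, now=t0 + 5)[0]
    r["replay_rejected"] = not srv.verify("alice-phone", n1, "bob", 50_00, s1, now=t0 + 6)[0]
    # intercepted response resubmitted with the payee changed
    n2 = srv.issue_challenge("alice-phone", "bob", 50_00, now=t0)
    s2 = sign_transaction(key, n2, "bob", 50_00)
    r["tampered_rejected"] = not srv.verify("alice-phone", n2, "mule-account", 50_00, s2, now=t0 + 5)[0]
    # attacker with a stolen password starts their own transfer and reuses alice's response
    n3 = srv.issue_challenge("alice-phone", "mule-account", 50_00, now=t0)
    r["forged_rejected"] = not srv.verify("alice-phone", n3, "mule-account", 50_00, s2, now=t0 + 5)[0]
    # response arriving after the challenge lifetime
    n4 = srv.issue_challenge("alice-phone", "bob", 50_00, now=t0)
    s4 = sign_transaction(key, n4, "bob", 50_00)
    r["expired_rejected"] = not srv.verify("alice-phone", n4, "bob", 50_00, s4, now=t0 + CHALLENGE_TTL_SECONDS + 1)[0]
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it directly to print each scenario. The point to carry into a real design is that the server checks four things before it approves: the challenge exists and has not been used, it has not expired, the submitted payee and amount are the ones the challenge was issued for, and the response verifies under the key enrolled for that device. An SMS code satisfies none of these beyond "the right six digits arrived", which is why a code phished or relayed from the customer approves whatever the attacker is doing.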

One option for mobile authentication is SMS verification, an OTP delivered by text message, which is still gaining adoption around the world. It was the main authentication method among financial institutions...
