A Logical Defense Against Attacks on Mobile Devices

A Logical Defense Against Attacks on Mobile Devices

When it comes to mobile security, pairing biometrics with device authentication is a logical defense against attacks.

As increasing numbers of businesses and consumers alike rely on mobile devices to engage and transact, exchanging sensitive financial and personally-identifiable information (PII) along the way, it has become imperative that new approaches to mobile security be deployed.

There are nearly daily headlines about security breaches at some of the world’s top firms. Long the norm for years, simple username and password protocols for authenticating users are no longer enough for mitigating financial and reputational damage due to fraud.

Many financial institutions, payment service providers (PSPs), retailers and other enterprises looking to leverage the mobile channel to increase customer engagement already realize the inherent weakness of usernames and passwords and are beginning to investigate superior means of authentication. Yet they are also concerned about inconveniencing customers. Businesses of all types are recognizing the benefits of a multi-layered approach to mobile security including the latest biometric and device authentication measures to reduce friction, improve the customer experience and still create a strong defensive posture against attacks.

The Problem with Passwords

Passwords have been considered problematic within the information security community for a decade. According to a study by KeeperSecurity, the most popular password in 2016 was 123456, with the word “password” in the top 10. In addition to guessing, fraudsters can steal passwords through phishing, keylogging and network interception.

The reason for simplistic passwords and password recycling (using the same or slightly varied password across different sites) is consumer frustration with forgetting their passcodes. As mobile and online adoption continues to increase, organizations have begun to embrace fingerprint biometrics as a way to reduce password fatigue, eliminate the headaches involved in dealing with stolen credentials, and to reduce friction along the transaction lifecycle.

Fingerprints: Leading the Biometrics Revolution

Biometrics are typically broken into two distinctive categories, physiological and behavioral. Physiological characteristics include fingerprints, DNA, irises, faces, and even odor. Behavioral characteristics include typing rhythm, gait and voice.

First out of the gate to the mass market has been fingerprints. According to a study by Juniper Research, fingerprints are the most common form of biometric authentication – and consumers like it.  Research by Gigya showed that 80 percent preferred biometrics and perceived them as more secure than usernames and passwords, which they, of course, are. Gigya also found that nearly half of the millennial respondents used one or more forms of biometric authentication. Fingerprint scanning was by far the most used at 38 percent, with voice recognition at 15 percent, facial recognition at 11 percent, and iris scanning at 5 percent.

Fingerprints are popular with consumers because they are convenient.  Other forms of biometric authentication, such as attempting voice recognition by speaking into a phone in a noisy or public environment, for example, are not always convenient or easy, but using a thumbprint is both quiet and inconspicuous.

User authentication via fingerprints solves customer frustration and strengthens security simultaneously, but fingerprint authentication alone is not the silver bullet for mitigating fraud.

Device Authentication: The One-Two Punch

Deploying one layer of biometric authentication may not be enough to secure mobile transactions, however. Biometrics fulfill the “something you are” component of multi-factor authentication (MFA), and while deploying more than one mode of biometric authentication can fulfill MFA requirements, to strengthen authentication further, organizations should also employ “something you have” or “something you know” conditions – but that can re-introduce points of friction into the transaction workflow for consumers.

The biometric login by itself only proves that the enrolled user is attempting a transaction. Unfortunately, this login gives no insight into the relative security of device itself—in other words, the environment in which the biometric is operating. The device housing the biometric data may be infected with unknown threats, such as application hooking, malware and crimeware designed to bypass the biometric or compromise the information after the biometric authentication is performed.

To truly strengthen security, exceed MFA requirements and ensure a smooth user experience, organizations need to deploy device authentication, fulfilling the “something you have” condition of MFA. When the device itself is authenticated, the environment surrounding the transaction is secured. It is only when one can fully trust the device and confirm the user’s identity that the ultimate device security weapon against fraud—a trusted security token—can be created.

Multi-Layered Security – Your Ultimate Defense

The logical conclusion in the search for the strongest form of mobile device security, then, is for organizations to employ a multi-layered approach that combines the right device authentication solution with biometrics that delivers maximum trust not only in the user, but also in the device itself.

With multi-layered digital device security in place, mobile-optimized businesses can perform device recognition and advanced fraud detection in real time to distinguish trusted users from potential fraudsters. This real-time risk assessment allows businesses to make more confident transaction decisions in a way that is most often invisible to the customer, striking a perfect balance between combating fraud, while continuing to provide a frictionless experience for trusted customers using their preferred device.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3