Thursday, June 2, 2011

Man-in-the-Phone Attacks and Mobile Malware

McAfee's latest threat report has noted a dramatic increase in mobile malware. This is a great opening for the possibility of conducting Man-in-the-Phone attacks, also known as Man-in-the-Mobile or MitMo attacks. Man-in-the-Phone attacks can thwart relatively weak security such as SMS OTP (one-time password) and out-of-band authentication. Online-based authentication is susceptible to interception, and the weak authentication can be relayed back to the fraudsters. A better and stronger approach is to have the authentication done OFFLINE and employ mutual authentication (aka two-way authentication). Additionally, transaction-specific information can be bound to the authentication, and made non-repudiable, by using challenge-response and transaction data signing. This dark new reality will start to confront institutions in the immediate future. They should preempt this emerging new class of attack vectors by future-proofing their security needs today. Otherwise, IT departments will continue to play a game of cat-and-mouse with quick-footed cyberattackers. Hackers are never slowed down by bureaucracy or quarterly budget concerns, cost cutting, or meeting analysts' earnings-call expectations.
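To show why transaction data signing resists a MitMo relay where a plain OTP does not, here is an added example (not from the original post or any vendor's product) that simulates both schemes with an HMAC-based offline token; the token key, challenge, account strings and 8-digit truncation are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample values: a per-token secret shared with the bank's server at
# enrolment, and a server-issued challenge shown to the user for the current session.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")

def truncate(mac: bytes) -> str:
    """Reduce a MAC to an 8-digit code a user can type from an offline token's display."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def sms_style_otp(key: bytes, challenge: bytes) -> str:
    """Weak scheme: the code depends only on the challenge, not on what is being approved,
    so whoever captures it can attach it to any transaction."""
    return truncate(hmac.new(key, challenge, hashlib.sha256).digest())

def transaction_signature(key: bytes, challenge: bytes, amount: str, dest: str) -> str:
    """Transaction data signing: the challenge AND the transaction fields are under the MAC.
    The offline token shows amount/dest on its own display, out of the malware's reach."""
    msg = b"|".join([challenge, amount.encode(), dest.encode()])
    return truncate(hmac.new(key, msg, hashlib.sha256).digest())

def server_accepts(key: bytes, challenge: bytes, amount: str, dest: str,
                   code: str, bound: bool) -> bool:
    """Server-side check; `bound` selects which scheme the server expects."""
    expected = (transaction_signature(key, challenge, amount, dest) if bound
                else sms_style_otp(key, challenge))
    return hmac.compare_digest(expected, code)

def mitmo_relay_succeeds(bound: bool) -> bool:
    """Simulate a MitMo: the user approves one transfer, the malware on the phone relays
    the captured code but submits a transfer to a different destination."""
    user_amount, user_dest = "100.00", "DE00-USER-INTENDED"      # constructed
    attacker_dest = "XX00-ATTACKER-MULE"                           # constructed
    if bound:
        code = transaction_signature(TOKEN_KEY, CHALLENGE, user_amount, user_dest)
    else:
        code = sms_style_otp(TOKEN_KEY, CHALLENGE)
    # The server sees the attacker's destination together with the relayed code.
    return server_accepts(TOKEN_KEY, CHALLENGE, user_amount, attacker_dest, code, bound)

if __name__ == "__main__":
    print("OTP relay accepted:", mitmo_relay_succeeds(bound=False))     # True
    print("Signed tx relay accepted:", mitmo_relay_succeeds(bound=True))  # False
```

The honest case still verifies under the bound scheme, because the server recomputes the MAC over the same fields the token displayed and the user approved.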

Institutions can continue to rely on one-time passwords and SMS OTPs, but the harsh reality is that we have already passed their half-life and they will soon be radioactive. Avoiding the Chernobyls of breaches requires a comprehensive, well-thought-out strategy starting today, employing much stronger user authentication and embedded transaction authentication and signing.
