The convenience offered by the Internet and the ever increasing availability of tablets and mobile devices continues to change the way people and organizations interact with each other all over the world. However, with greater online accessibility and usage, organizations and users are at risk of their personal information being compromised. It is becoming increasingly difficult for organizations to know whether the person accessing their service across the digital channel is truly the intended user.
To this end, securing online transactions on personal computers (PCs) using techniques such as risk-based authentication, browser and device fingerprinting, statistical modeling, and behavioral-based validation provides some assurance, by virtue of the diverse nature of the PC and world-wide web network infrastructure. When these same protection techniques are applied to mobile devices, however, much less heuristic data can be gathered, because a network-connected mobile device changes rapidly and dynamically; this further increases the difficulty of authentication.
Traditional device-based security solutions are not enough to deal with various modern attacks. For example, a password-plus-PVQ (Personal Verification Questions) scheme adds a second "what you know" factor and provides a higher level of security than pure password-based solutions. However, it is still vulnerable to various types of attacks, such as man-in-the-middle, cloning, social engineering and authentication protocol attacks. Phishing, an example of a social engineering attack, can deceive a user into exposing all login credentials, including PVQ answers, to the hacker. Once they are exposed, an illegitimate user can easily access the account.
Although device security certificates are commonly used, they are not immune to device cloning attacks. Out-of-band one time password (OTP) token solutions for two-factor authentication on high risk transactions effectively reduce the risk of cloning attacks, but they are still vulnerable to man-in-the-browser (MITB) attacks and short-message service (SMS) intercept. In this scenario a hacker can still intercept the communication and pass the user's credentials, including the OTP value, straight back to the real website, simply changing the purpose of the transaction. What the user sees and authorizes is different from what is actually happening in the account.
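The MITB weakness described above comes from the OTP not being tied to the transaction the user approved. The following added example (not from the original text) simulates the relay twice: once with a plain counter-based OTP, which the server accepts for the altered transaction, and once with an OTP computed over the payee and amount the user saw, which it rejects. The token secret, payee names and amounts are constructed values.

```python
import hmac
import hashlib

# Constructed demo secret standing in for the key provisioned to a user's OTP token.
TOKEN_SECRET = b"constructed-demo-secret-not-for-real-use"


def _truncate(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code, as OTP schemes typically do."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def plain_otp(secret: bytes, counter: int) -> str:
    """OTP derived from the secret and a counter only: it is valid for any transaction."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def bound_otp(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """OTP derived over the transaction details the user actually sees and approves."""
    msg = (counter.to_bytes(8, "big") + payee.encode("utf-8") + b"\x00"
           + amount_cents.to_bytes(8, "big"))
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def simulate_mitb(bound: bool) -> dict:
    """The user approves one transfer; a man-in-the-browser relays the OTP unchanged
    but substitutes its own payee and amount. Returns what the server accepted."""
    counter = 42
    user_sees = ("ACME Utilities", 12_000)   # constructed: the transfer shown to the user
    mitb_sends = ("Mule Account", 950_000)   # constructed: what the attacker submits instead
    if bound:
        otp = bound_otp(TOKEN_SECRET, counter, *user_sees)

        def verify(payee, amount):
            return hmac.compare_digest(bound_otp(TOKEN_SECRET, counter, payee, amount), otp)
    else:
        otp = plain_otp(TOKEN_SECRET, counter)

        def verify(payee, amount):  # the server has nothing tying the code to a transaction
            return hmac.compare_digest(plain_otp(TOKEN_SECRET, counter), otp)
    return {
        "genuine_accepted": verify(*user_sees),
        "altered_accepted": verify(*mitb_sends),
    }


if __name__ == "__main__":
    print("plain OTP:", simulate_mitb(bound=False))
    print("bound OTP:", simulate_mitb(bound=True))
```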
Risk-based security solutions detect abnormal online and mobile behaviors based on heuristic data analysis. Unusual behavior is identified by comparing it with the learned user profile or a device fingerprint. However, due to the technology makeup of mobile devices, device fingerprinting is not very reliable, as less meaningful data can be gathered. There are fewer factors that can be used to differentiate user behavior on mobile devices, so heuristic techniques become a guess at best, rendering the solution ineffective.
The strongest level of protection available for personal computing devices (PC or mobile) is security that is rooted in hardware. An example of this is the hardware Secure Element (SE), a storage environment used to securely host applications and their cryptographic credentials. The typical implementation of an SE requires a dedicated secure hardware module, such as a smart card, an embedded Secure Element (eSE), or even a removable SIM within a mobile device.