Two factor authentication and the safety of mobile-based payments
In most industry sectors, employees want access to all their apps from any mobile device, including their own personal devices. This has accelerated the expansion of mobile apps well beyond conventional tools and use cases such as mobile email, calendar and contact management. In fact, last year Gartner, Inc. predicted that:
- In 2015, more than 75% of mobile applications will fail basic security tests
- By 2017, the focus of endpoint breaches will shift to tablets and smartphones
- Through 2018, a variety of devices, user contexts, and interaction paradigms will make “everything everywhere” strategies unachievable
Mobile Computing and Security
Today, for many people worldwide, mobile banking and transactions initiated from a mobile device have simply become natural—more people than ever before are managing their finances from their smart mobile device. It is also worth noting that people expect everything they do, especially on their mobile, to be secure.
Last year, research presented by KPMG reported that roughly 25% of the world’s population will have a mobile banking account by the end of 2018, and that while mobile banking growth is fastest in developing countries, its security remains a major concern. With the booming adoption of mobile payments, online fraud has also continued to surge, especially within the financial industry.
Key challenge in Information Security
More employees than ever are demanding access to the applications and data that help them stay productive outside the office, and mobile devices like smartphones and tablets offer new mobility and flexibility for both people and IT. But the escalating reliance on mobile computing has introduced many new security risks, so satisfying mobility requirements is becoming more challenging. For instance, allowing users to access all their apps and data from untrusted devices and unpredictable locations raises significant security concerns and poses new challenges for information security and privacy.
In most cases, to do significant damage in the mobile world, malware needs to act on devices that have been altered at an administrative level. End-user practices such as ‘jailbreaking’ on iOS or ‘rooting’ on Android escalate the user’s privileges on the device, effectively turning the user into an administrator. This grants access to device resources that are normally off limits (in most cases the user does this deliberately), but it also puts data in danger: it removes app-specific protections and the safe ‘sandbox’ provided by the operating system, so malware can be downloaded easily and the device becomes open to all sorts of malicious actions, including extraction of enterprise data. Rooted or jailbroken devices also become prone to brute-force attacks on passcodes.
App Security and the evolving business risks
Mobile applications are changing the way business is done today, offering end-users instant access to services. As enterprise employees download mobile applications from app stores and use them to access enterprise assets or perform business functions, IT security must evolve its security programs to adapt to new forces such as cloud, mobile communications and social media, because these applications are exposed to attacks and to violations of enterprise security policy.
Defending against possible attacks from mobile platforms
Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance.
Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security. Attackers are taking advantage of this, and of the many complexities created by the mobile ecosystem, to exploit vulnerabilities, resulting in sophisticated fraud schemes and theft of sensitive data.
In this article we argue that the best defense for mobile security is to keep mobile devices fixed in a safe configuration and to apply a mobile device management (MDM) policy or an enterprise mobility management baseline to all mobile devices. IT security leaders also need to use network access control to deny enterprise connections to devices that exhibit potentially suspicious activity, and to deploy strong identity authentication mechanisms to prevent attacks on the core network infrastructure.
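As an added illustration of the baseline-plus-access-control approach argued for above (example code written for this article, not from any MDM product), the function below evaluates a device posture report against a hypothetical enterprise mobility baseline and returns whether enterprise access should be granted, together with the reasons for denial. The field names, minimum OS versions and failed-unlock threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class DevicePosture:
    """Posture report as an MDM agent might submit it (hypothetical fields)."""
    device_id: str
    platform: str             # "ios" or "android"
    os_version: tuple         # e.g. (13, 2)
    rooted_or_jailbroken: bool
    passcode_set: bool
    encrypted: bool
    mdm_enrolled: bool
    mfa_enrolled: bool        # user has a second authentication factor
    failed_unlocks_24h: int   # repeated passcode failures hint at brute forcing

# Hypothetical baseline: minimum OS per platform and tolerated failed unlocks.
BASELINE = {
    "min_os": {"ios": (12, 0), "android": (9, 0)},
    "max_failed_unlocks_24h": 10,
}

def evaluate(posture: DevicePosture, baseline=BASELINE) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any failed rule denies enterprise access."""
    reasons = []
    if posture.rooted_or_jailbroken:
        reasons.append("device is rooted/jailbroken: OS sandbox cannot be trusted")
    if not posture.mdm_enrolled:
        reasons.append("device is not enrolled in MDM")
    if not posture.passcode_set:
        reasons.append("no passcode configured")
    if not posture.encrypted:
        reasons.append("device storage is not encrypted")
    if not posture.mfa_enrolled:
        reasons.append("user has no second authentication factor enrolled")
    min_os = baseline["min_os"].get(posture.platform)
    if min_os is None:
        reasons.append(f"unknown platform {posture.platform!r}")
    elif posture.os_version < min_os:
        reasons.append(f"OS {posture.os_version} is below baseline minimum {min_os}")
    if posture.failed_unlocks_24h > baseline["max_failed_unlocks_24h"]:
        reasons.append("excessive failed unlock attempts: possible passcode brute force")
    return (not reasons, reasons)
```

A network access control gateway would call `evaluate` on each connection attempt and log the returned reasons, so that denied devices can be remediated rather than silently blocked.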