
Why Mobile Banking and Payment Apps Need Strong Authentication

Here we provide a short overview of why strong authentication is needed to secure mobile banking and payment applications.

We use the term “mobile banking” for both online banking and payment apps in a mobile context.

European Banking Authority’s Official Point of View

The European Banking Authority (EBA) published an opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2).

This 10-page document addresses the following points:

  • The security risks relating to electronic payments have increased;
  • Payment security requirements are formalised by PSD2 inside a national law;
  • Strong Customer Authentication (SCA) is required by PSD2;
  • SCA is defined classically as multi-factor authentication: “something you know” (knowledge) and/or “something you own” (possession) and/or “something you are” (inherence).

In the context of mobile security, the following points are of interest:

  • § 25: “a device could be used as evidence of possession, provided that there is a ‘reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device.’”

“the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.’”

  • § 26: “The EBA is of the view that approaches relying on mobile apps, web browsers or the exchange of (public and private) keys may also be evidence of possession, provided that they include a device-binding process that ensures a unique connection between the PSU’s app, browser or key and the device. This may, for instance, be through hardware crypto-security, web-browser and mobile-device registration or keys stored in the secure element of a device. By contrast, an app or web browser that does not ensure a unique connection with a device would not be a compliant possession element.” [ed.: PSU = payment service users]

Common Techniques Used in Mobile Banking to Perform SCA

Knowledge

  • A password, either static or a one-time “throwable;”
  • The answer to a question;
  • A 2D or 3D pattern;
  • How to solve a puzzle or a riddle;
  • A PIN;
  • Personal data like birth date, a residential address, credit card number, etc. 

Possession

  • A mobile phone;
  • A smartcard;
  • A secure element;
  • An HSM;
  • Any device with a physical unclonable function (PUF);
  • A SIM card;
  • An EMV credit card.

Inherence

  • Biometric fingerprint identification;
  • Voice identification;
  • Facial identification;
  • Keystroke signature and behavioral biometrics, in general;
  • Other types of biometric identification (iris scan, heartbeat, etc.).

Main Threats Against SCA

Knowledge is the most fragile authentication factor. A static password is not difficult to discover by brute force, or to intercept with a keylogger or an HTTP protocol analyzer. Answers to questions such as “Where did you spend your childhood?” can be guessed from personal data that the user has shared on social networks. Any proof-of-knowledge authentication that uses personal data such as birthdates is extremely weak.

Many third-party websites (especially those in the United States) make money with online advertisements that expose personal data, including:

There are many of these websites, which also include social websites (VK, Facebook, etc.). It is not difficult for an attacker to guess personal information from a user’s profile to steal knowledge that could be used in SCA.

Dynamic one-time-passwords or PINs that are blocked after three incorrect tries are more secure than static passwords. However, they must always be used in combination with a hardware device, implying possession. 

Proof of possession is not as fragile as knowledge. However, it is the most problematic to define and rigorously implement. 

Proof of possession often reverts to the device proving that it knows something on behalf of the user. This can also be connected to the PUF. Since it is supposedly unclonable, accessing the PUF in a proven way often means possession of the device that contains the PUF. Additionally, possession can be proven by computing a unique device signature that can be a mix of hardware and software parameters.

The EBA’s opinion paper mentions that knowledge of a code contained in an SMS does not necessarily prove the ownership of the SIM card that is linked to it. For instance, a technique like SIM swapping could be used. It takes away the reasonable assurance that knowledge of that code is bound to possession of the SIM card attached to the number that received the SMS.

If a mobile application merely computes a device fingerprint, an attacker could potentially intercept the fingerprint value and reuse it from another device to falsely claim possession.
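As an added illustration (not code from the original article or from the EBA opinion), the sketch below contrasts a server that accepts a static device fingerprint with one that requires an answer to a fresh challenge computed with a device-held key. The class and function names are hypothetical, the sample values are constructed, and an HMAC key stands in for the key that § 26 places in the secure element of the device.

```python
import hashlib
import hmac
import secrets

class BindingServer:
    """Server-side check of the possession factor (hypothetical example)."""
    def __init__(self):
        self.fingerprints = {}  # user -> static fingerprint registered at enrolment
        self.device_keys = {}   # user -> key bound to the device (assumed in a secure element)
        self.pending = {}       # user -> outstanding single-use challenge

    def enroll(self, user, fingerprint, device_key):
        self.fingerprints[user] = fingerprint
        self.device_keys[user] = device_key

    # Weak: the fingerprint never changes, so a value seen once verifies forever.
    def verify_static(self, user, fingerprint):
        expected = self.fingerprints.get(user, "")
        return hmac.compare_digest(expected, fingerprint)

    # Stronger: the device must answer a fresh random challenge with its key.
    def new_challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify_response(self, user, response):
        challenge = self.pending.pop(user, None)  # consume: one answer per challenge
        key = self.device_keys.get(user)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def device_answer(device_key, challenge):
    """Runs on the enrolled device; only the answer leaves it, never the key."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

def demo():
    server, key = BindingServer(), secrets.token_bytes(32)
    server.enroll("alice", "fp-constructed-0001", key)   # constructed sample values
    recorded = device_answer(key, server.new_challenge("alice"))
    genuine = server.verify_response("alice", recorded)   # fresh answer is accepted
    server.new_challenge("alice")                         # next login, new challenge
    replayed = server.verify_response("alice", recorded)  # old answer no longer matches
    static_replay = server.verify_static("alice", "fp-constructed-0001")
    return genuine, replayed, static_replay

if __name__ == "__main__":
    print(demo())
```

The static check accepts the same value on every login, while the recorded challenge answer is rejected as soon as the server issues a new challenge.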

The proof of inherence is usually the strongest, most secure, and most difficult to attack because it involves biometrics. Nevertheless, biometric devices may be costly. Most mobile phones are not equipped with a biometric fingerprint device or an iris scanner. Therefore, the primary technique is to take a picture of the user with the device’s built-in video camera and compare it with a registered ID that has been scanned previously or with the user’s photo that has been previously uploaded to the bank servers.

That technique is not very secure. A trojan on the mobile phone could substitute a virtual video camera loaded with pictures that match the user’s face on the servers.

Behavioral biometrics are a bit better because they are done “silently.” For example, they could capture the user’s keystrokes and compare their frequency to a registered keystroke pattern signature on the server. However, these methods can have a high False Reject Rate (FRR) and a high False Acceptance Rate (FAR).

Biometric systems with high FRR can cause real problems for customers. The most secure method is biometric fingerprint authentication. However, mobile phone manufacturers are not ready to equip their devices with a built-in scanner.

Finally, the main threat against SCA, and the one that shows the limits of these techniques, is simply physical coercion. The entire SCA architecture collapses if the user is forced by superior physical strength to give up his knowledge and his possession and, eventually, to cooperate in biometric identification. Unfortunately, such a scenario is not unheard of in Mexico or some South American countries.

Conclusion

Strong authentication is needed to create security in a mobile banking context. However, it must be used along with other techniques to protect data.
