Implementing Cybersecurity Strategies to Counteract Scams during Lunar New Year
With Lunar New Year around the corner, experts have warned of an anticipated surge in scams due to the increased online shopping activities. We need to be aware of two major types of attacks. First is the “easy way out”, which is the use of social engineering to fool users into doing things that they should not be doing. That is generally considered easier because people can be easily manipulated. The second type of attack is to circumvent technology defenses. This is where the use of insecure technologies can give you a false sense of security.
We have seen lots of scams these days where victims were enticed into installing malware in their phones. Once installed, such malware can either start snooping for user login passwords/PINs and One-Time Passwords (OTP), and send these private information to the attacker; or remotely control the victim’s phone to perform fund transfers. Even antivirus software may not be able to block all such attacks as these malware continuously morph themselves to evade detection. The solution is for banking and authentication apps to defend themselves by detecting malicious behavior and stopping transactions when that happens. This approach has been proven to be very successful in Singapore in blocking such attacks.
Although self-defense in apps can reduce scams, there is a much more insidious problem known as Trust Gap that affects most apps that rely on Android or iOS to secure their authentication keys. As explained in a V-Key white paper, most mobile authentication apps can, in fact, be breached by malware. This is regardless of any hardware-based protection provided by a phone. Most authentication apps use cryptographic keys to generate the codes used for user identification. If these keys are stolen, a hacker’s “loot” is the ability to authenticate transactions or sign documents on a user’s behalf. This is why most authentication apps try to make use of the safest storage available for these keys. For many developers, this means a mobile phone’s Trusted Execution Environment (TEE).
Unfortunately, there is a general flaw in their architectural design which hackers can exploit. We call this design flaw the Trust Gap because the TEE has no way of determining the identity of the app and relies on the OS to do so. But if the OS is compromised, the keys in the TEE can also be misused. This is an insidious and sophisticated attack as the targeted authentication app does not even need to be running or be tampered with to be compromised.
Many people have the misconception that a system is secure as long as two-factor authentication (2FA) is implemented. We already know that SMS OTP is no longer considered secure. How about hardware OTP tokens? They are actually pretty secure, in the sense that they make sure that the secret for generating the OTPs cannot be stolen or duplicated. However, they are still susceptible to social engineering attacks. Imagine someone posing as a bank employee and calling an unsuspecting customer, “Hey, I’m from Bank 123. We notice some suspicious activities and so we’ve frozen your account. Can you tell me the OTP displayed in your token so that I can unfreeze it?” Most people who do not know much about security would simply comply with the instructions. Nowadays, many banking apps deploy software-based tokens, or soft tokens in short. As mentioned earlier, many of these may be vulnerable to the Trust Gap attack. Those should not be used. In some implementations, the soft token also has the ability to detect whether the app has been tampered with. For example, if some malware on the phone tampers with the UI to show that $5 is about to be transferred when, in fact, the transaction is $5000, the soft token should be able to detect that and block the transaction. All these security features can make the soft token even more secure than a hardware token as there is no way a hardware token can know what’s happening inside the app.
Ultimately the best solution is to provide a means to securely identify each endpoint in a Zero Trust environment — whether they be users, apps, or servers. A secure element bound to every app and user, such as V-Key’s App Identity and Smart Token solutions, can serve as proof of identity of the app and user without the need for any external authenticators, and without compromising the user experience.
As we delve into cybersecurity strategies, let’s also celebrate the joyous occasion of the Lunar New Year, extending warm wishes for a prosperous and joyful Year of the Dragon to all!