Three steps to fight the Mobile Security status quo

50 minutes per day. That’s the amount of time an average user spends on Facebook, Facebook Messenger, and Instagram. There are lots of reasons for the “stickiness” of these social networking apps, but a big part of their appeal is what they don’t have: friction. When a user taps the Facebook app on their phone, it opens to their newsfeed immediately. They don’t even need to key in their username and password; Facebook already knows who they are.

Logging into an online banking app should be this frictionless. Instead, users are forced to jump through multiple hoops to prove their identity, entering not just a username and password but also a one-time password (OTP) generated by a hardware dongle or sent over SMS. This tedious process adds some security, but it costs users time and banks money. According to McKinsey, one major bank that optimized its digital channels to decrease friction and increase personalization raised its margins by $300 million. Any bank that is not striving to make its app as frictionless as Facebook’s is leaving that money, and more, on the table.

And yet, many financial institutions aren’t striving at all. They have accepted a status quo that sacrifices user experience for increased security, even when that security is itself unreliable (we’ll get to this below). This is a huge missed opportunity. Mobile digital identity is quickly becoming central to an entire suite of online services, including not just banking but enterprise and government functions. Institutions willing to challenge the status quo and work toward frictionless, secure mobile solutions will set themselves up to prosper and grow, while those that don’t will fall behind.

But if companies want to challenge the status quo, where should they start? Below, we describe three oft-ignored areas of research that could yield revolutionary innovations in mobile fraud prevention—and make today’s friction-filled user experiences a thing of the past.

1. Build a software security token that works

Many banking institutions have accepted the inconvenience of hardware tokens as the non-negotiable price of stopping account takeover. However, these tokens are not as foolproof as their complexity suggests. The 2011 compromise of RSA’s SecurID token seed data, which began with a phishing e-mail to RSA staff, and the more recent case in Singapore in which some 50 smartphones were infected with malware targeting mobile banking customers, both show that a hardware dongle does not defend against one of the simplest attacker tactics: phishing. A classic dongle computes its code from a secret seed and a counter or clock alone; the code says nothing about what it is authorizing. Because the dongle is completely isolated from the transaction the user is performing, the user can be tricked into handing over an OTP for an action different from the one they believe they are approving, for example by typing it into a convincing phishing page or a malicious app that relays it to the real bank in real time. In a financial transaction, the attacker then changes the payee, the account number, or the amount and diverts the funds to an account the attacker controls, while the bank sees a perfectly valid code.

A software token that shows the code on the device screen beside the details of the transaction it authorizes, or that sends the code straight from the user’s device to the bank’s server, closes this gap by binding the code to the action: the code is computed over the payee and amount the user sees, so a code captured for one transfer does not verify for another. It would also do away with the friction of a separate hardware dongle. However, even today’s state-of-the-art software tokens are relatively easy to crack once an attacker has the device in hand: the token’s seed has to live somewhere in the app’s storage or memory, and on a rooted or jailbroken phone it can be extracted and the token cloned. A committed attacker with physical possession of the device can typically do this within 2-3 days.

That’s not to say, though, that a more secure software solution is an impossible dream. With all the focus on hardware security over the past decades, innovation on the software side has been neglected. By investing in a platform that reproduces the isolation properties of a hardware secure element in software, a forward-thinking company could arrive at a token that binds every code to the transaction it authorizes. That would not end social engineering altogether, since a user can still be talked into approving a transaction that is displayed correctly, but it would take away the attacker’s ability to reuse a phished code for a different action, which is what makes today’s OTP phishing pay.

 

2. Design an OS that apps can trust

Almost every smartphone on the market today ships with some secure hardware. The iPhone has a Secure Enclave in which the Touch ID fingerprint is matched, and the SIM card is a secure element that holds the subscriber key and computes the GSM authentication response and session key (the radio-link encryption itself runs in the baseband processor, not on the SIM). However, mobile applications cannot use any of this hardware directly. Access is mediated by the phone’s operating system, so an app never sees the evidence; it only receives the OS’s verdict that a user has been authenticated, typically as a yes/no answer returned by an API call, and it has to take that verdict on trust.

This is a serious problem for application providers. A widely used app will be installed on millions of devices, and some of them will be jailbroken, rooted, or infected with malware. On such a device the assumption that the app can trust the operating system does not hold: a yes/no answer from the OS can be forged by the same code that has already subverted the OS. Hardware dongles are the current workaround for this, but as noted above they are not a foolproof one. If a company could build a secure element that apps could use safely, one that proves the user’s identity to the bank’s server directly, for example by signing a server-issued challenge with a key the OS cannot read, instead of having the app relay the OS’s verdict, it would remove the need for such workarounds and open the way to near-frictionless logins for secure apps.
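The weakness described in step 1 and the “verify directly instead of trusting the OS” point of step 2, as an added example that is not code from the article or from V-Key: a counter-based HOTP (RFC 4226) code as a classic dongle computes it, beside a code computed over the payee, the amount and a one-time challenge issued by the server, with the bank’s server as the only party that decides whether a code is valid. The per-user seed, the payees and amounts, and the use of an HMAC shared secret as a stand-in for a secure element’s key are assumptions constructed for this demo.

```python
"""Added example (not code from the article or from V-Key): a counter-based OTP
as a hardware dongle produces it, beside a code bound to the transaction the
user sees, with the bank's server as the only party that decides whether a
code is valid. Seed, payees and amounts below are constructed for the demo."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits at a MAC-chosen offset, reduced to digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Classic dongle code (RFC 4226 HOTP): depends on the seed and counter only,
    so it carries no information about what the user is authorizing."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int


def _canonical(tx: Transfer, challenge: bytes) -> bytes:
    """Unambiguous encoding of what the user saw: length-prefixed payee, fixed-width
    amount, plus the server's one-time challenge so the code cannot be replayed."""
    payee = tx.payee.encode("utf-8")
    return challenge + struct.pack(">H", len(payee)) + payee + struct.pack(">Q", tx.amount_cents)


def transaction_code(seed: bytes, tx: Transfer, challenge: bytes, digits: int = 8) -> str:
    """Transaction-bound code: changing the payee, the amount or the challenge changes it."""
    return _truncate(hmac.new(seed, _canonical(tx, challenge), hashlib.sha256).digest(), digits)


class BankServer:
    """Holds the per-user seed and makes every accept/reject decision itself; it never
    asks the app whether the user 'is authenticated' (an HMAC seed stands in for a
    secure element key here; a real deployment would verify a public-key signature)."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0            # next expected HOTP counter
        self.open_challenges = set()

    def accept_hotp(self, tx: Transfer, code: str) -> bool:
        # Legacy path: tx is not part of the check, only the code is. A small
        # look-ahead window, as HOTP servers use for dongles pressed without being used.
        for c in range(self.counter, self.counter + 3):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1
                return True
        return False

    def issue_challenge(self) -> bytes:
        ch = secrets.token_bytes(16)
        self.open_challenges.add(ch)
        return ch

    def accept_bound(self, tx: Transfer, challenge: bytes, code: str) -> bool:
        # A challenge is single use: any attempt, right or wrong, burns it, so a
        # relayed or replayed code cannot be retried (rate limiting is still required).
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        return hmac.compare_digest(transaction_code(self.seed, tx, challenge), code)


def phishing_demo() -> dict:
    """Victim wants to pay ACME; the attacker wants the same code to pay a mule account."""
    seed = b"constructed per-user seed shared by token and bank"
    bank = BankServer(seed)
    intended = Transfer("ACME Utilities", 12_000)
    diverted = Transfer("Mule Account 7", 950_000)
    results = {}

    # 1. Dongle OTP: the victim reads the code off the dongle and types it into a
    #    phishing page; the attacker submits that code with their own payee and amount.
    phished = hotp(seed, bank.counter)
    results["legacy_accepts_diverted"] = bank.accept_hotp(diverted, phished)

    # 2. Bound code, same phishing attempt: the token computed the code over the
    #    transfer the victim saw, so it does not verify for the diverted one.
    ch = bank.issue_challenge()
    victim_code = transaction_code(seed, intended, ch)
    results["bound_rejects_diverted"] = not bank.accept_bound(diverted, ch, victim_code)

    # 3. The genuine transfer, submitted from the victim's own app, goes through...
    ch = bank.issue_challenge()
    victim_code = transaction_code(seed, intended, ch)
    results["bound_accepts_intended"] = bank.accept_bound(intended, ch, victim_code)

    # 4. ...and replaying the very same code and challenge afterwards does not.
    results["bound_rejects_replay"] = not bank.accept_bound(intended, ch, victim_code)
    return results


if __name__ == "__main__":
    for name, ok in phishing_demo().items():
        print(f"{name}: {ok}")
```

Two caveats belong with this. The bound code only protects the user if the payee and amount shown on screen are the ones the code is computed over, which is exactly why step 2 asks for an element the OS cannot tamper with; malware that controls the display defeats both variants. And the shared HMAC seed is a simplification to stay in the standard library: with an asymmetric key held in the secure element, as FIDO-style schemes do, the server stores only a public key, so a server breach yields nothing that can produce valid codes.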

 

3. Process private information in the device itself

From banks to governments, more and more institutions today are looking at biometrics such as fingerprints, retinal scans, and facial recognition to identify end users. This approach has many friction-reducing advantages: it eliminates the need for the user to type in (or memorize) a password or to carry a dongle in order to prove their identity. However, it also raises serious privacy concerns. In many current deployments the biometric captured by the device is sent to an outside server to be matched against existing records, for example a driver’s license database. That server-side store of biometric data is a rich target for attackers, and unlike a password a fingerprint or face cannot be changed after a breach; it also creates compliance obligations for any company holding such sensitive data on its backend.

However, all is not lost. If the whole authentication process happened inside the device, in a secure element that apps could use directly without having to trust the OS, the biometric would never leave the phone: the match unlocks a key held in the secure element, and only a signature made with that key is sent to the server. The server verifies the signature and stores no biometric data at all, so the privacy problem with biometrics is avoided entirely. Logins to mobile apps could finally be both frictionless and secure: users would just touch the fingerprint sensor or snap a selfie.

There you have it: a roadmap to an app as frictionless as Facebook’s and more secure than today’s most hardened online banking platform. For too long, mobile security has focused narrowly on hardware; it is time for mobile app providers to redress that bias and explore software innovations with the potential to transform the field. Their users’ privacy and security, and their own companies’ bottom lines, depend on it.

With contribution from the Hippo Thinks research network.

 
