Javelin: Many issues with mobile security
12 November, 2014
category: Biometrics, Corporate, Digital ID
The weakest link when it comes to mobile security isn’t operating systems or application but the owner of that device, according to report from Javelin Research and Nok Nok Labs. Password reuse – a security issue no matter where an consumer is logging in – is prevalent among all mobile used with at least 60% of respondents saying they use the same password for multiple sites.
Handset manufacturers are offering consumers other ways to protect their devices and data with fingerprint scanners and other biometrics. Android, iOS, and Windows users most prefer fingerprint scanning — 34%, 38%, and 30%, respectively.
Samsung’s partnership with PayPal and Apple’s recent announcement of the use of Touch ID to authenticate mobile wallet transactions will have a effect on this trend as well. Once consumers become comfortable with this technology it will replace PINs for securing mobile devices, the report predicts.
Some sites offer two-factor authentication via text message as an extra security factor. But this is not without its own set of problems. More than 40% of iOS and Android users have two-factor authentication via SMS set up for access to financial accounts.
SMS‐based OTPs are being targeted and compromised by mobile malware and this represents a threat to the integrity of any consumer’s account that relies on OTPs, but in particular to the 41% of Android users who use OTPs to protect their financial accounts. Greater security can be achieved by using OTPs delivered through a dedicated app rater than a text message.
The report offers a number of recommendations for mobile users and enterprises:
- Use the authentication capabilities of the mobile device. To protect mobile users and their accounts from the vulnerabilities associated with the use of passwords, take advantage of hardware integrated into mobile devices to protect all channels. More secure solutions, such as those based on biometrics, can be delivered directly to consumers without the cost of providing additional hardware, such as face or voice biometrics.
- Encourage the use of comprehensive security software. Comprehensive mobile security software can help prevent a variety of threats. Anti‐malware capabilities can protect users from malicious apps designed to glean account credentials and other sensitive personal information. Other features can include the ability to remotely wipe the device.
- Be mindful of how OTPs are being used and sent. One‐time passwords sent by SMS are vulnerable to being intercepted and rerouted by mobile malware, while those delivered through email could also be stolen should the account be compromised. When using OTPs to protect valuable accounts, such as online banking, avoid sending OTPs through either of these methods.
- Educate consumers about how biometric data is protected and used. Fingerprint scanning benefits from its long history, including its use by law enforcement and in commercial applications and its popularity in film. Consumer concerns about the privacy and effectiveness of a biometric solution can be relieved through education, giving other modalities an opportunity to close the gaps in public awareness and comfort.