One-time-password theft highlights challenges for 2-factor authentication

By: William Jackson
January 25, 2016

Multi-factor authentication is being pushed as a solution for better access control for sensitive information and applications. But new malware that steals one-time passwords delivered by voice call shows that two-factor authentication is only as strong as the devices that support it.

With greater use of two-factor authentication, there is more incentive in the hacker community to attack these systems, says Mark Kanok, senior director of product management at TeleSign, a mobile identity security company. One of the most common second-factor schemes uses an out-of-band channel, such as a text message or a voice call, to deliver a one-time password to the user or to confirm a transaction. But if users do not secure their mobile phones and are not careful about the software they load onto them, their bank accounts can be left open to fraud.

One of the newest threats to these transactions is Android.Bankosy, malware that Symantec documented late last year. Originally used to intercept one-time passwords or passcodes sent by text message, it has been modified to intercept voice calls as well. Once installed on a target Android phone, the malware, on command from its command-and-control server, enables call forwarding to a number the attacker controls and puts the phone into silent mode so that the user does not notice that incoming calls are being forwarded.

This allows an attacker who already holds the victim's account information and primary log-in credentials (typically a user name and password) to initiate a transaction and then receive the voice call carrying the one-time password needed to complete it.

This is clever, but it has some restrictions. It works only if the criminal already has the account information and the primary authentication factor, and it works only on Android phones. That makes it most likely a targeted attack, and one that depends on the attacker getting the victim to install the malware. It also highlights both the strength and the weakness of this type of two-factor authentication: it is only as strong as the security of the victim's mobile phone.

A mobile-phone user who runs antivirus software and is careful about which links he clicks and what he downloads is at far less risk. But far too many users fall outside this category. Android developers could also help. Call forwarding is rarely used on mobile phones, because the whole point of a mobile phone is to keep the user reachable wherever he or she is. Enabling the feature could therefore raise a red flag and require some kind of user confirmation, making the attack harder.
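The confirmation step suggested above can be sketched in code. The following is an added example, not code from the article, from Symantec or from TeleSign: a small policy hook that a dialer or an enterprise mobility agent could place between an app's dial request and the telephony stack. It assumes the malware enables forwarding the way phones normally do, by dialing a GSM call-forwarding MMI code of the *21*destination# family defined in 3GPP TS 22.030, and it holds any dial string that would activate or register forwarding until the user confirms, while letting interrogation (*#21#) and deactivation (#21#) through, since those are what a user runs to check for or undo the attack. The sample dial strings are constructed.

```python
"""Flag dialer strings that would silently enable GSM call forwarding.

Added example (not from the article, Symantec or TeleSign): a policy hook
between an app's dial request and the telephony stack that requires user
confirmation before a call-forwarding MMI code reaches the network.
Prefixes and service codes follow 3GPP TS 22.030; the assumption is that
the malware dials these codes rather than using some other mechanism.
"""
import re

# 3GPP TS 22.030 supplementary-service codes for call forwarding.
FORWARDING_SERVICE_CODES = {
    "21": "call forwarding unconditional",
    "61": "call forwarding on no reply",
    "62": "call forwarding on not reachable",
    "67": "call forwarding on busy",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
}

# Procedure prefix -> operation (longer prefixes listed first in the regex
# so "**" and "*#" are not mistaken for a bare "*").
PREFIX_ACTIONS = {
    "**": "register",
    "*#": "interrogate",
    "##": "erase",
    "*": "activate",
    "#": "deactivate",
}

# <prefix><SC>[*SIA[*SIB[*SIC]]]#  with empty SI fields permitted.
_MMI_RE = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#$")


def parse_mmi(dial_string):
    """Return (action, service_code, [SIA, SIB, ...]) or None if the string
    is not a well-formed MMI procedure (e.g. an ordinary phone number)."""
    m = _MMI_RE.match(dial_string.strip())
    if not m:
        return None
    prefix, service_code, tail = m.groups()
    supp_info = tail.split("*")[1:] if tail else []
    return PREFIX_ACTIONS[prefix], service_code, supp_info


def forwarding_change(dial_string):
    """Describe a dial string that would turn call forwarding on, else None.

    Only activation and registration change where calls go; interrogation,
    deactivation and erasure are left alone so the user can check and undo.
    """
    parsed = parse_mmi(dial_string)
    if parsed is None:
        return None
    action, service_code, supp_info = parsed
    if action not in ("activate", "register"):
        return None
    if service_code not in FORWARDING_SERVICE_CODES:
        return None
    # For forwarding services SIA is the destination number, SIB the basic
    # service code and SIC the no-reply timer; any of them may be empty.
    destination = supp_info[0] if supp_info and supp_info[0] else None
    return {
        "action": action,
        "service": FORWARDING_SERVICE_CODES[service_code],
        "destination": destination,
    }


def requires_confirmation(dial_string):
    """Policy decision: True if the dial should be held for user consent."""
    return forwarding_change(dial_string) is not None


if __name__ == "__main__":
    # Constructed sample dial requests, as a dialer hook might see them.
    samples = [
        "15551234567",              # ordinary call
        "*#21#",                    # user checking whether forwarding is on
        "#21#",                     # user switching forwarding off
        "*21*15551230000#",         # what an OTP-stealing C&C would send
        "**62*+15551230000*11#",    # forward when not reachable, voice only
        "*61*15551230000**20#",     # forward on no reply after 20 s
    ]
    for s in samples:
        verdict = "HOLD FOR CONFIRMATION" if requires_confirmation(s) else "allow"
        print(f"{s:28} {verdict}  {forwarding_change(s) or ''}")
```

The hook deliberately parses the full MMI grammar rather than matching the literal `*21*`, because the conditional variants (`*61*`, `*62*`, `*67*`) and the registration form (`**21*`) would all let an attacker receive the OTP call once the victim's phone is silenced or busy.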

“Nothing is fool-proof,” Kanok said. “But there are a lot of opportunities for two-factor authentication.” More routine use of multi-factor authentication would also make it harder for attackers to collect account information and credentials in the first place.

Out-of-band confirmation by text or voice is probably the easiest way to add a second factor, because phones are almost ubiquitous. Biometrics typically require additional hardware or software, although some forms of passive recognition using existing camera capabilities are becoming more common. A person who chooses to receive the confirmation call on a land-line phone is probably more secure against this particular attack, because mobile malware has nothing to run on in an old-fashioned desk set.

What it all comes down to is the need for users of mobile devices—both individuals and organizations—to have strong policies and practice good security hygiene for the devices. There is no reason to make this type of attack easy for the bad guys. Treating a mobile phone like the powerful computer it is will go a long way toward improving security.

“A little bit of diligence can help avoid this kind of pain,” Kanok said.