February 19, 2015 By Yishay Yovel 3 min read

Enterprises are deploying enterprise mobility suites to manage risks to mobile enterprise content. However, mobile devices can also access sensitive enterprise back-end systems. Security-conscious organizations are now deploying mobile authentication to secure access to enterprise applications and monitor all the transactions that follow, such as updating sensitive financial or business data.

Mobile authentication and access security deal with a fundamental question: Was the authentication or transaction initiated by a genuine employee or customer?

This question addresses two types of threats. First, a cybercriminal could access the user’s credentials (using a phishing attack, for example) and then use his or her mobile device to gain unauthorized access to the enterprise system. Second, a user’s mobile device may be compromised by malware that could tamper with specific interactions created by the genuine user or effectively bypass strong security measures.

Mobile Authentication: The Criminal at the Door

The challenge of detecting a criminal at the door or an account takeover attempt isn’t new. However, mobile devices make that challenge even harder. Historically, risk-based authentication technologies relied on desktop and laptop “fingerprinting” to determine whether a given device had previously been used by the genuine user or whether a new device was being introduced. Step-up authentication measures were triggered for new devices to ensure that the genuine user was the one using that device.

Unlike desktops and laptops, mobile devices all look very much alike to server-based device fingerprinting solutions. It is very difficult to distinguish one mobile device from another, especially with iPhones, which are identical within a particular model.

Therefore, mobile access security must evolve to get an accurate device fingerprint that can uniquely identify the device. One way to achieve this is to use a secure mobile browser or embedded mobile risk detection capability within sensitive apps to capture a hardware-based device fingerprint. Used as an access enforcement point, a secure mobile gateway can consider this device fingerprint in conjunction with additional context such as geolocation and time of access to flag or stop high-risk access.
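The following is an added example, not code from the original article or from any product it describes. It shows why a fingerprint built only from what a server can observe over HTTP collides for two phones of the same model, while a fingerprint that also includes a per-device identifier read by a secure browser or in-app SDK stays distinct. The attribute names, the `hardware_id` field and the gateway key are constructed assumptions; the fingerprint is an HMAC so the gateway stores an opaque, stable value rather than raw identifiers.

```python
import hashlib
import hmac
import json

# Attributes a gateway can observe from an ordinary HTTP session (constructed list).
SERVER_OBSERVABLE = ("model", "os_version", "screen", "user_agent")

# Attributes only a secure browser / in-app SDK can read on the device itself.
# "hardware_id" is a placeholder for whatever stable per-device identifier the
# platform exposes to the SDK; the name is an assumption, not a real API.
HARDWARE_ONLY = ("hardware_id",)


def _fingerprint(attrs: dict, keys: tuple, gateway_secret: bytes) -> str:
    """Canonicalise the selected attributes and HMAC them with a gateway-held key.

    The result is stable for the same device report and opaque to anyone who
    does not hold the key, so the gateway never has to store raw identifiers.
    """
    missing = [k for k in keys if k not in attrs]
    if missing:
        # A report that lacks a required attribute is not enrollable; refuse
        # rather than silently producing a weaker fingerprint.
        raise ValueError(f"device report missing attributes: {missing}")
    canonical = json.dumps({k: attrs[k] for k in keys},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(gateway_secret, canonical, hashlib.sha256).hexdigest()


def server_side_fingerprint(attrs: dict, gateway_secret: bytes) -> str:
    """What a server-only solution can compute: model, OS, screen, user agent."""
    return _fingerprint(attrs, SERVER_OBSERVABLE, gateway_secret)


def hardware_fingerprint(attrs: dict, gateway_secret: bytes) -> str:
    """What the secure browser / SDK can compute: the same plus a hardware id."""
    return _fingerprint(attrs, SERVER_OBSERVABLE + HARDWARE_ONLY, gateway_secret)


def is_enrolled(attrs: dict, gateway_secret: bytes, enrolled: set) -> bool:
    """True if this device's hardware fingerprint was seen before for the user."""
    return hardware_fingerprint(attrs, gateway_secret) in enrolled


# Constructed reports from two different iPhones of the same model and OS build.
PHONE_A = {"model": "iPhone6,1", "os_version": "8.1.3", "screen": "640x1136",
           "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X)",
           "hardware_id": "A1F3-0001"}
PHONE_B = dict(PHONE_A, hardware_id="A1F3-0002")

# Constructed key; a real gateway would load this from managed key storage.
GATEWAY_SECRET = b"example-gateway-hmac-key"


def demo() -> dict:
    """Compare the two fingerprinting approaches on the two sample phones."""
    enrolled = {hardware_fingerprint(PHONE_A, GATEWAY_SECRET)}
    return {
        "server_side_collides": server_side_fingerprint(PHONE_A, GATEWAY_SECRET)
                                == server_side_fingerprint(PHONE_B, GATEWAY_SECRET),
        "hardware_distinct": hardware_fingerprint(PHONE_A, GATEWAY_SECRET)
                             != hardware_fingerprint(PHONE_B, GATEWAY_SECRET),
        "phone_a_enrolled": is_enrolled(PHONE_A, GATEWAY_SECRET, enrolled),
        "phone_b_enrolled": is_enrolled(PHONE_B, GATEWAY_SECRET, enrolled),
    }


if __name__ == "__main__":
    print(demo())
```

The gateway can then treat a fingerprint it has not seen for this user as the "new device" signal that triggers step-up authentication, and combine it with geolocation and time of access when scoring the request.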

Malware-Infected Devices

A compromised device contains malicious software — or malware — that has privileged access rights to the device’s operating system and core functions, such as SMS. Most mobile malware to date comes packaged into seemingly benign applications downloaded from third-party app stores and granted privileged access by the user during the installation process. Similar to phishing, mobile malware can capture credentials and interfere with SMS-based strong authentication by intercepting and redirecting one-time passwords. On jailbroken or rooted devices, malware can also tamper with transactions on the fly. For example, it could change the payee account in a money transfer.

The Device Is the Weak Link in the Chain of Trust

The ability to trust access depends on the ability to trust the device. Access from a compromised device simply cannot be trusted. By extension, malware and jailbreak detection should be part of the mobile access risk assessment. A device-side component can dynamically detect the state of the device and communicate it to the secure mobile gateway, thus broadening the context used to evaluate the access and enforce corporate policies. Similarly, even if the device isn’t compromised, other contextual data such as location and time of access can help organizations determine whether the access is suspicious and invoke measures to mitigate risk.

Context and risk awareness are key to enabling effective mobile authentication and access security that addresses risky transactions without degrading the overall user experience. For employees, risk-based authentication can be used to prevent access from devices that do not present the proper security posture. Or, if access is allowed, it can restrict specific transactions until the device is brought back into compliance. For customers and other third parties, transactions can be silently flagged for review, and the customer service team can follow up on the small subset of activity that exhibits suspicious attributes before it is allowed to execute.
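As an added example (not the article's or any vendor's code), here is a gateway-side policy that puts the preceding two sections together: the device-side component reports jailbreak, malware and compliance state, the gateway adds whether the device fingerprint is already enrolled plus location and time context, and the outcome differs for employees (deny or restrict) and customers (step up or silently flag). All field names, the list of sensitive transactions and the "unusual time" window are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed policy constants; a real deployment would load these from policy config.
SENSITIVE = frozenset({"transfer", "update_financials"})
NIGHT_HOURS = frozenset(range(0, 6))  # assumption: 00:00-05:59 local is unusual


@dataclass(frozen=True)
class AccessContext:
    user_type: str              # "employee" or "customer"
    device_known: bool          # hardware fingerprint already enrolled for this user
    jailbroken: bool            # reported by the device-side component
    malware_detected: bool      # reported by the device-side component
    policy_compliant: bool      # meets corporate posture policy (e.g. patch level)
    country: str                # from geolocation of this access
    usual_countries: frozenset  # countries seen for this user before
    hour_local: int             # local hour of access, 0-23
    transaction: str            # "login", "view", "transfer", ...


def risk_factors(ctx: AccessContext) -> list[str]:
    """Collect the context signals that raise the risk of this access."""
    factors = []
    if ctx.jailbroken or ctx.malware_detected:
        factors.append("compromised_device")
    if not ctx.policy_compliant:
        factors.append("non_compliant_posture")
    if not ctx.device_known:
        factors.append("new_device")
    if ctx.country not in ctx.usual_countries:
        factors.append("unusual_location")
    if ctx.hour_local in NIGHT_HOURS:
        factors.append("unusual_time")
    return factors


def decide(ctx: AccessContext) -> tuple[str, list[str]]:
    """Return (decision, factors).

    Decisions: allow, step_up, restrict_transaction, flag_for_review, deny.
    """
    factors = risk_factors(ctx)
    compromised = "compromised_device" in factors
    new_device = "new_device" in factors
    contextual = [f for f in factors if f in ("unusual_location", "unusual_time")]
    sensitive = ctx.transaction in SENSITIVE

    if ctx.user_type == "employee":
        if compromised:
            # Access from a compromised device cannot be trusted at all.
            return "deny", factors
        if new_device:
            # Unknown device: make the genuine user prove they hold it.
            return "step_up", factors
        if sensitive and ("non_compliant_posture" in factors or contextual):
            # Login is allowed, but sensitive operations wait for compliance
            # or for the unusual context to be explained.
            return "restrict_transaction", factors
        return "allow", factors

    # Customers: do not degrade the experience; silently flag the suspicious
    # minority of sensitive transactions for the service team to review.
    if sensitive and factors:
        return "flag_for_review", factors
    if compromised or new_device:
        return "step_up", factors
    return "allow", factors


if __name__ == "__main__":
    sample = AccessContext("employee", device_known=True, jailbroken=True,
                           malware_detected=False, policy_compliant=True,
                           country="US", usual_countries=frozenset({"US"}),
                           hour_local=10, transaction="transfer")
    print(decide(sample))
```

The split between employees and customers mirrors the text: an enterprise can refuse a non-compliant employee device outright or gate its sensitive transactions, whereas a customer-facing service keeps the transaction flowing and lets a reviewer catch the small suspicious subset.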
