Enterprises are deploying mobility management suites to control the risks to corporate content on mobile devices. But those same devices also reach sensitive back-end systems. Security-conscious organizations are therefore adding mobile authentication to secure access to enterprise applications and to monitor the transactions that follow, such as updates to sensitive financial or business data.

Mobile authentication and access security deal with a fundamental question: Was the authentication or transaction initiated by a genuine employee or customer?

This question covers two types of threat. First, a cybercriminal could obtain the user's credentials (through a phishing attack, for example) and use them from a device of the criminal's own to gain unauthorized access to the enterprise system. Second, the genuine user's mobile device may be infected with malware that tampers with the interactions the user legitimately initiates or bypasses strong authentication outright.

Mobile Authentication: The Criminal at the Door

The challenge of detecting a criminal at the door, that is, an account takeover attempt, isn't new. Mobile devices, however, make it harder. Historically, risk-based authentication relied on desktop and laptop "fingerprinting" to determine whether a given device had been used by the genuine user before or whether a new device was being introduced. Step-up authentication was triggered for new devices to confirm that the real user was behind them.

Unlike desktops and laptops, mobile devices look very much alike to server-based device fingerprinting: the attributes a server can observe (model, OS version, screen size, browser) are shared by every unit of a given model. It is therefore very difficult to distinguish one handset from another, especially among iPhones, which are identical within a particular model.

Therefore, mobile access security must evolve to obtain a device fingerprint that can uniquely identify the device. One way to achieve this is to use a secure mobile browser, or risk-detection capability embedded in sensitive apps, to capture a hardware-based device fingerprint. A secure mobile gateway, acting as the access enforcement point, can then combine this fingerprint with additional context such as geolocation and time of access to flag or stop high-risk access.

Malware-Infected Devices

A compromised device runs malicious software, or malware, with privileged access to the device's operating system and core functions such as SMS. Most mobile malware to date has arrived packaged inside seemingly benign applications downloaded from third-party app stores and granted privileged access by the user during installation. Like phishing, mobile malware can capture credentials; it can also defeat SMS-based strong authentication by intercepting and redirecting one-time passwords. On jailbroken or rooted devices, malware can additionally tamper with transactions on the fly, changing the payee account in a money transfer, for example.

The Device Is the Weak Link in the Chain of Trust

The ability to trust access depends on the ability to trust the device. Access from a compromised device simply cannot be trusted. By extension, malware and jailbreak detection should be part of the mobile access risk assessment. A device-side component can dynamically detect the state of the device and communicate it to the secure mobile gateway, thus broadening the context used to evaluate the access and enforce corporate policies. Similarly, even if the device isn’t compromised, other contextual data such as location and time of access can help organizations determine whether the access is suspicious and invoke measures to mitigate risk.

Context and risk awareness are key to enabling effective mobile authentication and access security that address risky transactions without degrading the overall user experience. For employees, risk-based authentication can be used to prevent access for devices that are not presenting the proper security posture. Or, if access is allowed, it can restrict specific transactions until the device is brought back to compliance. For customers and other third parties, transactions can be silently flagged for review and the customer service team can follow up on the small subset of activity that exhibits suspicious attributes before it is allowed to execute.
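The two mechanisms described above, a hardware-based fingerprint that tells identical handsets apart and a gateway decision that weighs device posture, familiarity and context differently for employees and customers, are shown together in the following added example. It is illustration written for this article, not code from the article or from any vendor product. The attribute names, the `hw_key_id` device-bound identifier (assumed to come from hardware-backed key storage via an in-app SDK), the policy thresholds and the sample profiles are all assumptions.

```python
"""Context-aware access decision for a secure mobile gateway.

Added illustration for this article; not the article's or a vendor's code.
All attribute names, policy rules and sample data below are assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


def weak_fingerprint(attrs: dict) -> str:
    """Fingerprint from attributes a server can observe (model, OS build,
    screen). Two handsets of the same model and build collide."""
    keys = ("model", "os_version", "screen")
    return hashlib.sha256("|".join(attrs[k] for k in keys).encode()).hexdigest()[:16]


def hardware_fingerprint(attrs: dict) -> str:
    """Same attributes plus a device-bound identifier that only an in-app
    SDK or secure browser can read (assumed: a key identifier generated in
    hardware-backed storage at first launch, unique per device)."""
    keys = ("model", "os_version", "screen", "hw_key_id")
    return hashlib.sha256("|".join(attrs[k] for k in keys).encode()).hexdigest()[:16]


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"            # challenge for an additional factor
    RESTRICT = "restrict"          # allow login, block sensitive transactions
    FLAG_FOR_REVIEW = "flag"       # let it through, but queue it for review
    DENY = "deny"


@dataclass
class AccessContext:
    user_type: str                 # "employee" or "customer"
    device_fingerprint: str        # hardware_fingerprint() of the calling device
    country: str
    hour_utc: int
    jailbroken: bool = False       # reported by the on-device component
    malware_detected: bool = False
    sensitive_transaction: bool = False


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    usual_hours: range = field(default_factory=lambda: range(6, 22))


def evaluate_access(ctx: AccessContext, profile: UserProfile):
    """Return (Decision, reasons). Device integrity is checked first, then
    device familiarity, then behavioural context."""
    reasons = []

    # 1. Access from a compromised device cannot be trusted at all.
    if ctx.malware_detected:
        return Decision.DENY, ["malware detected on device"]
    if ctx.jailbroken:
        reasons.append("device is jailbroken/rooted")

    # 2. Has the genuine user used this exact device before?
    new_device = ctx.device_fingerprint not in profile.known_devices
    if new_device:
        reasons.append("unrecognised device fingerprint")

    # 3. Behavioural context: geolocation and time of access.
    anomalies = 0
    if ctx.country not in profile.usual_countries:
        anomalies += 1
        reasons.append(f"access from unusual country {ctx.country}")
    if ctx.hour_utc not in profile.usual_hours:
        anomalies += 1
        reasons.append(f"access at unusual hour {ctx.hour_utc:02d}:00 UTC")

    employee = ctx.user_type == "employee"
    if new_device:
        # Prove the real user holds the device before enrolling its fingerprint.
        return Decision.STEP_UP, reasons
    if ctx.jailbroken and ctx.sensitive_transaction:
        # Non-compliant device: employees lose sensitive transactions until the
        # device is remediated; customer transactions go to the review queue.
        return (Decision.RESTRICT if employee else Decision.FLAG_FOR_REVIEW), reasons
    if anomalies and ctx.sensitive_transaction:
        return (Decision.STEP_UP if employee else Decision.FLAG_FOR_REVIEW), reasons
    # Low-risk access: allow, but keep the reasons for the audit trail.
    return Decision.ALLOW, reasons


# Constructed sample data: two handsets of the same model, one enrolled user.
IPHONE_A = {"model": "iPhone14,5", "os_version": "16.4", "screen": "1170x2532", "hw_key_id": "kid-a1"}
IPHONE_B = {"model": "iPhone14,5", "os_version": "16.4", "screen": "1170x2532", "hw_key_id": "kid-b2"}
ALICE = UserProfile(known_devices={hardware_fingerprint(IPHONE_A)}, usual_countries={"US"})

if __name__ == "__main__":
    print("weak fingerprints collide:", weak_fingerprint(IPHONE_A) == weak_fingerprint(IPHONE_B))
    print(evaluate_access(AccessContext("employee", hardware_fingerprint(IPHONE_B), "US", 10), ALICE))
    print(evaluate_access(AccessContext("customer", hardware_fingerprint(IPHONE_A), "RO", 3,
                                        sensitive_transaction=True), ALICE))
```

The order of checks is the point: a malware report ends the evaluation before any context is weighed, an unknown fingerprint always triggers step-up regardless of how benign the rest looks, and geolocation or time anomalies alone only matter for sensitive transactions, so routine read access is not degraded for users travelling or working late.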
