On a gray winter day, a man dressed in a long, heavy coat and carrying a large suitcase approaches a border control checkpoint. A stern-looking guard at the checkpoint inspects the man briefly and asks for his passport and ID papers for identity authentication. Calmly, the traveler pulls out the papers from his pockets and hands them to the officer. As the latter reads through the traveler’s papers, he neglects to notice how the expression on the man’s face changes as he suddenly pulls out a gun.

I remember this scene from a movie I saw as a teenager some 30 years ago (oops, just gave my age away!), and it reminds me of today’s online data loss and fraud risks. Vendors require users to go through cumbersome authentication solutions, all while the most important baselines in the authentication process — trust before authentication — are neglected.

Mobile Security Challenges

The Internet puts so much data and so many services at our fingertips that make our lives easier and streamline our work. Mobile networks and smartphones have entered that sphere to extend the Internet’s presence in our lives to virtually everywhere at anytime. It allows us to view our medical records in real time, manage our finances or book tickets to a concert, all while taking a walk in the park.

However, to provide us with this wonderful access and visibility, the mobile services we enjoy rightfully demand to know who we are. They require us to follow authentication protocols to prove we are their legitimate customers and should be allowed access.

That being said, it is unfortunate to note that many of these services — much like the border control officer in the movie — fail to start by qualifying whether they can trust the party performing the authentication even before checking its actual credentials. Recent IBM research revealed nearly 60 percent of leading mobile dating applications evaluated on the Android mobile platform are vulnerable to potential cyberattacks that could put personal user information and organizational data at risk.

Trust Before Authentication

Skipping trust establishment before authenticating users — a seemingly small loophole — can allow many Internet wolves in sheep’s clothing to use compromised devices to hide their true identity and impersonate someone else. While the Internet’s essence does allow people to use false identities, the devices they use for authentication can tell service providers the truth. Fortunately, mobile devices have many telltale signs that can be used to identify a mismatch between the faker and the real owner of the credentials that come knocking.

By transparently scanning devices (mobile or desktop) for various risk factors and suspicious signs even before challenging users for their credentials, online services can proactively establish trust with the authenticating device to avoid performing authentication without trust.

To establish this trust, service providers can use a range of integrative solutions to scan devices. This silent scan allows both mobile apps and Web applications to gain important insight about the authenticating device’s risk state and define whether they trust it before proceeding to the actual authentication. For example, the app on a mobile device can “know” whether the device is infected with malware or is using an unsecured Wi-Fi network. Then, it can “decide” in real time whether authentication or other sensitive operations should be allowed.

Going back to the movie scene, had the border control officer scanned the man more closely for the telling signs of heightened risk, or had he checked for concealed weapons to establish basic trust before performing passport authentication, the scene would have ended very differently. If you want to keep criminals and impostors out, always remember you should have no authentication without trust.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today