On a gray winter day, a man dressed in a long, heavy coat and carrying a large suitcase approaches a border control checkpoint. A stern-looking guard at the checkpoint inspects the man briefly and asks for his passport and ID papers for identity authentication. Calmly, the traveler pulls out the papers from his pockets and hands them to the officer. As the latter reads through the traveler’s papers, he neglects to notice how the expression on the man’s face changes as he suddenly pulls out a gun.

I remember this scene from a movie I saw as a teenager some 30 years ago (oops, just gave my age away!), and it reminds me of today’s online data loss and fraud risks. Vendors require users to go through cumbersome authentication solutions, all while the most important baselines in the authentication process — trust before authentication — are neglected.

Mobile Security Challenges

The Internet puts so much data and so many services at our fingertips that make our lives easier and streamline our work. Mobile networks and smartphones have entered that sphere to extend the Internet’s presence in our lives to virtually everywhere at anytime. It allows us to view our medical records in real time, manage our finances or book tickets to a concert, all while taking a walk in the park.

However, to provide us with this wonderful access and visibility, the mobile services we enjoy rightfully demand to know who we are. They require us to follow authentication protocols to prove we are their legitimate customers and should be allowed access.

That being said, it is unfortunate to note that many of these services — much like the border control officer in the movie — fail to start by qualifying whether they can trust the party performing the authentication even before checking its actual credentials. Recent IBM research revealed nearly 60 percent of leading mobile dating applications evaluated on the Android mobile platform are vulnerable to potential cyberattacks that could put personal user information and organizational data at risk.

Trust Before Authentication

Skipping trust establishment before authenticating users — a seemingly small loophole — can allow many Internet wolves in sheep’s clothing to use compromised devices to hide their true identity and impersonate someone else. While the Internet’s essence does allow people to use false identities, the devices they use for authentication can tell service providers the truth. Fortunately, mobile devices have many telltale signs that can be used to identify a mismatch between the faker and the real owner of the credentials that come knocking.

By transparently scanning devices (mobile or desktop) for various risk factors and suspicious signs even before challenging users for their credentials, online services can proactively establish trust with the authenticating device to avoid performing authentication without trust.

To establish this trust, service providers can use a range of integrative solutions to scan devices. This silent scan allows both mobile apps and Web applications to gain important insight about the authenticating device’s risk state and define whether they trust it before proceeding to the actual authentication. For example, the app on a mobile device can “know” whether the device is infected with malware or is using an unsecured Wi-Fi network. Then, it can “decide” in real time whether authentication or other sensitive operations should be allowed.

Going back to the movie scene, had the border control officer scanned the man more closely for the telling signs of heightened risk, or had he checked for concealed weapons to establish basic trust before performing passport authentication, the scene would have ended very differently. If you want to keep criminals and impostors out, always remember you should have no authentication without trust.

more from Application Security

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory.…