Developers and enterprises that install conventional two-factor authentication methods do so with the best of intentions. Unfortunately, in today’s world of hackers who intrude for money, bragging rights or just nefarious “fun”, these methods just aren’t sufficient anymore. Recent research has uncovered a multi-vector method for bypassing the security that Android apps use to access banking systems. Reports say several dozen banks across Europe were the targets of this sophisticated spear-phishing and malware campaign.
It’s gotten so bad, in fact, that researchers at Trend Micro called their investigation “Finding Holes: Operation Emmental” because of the Swiss cheese (full of holes) aspect of the Android app security process. The report outlined how cybercriminals use a complex, but effective, method of attacking online banking by exploiting current two-factor authentication methods that are used by many banking and financial institutions, targeting consumers with a phishing scheme.
These types of attacks are likely to continue for one simple reason: they’ve been successful. What’s worse is that any security process that incorporates sending the one-time password (OTP) to a mobile number will forever be exposed to this kind of attack.
Until organizations turn their authentication process right-side-up by requiring the user to send the OTP – including a PIN – from their mobile instead of having it sent to the mobile, these episodes will become increasingly common.
TextPower Prevents How Hackers Defeat Conventional Authentication
TextPower has developed a patent-pending method to secure website and VPN logins that is three times more powerful than any other solution in the market by using the world’s most commonly used phone app, SMS, in a completely different way. TextKey™ is the world’s first Omni-Factor Authentication™ (OFA) system and provides an unprecedented seven factors of authentication activated by the user simply sending a standard text message from their cell phone.
All current SMS authentication services use the mobile-terminated (MT) method, which means the authentication code, link or other identifier is sent to the phone and then the user is asked to enter the code onto a web page for authentication, which is inherently insecure. TextKey turns that process right-side-up and by doing so makes it highly secure and easier to implement.
TextPower’s mobile-originated (MO) methodology reverses the process by having authentication messages sent from the cell phone instead of to it. The TextKey system verifies that the authentication message was sent from a legitimate (i.e., not spoofed or hacked) phone, originated from the correct mobile number, contains the correct OTP and PIN and was sent to the correct SMS short code or phone number. A total of up to seven different factors can all be verified to authenticate the user by them simply sending a text message.
The software can be licensed for large institutions or the entire system can be used on a cloud-based SaaS platform which doesn’t require the website to have any additional servers, appliances, software or remote hosting. It is the most secure authentication method available, is simple to install and easy for users to learn.
Wireless industry veteran Scott Goldman is co-founder and CEO of TextPower. A dynamic, entrepreneurial executive, he has worked closely with companies globally in the development, planning and launch of innovative wireless technologies and services.