Chris Russell, CTO, Swivel Secure: Combating the Latest Trojan App

May 2014 by Chris Russell, CTO, Swivel Secure

Be honest, how many times a day do you log into Facebook? One, ten, 20? There’s no
doubting that the site is a dominant presence in many of our lives. In March 2014,
802 million[1] of us checked in daily, a phenomenon that unfortunately has not gone
unnoticed by the web’s predators.

Last week a sophisticated Android Trojan application that specifically targeted
Facebook users made the headlines. Facebook users logging into their account via an
infected PC were invited to enter their mobile phone number as ‘an additional
security measure’ in order that Facebook may ‘authorise them’. Upon doing so, the
user was sent a link via SMS encouraging them to download what was, unbeknownst to
them, a piece of malware.

Once installed, one of the main goals of the malware is to intercept one-time-codes
(OTCs) that are frequently used by banks and other financial institutions to
authenticate users when accessing online or mobile banking. And once a hacker has an
authenticating OTC, they can usually take full control.

What’s interesting about this particular Trojan is the number of potential points of
failure it is prepared to accommodate. The hackers infect a desktop PC, then hope
that the user will access Facebook, submit their phone number, download the
application, then use a mobile banking app that utilises an OTC function via SMS.
For many (most?), receiving an unsolicited download link is enough to set alarm
bells ringing, but this certainly isn’t the case for all.

This may seem like an awful lot of trouble for the crooks, but pair this thought
with Facebook’s colossal audience and it starts to make more sense. It also
demonstrates just how sophisticated the hackers’ methods are becoming and really
should make the banks take a moment to consider just how secure these OTCs really
are.

But it’s not just the banks. Sending OTCs as an additional level of authentication
is a popular method used by many companies. What’s clearly now needed is a means of
utilising an OTC in a way that would render it useless if it is intercepted by a
third party. Fortunately help is at hand.

Some of the more flexible authentication platforms available offer a third layer of
security which can guard against this eventuality; Swivel’s PINsafe is one such
example. Users combine a 10-digit security string with a four-digit PIN in order to
generate a unique OTC. This ensures the end result is never communicated or
transmitted at the point of login, thus combating the risk of common threats such as
phishing, key logging, man-in-the-middle or shoulder surfing attacks.
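
The sketch below is an added example, not Swivel's code: it shows one way a 10-digit
security string and a four-digit PIN can be combined so that the string alone does
not give away the OTC. The article does not say how the two are combined; the
positional rule (each PIN digit selects a position in the string, 0 meaning the
10th), the function names and the sample values are all assumptions.

```python
import hmac
import secrets

DIGITS = "0123456789"

def new_security_string():
    """Server side: a fresh random ordering of 0-9 for each challenge (assumed)."""
    digits = list(DIGITS)
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)

def derive_otc(security_string, pin):
    """User side: read off the characters at the positions named by the PIN.

    Assumed rule: PIN digit d selects the d-th character, and 0 selects the 10th.
    """
    if len(security_string) != 10 or not set(security_string) <= set(DIGITS):
        raise ValueError("security string must be 10 ASCII digits")
    if len(pin) != 4 or not set(pin) <= set(DIGITS):
        raise ValueError("PIN must be 4 ASCII digits")
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)

def verify_otc(security_string, stored_pin, submitted):
    """Server side: recompute from the stored PIN and compare in constant time."""
    if len(submitted) != 4 or not set(submitted) <= set(DIGITS):
        return False
    expected = derive_otc(security_string, stored_pin)
    return hmac.compare_digest(expected, submitted)

def otcs_consistent_with(security_string):
    """Every OTC still possible for someone who holds only the security string."""
    return {derive_otc(security_string, f"{p:04d}") for p in range(10_000)}

if __name__ == "__main__":
    challenge = "5721694380"   # constructed sample, as it might arrive by SMS
    pin = "2468"               # constructed sample, known to user and server only
    otc = derive_otc(challenge, pin)
    print("OTC typed at login:", otc)
    print("server accepts it:", verify_otc(challenge, pin, otc))
    print("OTCs an interceptor of the SMS must still consider:",
          len(otcs_consistent_with(challenge)))
```

With a string that contains each digit once, every one of the 10,000 PINs maps to a
different OTC, so malware that reads only the SMS is left guessing among all of them.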

What can we learn from this latest Trojan? Firstly, it’s clear that the hackers have
realised that the size of the target audience can correlate with the number of
acceptable ‘points of failure’ in the deception. The higher the exposure, the better
the chances that someone will see the whole process through to the end.

But more importantly, this Trojan highlights that the web’s predators are
increasingly attuned to how consumer behaviour carries through the traditional desktop
web experience and into the mobile world. As these two worlds continue to converge,
more care is needed than ever before to ensure our personal data remains secure.

Finally, it shows that strong authentication is not a yes / no decision but one that
needs to take account of the changing risks in the IT environment.


[1] http://www.thestreet.com/story/12679702/1/facebook-earnings-live-blog.html

