Android malware variants are fairly common and tend to affect a large number of users at once. It was recently discovered that CepKutusu.com, an alternative Android app store in Turkey, had been serving a banking trojan to every user who downloaded an app. In addition, in June 2017 the CopyCat malware infected over 14 million devices, mainly in South East Asia, with the threat actors behind it pocketing approximately $1.5 million in two months. To complement these reports, a recent study shows that the heaviest mobile user group (age 18-24) still lacks good security practices, creating a large target set for threat actors to exploit.
The Research and Innovation (R&I) team at Nettitude recently created an online survey to capture users’ smart phone habits. A series of questions shed light on the usage of online banking platforms, biometrics and attitudes towards security. Our survey results suggest that 74% of users are at risk of a mobile-based malware attack.
Basic Understanding of biometrics
The term “biometrics” refers to a measurable physical or behavioural trait of a human that can be used to identify a person. Both kinds of trait have advantages and disadvantages. Behavioural traits include gait, signature and voice; physical (physiological) traits include DNA, ear shape, face, fingerprint, hand geometry, iris and retina, and these are the ones most commonly used to confirm identity in criminal investigations. Which trait to deploy depends entirely on the requirements of the system the biometric supports.
Several banks and financial institutions already incorporate biometrics into their security practices and authentication processes. Cecabank, a wholesale bank that specialises in treasury, securities services and bank services, supports e-signatures, an initiative it started in 2014 with the help of the Autonomous University of Madrid (UAM). The university created an e-signature customer identification and verification solution for Cecabank and hopes to sell that software to CECA members, who themselves account for 41% of the Spanish financial sector, as well as to other independent banks. The technology has been rolled out to 55,000+ pads at 15,000+ branches across Cecabank and CECA members. It supports 600 million signed operations annually and has been used by 15 million customers. Signature recognition was chosen because it is perceived as less invasive than other biometric samples.
According to IBM, its latest product, Trusteer Pinpoint Detect, helps protect online banking sites against account takeover and fraudulent transactions and can detect end user devices infected with high-risk malware. One of the key features in the new release is behavioural biometrics: mouse movements are monitored in real time and compared against the patterns learned for that user and against known fraud patterns. It aims to add an additional layer of security without any extra steps for the customer.
Barclays announced in August 2016 that it had introduced voice security technology for its telephone banking service in a bid to move away from passwords. Customers who register for the service have samples of their voice recorded and used as a template for future identification. Around 100 characteristics that make up a person’s voice are used to verify the individual and create a greater barrier against fraud.
Each person has unique biometric qualities. Even identical twins do not share fingerprints, and most voice systems can tell them apart, although twins are the hardest case for voice recognition. Retina scans are quoted with an error rate of around 1 in 10,000,000, so both the false acceptance rate (FAR) and the false rejection rate (FRR) are very low; for any biometric the two are traded against each other by the decision threshold the system is tuned to. Another benefit of a biometric is that the end user always carries it (something you are). There is no dongle (something you have) or password (something you know) to lose or forget.
Several major financial institutions have already introduced biometrics into mobile banking solutions. HSBC supports Touch ID for its HSBC Mobile Banking app as long as customers possess an iPhone 5s and are running iOS 8 or above. First Direct stipulate the same criteria as HSBC and support Touch ID for their customers. Tangerine Bank in Canada allows customers to access their online accounts using either their fingerprints, eyes or voice. They have aimed their banking application at a broader user base by supporting iPhone, iPad, iPod touch, Android phone and tablet, Windows phone and tablet and BlackBerry 10 phones.
Mobile devices have two main constraints, computational power and battery life, and both bear on the cryptography they use. RSA remains the most widely deployed public-key algorithm for setting up a secure connection. An RSA key pair is built from the product of two large primes (the modulus) together with a public exponent; its security rests on the presumed difficulty of recovering those primes from the modulus (integer factorisation) and on the closely related RSA problem, computing an e-th root modulo that product, which is no harder than factoring. Because public-key operations are expensive, they are only used during the TLS handshake to authenticate the server and establish a shared secret; the session data is then protected with a symmetric cipher such as 128-bit AES. Elliptic Curve Cryptography (ECC) is the natural alternative on mobile: for the same security level its keys are far smaller, so less data crosses the network during the TLS handshake and the arithmetic is cheaper. Under the NIST equivalence tables a 256-bit ECC key gives roughly the same strength as a 3072-bit RSA key, and a 521-bit ECC key the same as a 15,360-bit RSA key (the 128-bit and 256-bit symmetric security levels respectively).
One of the overriding issues surrounding biometrics is trust. Hardly a week goes by without a report of a data breach and the subsequent loss of customers’ Personally Identifiable Information (PII). Whereas passwords can be reset and new email accounts created, biometrics are permanent and, once compromised, impossible to change.
Every biometric authentication device and application performs four functions: capture of the raw sample (an image or recording), feature extraction, template creation and storage, and finally comparison. The stored template is not a copy of the fingerprint image; it is built from key reference points in the sample (for a fingerprint, minutiae such as ridge endings and bifurcations) and holds the distinguishing characteristics of the biometric as a master record against which every later sample is compared. Templates should be stored encrypted and, on phones, inside dedicated secure hardware (Apple’s Secure Enclave for Touch ID, for example), never in ordinary app storage. One caveat worth understanding: a template cannot be protected by salting and hashing it the way a password is, because two captures of the same finger never produce identical data, so comparison is a fuzzy match scored against a threshold rather than an equality check.
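The following toy matcher is an added illustration of the four stages just described and of the FAR/FRR trade-off mentioned earlier; it is not code from Nettitude or from any biometric vendor, and it is not a real fingerprint algorithm. Minutiae are modelled as (x, y, angle) tuples on a 200 x 200 image, “captures” are generated randomly, and a genuine re-presentation is simulated with positional jitter and a couple of missed minutiae; the grid size, tolerances and threshold values are all assumptions chosen for the example. It also shows why a password-style hash of the template is useless for matching: the re-captured sample hashes differently every time yet is accepted by the fuzzy comparison.

```python
"""Toy minutiae matcher: capture -> features -> template -> comparison."""
import hashlib
import math
import random

GRID = 4         # quantisation step used during feature extraction (assumed)
DIST_TOL = 8.0   # positional tolerance in pixels when comparing minutiae
ANGLE_TOL = 15   # angular tolerance in degrees


def extract_features(capture, grid=GRID):
    """Feature extraction: snap each minutia to a coarse grid so that small
    sensor noise usually lands in the same cell. Returns a sorted tuple."""
    return tuple(sorted({(x // grid * grid, y // grid * grid, angle % 360)
                         for x, y, angle in capture}))


def make_template(capture):
    """Template creation: the feature set is what is stored, not the image."""
    return extract_features(capture)


def template_digest(template):
    """A hash of the template: fine for integrity, useless for matching."""
    return hashlib.sha256(repr(template).encode()).hexdigest()


def angle_diff(a, b):
    return abs((a - b + 180) % 360 - 180)


def match_score(template, probe_capture):
    """Comparison: fraction of template minutiae that have a partner in the
    probe within DIST_TOL pixels and ANGLE_TOL degrees."""
    if not template:
        return 0.0
    probe = extract_features(probe_capture)
    hits = 0
    for tx, ty, ta in template:
        if any(math.hypot(tx - px, ty - py) <= DIST_TOL
               and angle_diff(ta, pa) <= ANGLE_TOL
               for px, py, pa in probe):
            hits += 1
    return hits / len(template)


def verify(template, probe_capture, threshold):
    """Accept when the fuzzy score clears the decision threshold."""
    return match_score(template, probe_capture) >= threshold


def random_capture(rng, count=30, size=200):
    """Constructed capture: random minutiae in a size x size image."""
    return [(rng.uniform(0, size), rng.uniform(0, size), rng.randrange(360))
            for _ in range(count)]


def recapture(rng, capture, jitter=3.0, dropped=2):
    """The same finger presented again: positional and angular noise plus a
    few minutiae the sensor fails to pick up."""
    noisy = [(x + rng.gauss(0, jitter), y + rng.gauss(0, jitter),
              (a + rng.randrange(-5, 6)) % 360) for x, y, a in capture]
    rng.shuffle(noisy)
    return noisy[:len(noisy) - dropped]


def hashes_differ_but_match(seed=1, threshold=0.5):
    """Returns (template hashes equal?, fuzzy match accepted?)."""
    rng = random.Random(seed)
    enrolled = random_capture(rng)
    template = make_template(enrolled)
    probe = recapture(rng, enrolled)
    same_hash = template_digest(template) == template_digest(make_template(probe))
    return same_hash, verify(template, probe, threshold)


def error_rates(threshold, trials=200, seed=1):
    """Estimate (FAR, FRR) at a threshold from simulated genuine and
    impostor presentations against one enrolled template."""
    rng = random.Random(seed)
    enrolled = random_capture(rng)
    template = make_template(enrolled)
    false_rejects = sum(not verify(template, recapture(rng, enrolled), threshold)
                        for _ in range(trials))
    false_accepts = sum(verify(template, random_capture(rng), threshold)
                        for _ in range(trials))
    return false_accepts / trials, false_rejects / trials


if __name__ == "__main__":
    print("same hash, accepted:", hashes_differ_but_match())
    for t in (0.03, 0.5, 0.95):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.3f}  FRR {frr:.3f}")
```

Sweeping the threshold shows the trade-off directly: a very loose threshold lets random impostor samples through (FAR rises), a very strict one rejects the legitimate finger because two captures never agree exactly (FRR rises), and the operating point in between is where the quoted “1 in N” figures for a product come from.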
The beauty of biometrics is that they are a universal language. At some time or other most people have experienced the difficulty of paying for items in a foreign country: certain credit cards or currencies are not accepted, leaving them despondent and ruing the decision not to buy travellers’ cheques or more of the local currency. Biometrics overcome that issue. Regardless of where you are in the world, they are, technology permitting, accepted.
The Biometrics Institute is one of a few organisations attempting to create a Biometric Privacy Trust Mark that would be issued for a biometric product or service. The aim is a mechanism by which businesses and organisations can assure customers that they meet an accepted standard of good privacy practice, and that a holder of the Trust Mark can reasonably protect the biometric information it collects and/or uses. Other than PCI DSS, which lists biometrics (“something you are”) as one of the factors acceptable for multi-factor authentication, there is no international compliance standard for biometrics within the financial services sector.
The overall response was extremely positive, with 300 people taking part in the survey. 62% of respondents were male and 38% were female. A huge thank you to all those who took part. There were seven questions focused on smart phone use, security awareness and acceptance of biometrics as a security feature.
Figure 1: The vast majority have used their smart phone for online banking
The statistics reflect a shift in societal banking practices. In this connected age, people are less prepared to visit a branch of a bank, instead choosing to conduct financial transactions from the comfort of their homes or whilst they are on the move. 77% of respondents have indicated that they are comfortable enough to use their smart phones to access their online accounts, as depicted in Figure 1.
Figure 2: The majority of respondents do not have AV installed on their smart phones
Interestingly, 74% of respondents either do not have some form of Anti-Virus (AV) installed on their smart phones or are not aware of what security software their devices run. As seen in Figure 2, of those that answered ‘no’ or ‘don’t know’, 37% were female. AV products exist for both iPhone and Android, although on iOS the app sandbox prevents them from inspecting other apps, so they mostly provide web filtering and anti-theft features, and opinion is divided on how much extra protection they offer on Android. Having AV on a smart phone is not a bad idea, but it is only one aspect of good user practice. Installing software only from reputable sources is strongly recommended, with Google Play being the default for Android. That said, Google Play is still a relatively open environment, and despite Google introducing Bouncer (an automated analysis tool that screens every application submitted to the store) malicious applications still get through. Users should inform themselves about the latest security features, and a good place to start is AV-TEST, which publishes bi-monthly evaluations of Android security products. In addition to AV, users should enable lock screen security and a remote wipe option to complement the device’s built-in protections.
Figure 3: Some respondents chose not to install security updates
Messages prompting people to install a software update can be infuriating. They generally appear just as you are in the middle of a task and, more often than not, get dismissed or “remind me later” is chosen. Annoying as they are, they exist to protect the device. Delaying a security update makes it easier for malicious actors to compromise it: when a patch is released, attackers study what it fixes and then target the devices that have not yet applied it. Figure 3 shows that 23% of respondents take a month or longer to install a security update, with some choosing not to install updates at all; this group is at the greatest risk of having their devices compromised. When Apple issued iOS 9.3.5 in August 2016, it was because the Pegasus spyware had been found exploiting three previously undisclosed vulnerabilities in the operating system to take full control of the phone. Users should allow their smart phones to install security updates automatically. This not only protects the device against the latest known vulnerabilities, it also removes that well-intentioned, mildly annoying pop-up asking whether to install the latest OS update manually.
Even a fully updated device is not immune to malware. The Gugi Trojan is one of the latest pieces of malware to target Android 6, tricking the user into granting it permission to draw over other apps; it then steals mobile banking credentials by overlaying phishing screens on genuine banking apps and harvests card details by overlaying the Google Play Store app. To date 93% of affected users are in Russia, but with a ten-fold increase in infections between April and August 2016 it may not be long before the Trojan spreads further afield.
Figure 4: Most respondents would like to incorporate biometrics into existing security practices
The results of the survey indicate that there is an appetite to incorporate biometrics into existing authentication methods. 61% would either completely trust biometrics or use biometrics alongside traditional measures such as passwords or passphrases, as seen in Figure 4. Nearly a quarter of respondents do not consider biometrics a suitable authentication method, which could mean either that they understand the technology and choose not to use it, or that they do not understand how biometrics would best be incorporated. Biometrics Research Group estimates that the global biometrics market will grow to £26 billion by 2020, up from £11 billion in 2015.
Figure 5: Fingerprint was the overwhelming favourite for respondents
As Figure 5 shows, there is a stark contrast in the perceived suitability of the different biometric methods. Fingerprint recognition is the most popular, which is hardly surprising given the popularity of Touch ID on Apple devices. Fingerprint identification systems and associated biometric technologies account for the lion’s share of global revenue, calculated at £19 billion in 2015. Voice recognition is the biometric of choice for banking call centres, where around 100 behavioural and physical voice traits are analysed in a few seconds to establish the caller’s identity. Only a handful of respondents were not enamoured at the thought of using biometrics.
Each method comes with its own costs and supporting technology, and the security each provides depends on the sensor and the matcher behind it. A smart phone camera can capture face images and, with suitable optics, the iris; retina scanning needs dedicated equipment. The fingerprint is read from the home button on the iPhone 5s and later, the voice sample is captured via the microphone, and a signature can be captured with a stylus. What must be kept in mind is that none of these samples is secure on its own. Once a sample can be reproduced, as Tsutomu Matsumoto demonstrated in 2002 when he fooled fingerprint readers with fake fingers moulded from gelatine (the material of gummi bears), there is little to stop a threat actor committing fraud or other malicious acts. Combining factors, such as a password with a biometric, improves matters because compromising one does not by itself grant access.
Table 1: The majority of male and female respondents would use biometrics to access online banking (answer options: “Yes, as a replacement for passwords”; “Yes, in addition to passwords”; “No”; “Don’t know”; the per-gender percentages are not reproduced here)
There are clear similarities between male and female respondents when it comes to biometrics and their perceived suitability as an authentication method. The overwhelming majority agree that biometrics would be a suitable security solution and would consider incorporating them into existing security practices. As seen in Table 1, females were slightly more cautious of biometrics with higher percentages recorded in answering “No” and “Don’t know”. These statistics would likely change the more exposure people get to biometrics, especially in day-to-day life.
Figure 6: There are clear differences in attitudes to biometrics between age groups
One interesting observation is that 25 to 34 year olds are the most open to accepting biometrics as an authentication method, as Figure 6 shows. This can be explained by greater exposure to technology and biometrics from a younger age, whereas respondents aged 45-54 and 55-64 are possibly warier of placing too much trust in biometrics and technology. The generational gap is not wholly surprising and is indicative of how technology is accepted. Most of us have attempted to get an elderly family member to understand the latest trends and, more often than not, are faced with a lack of interest, or it simply takes too long to explain what the technology does!
Respondents to the survey are acutely aware that there are aspects of mobile security that could be improved. Whether the answer lies with biometrics is yet to be seen, however there is at least an appetite to incorporate them into existing authentication measures. More information needs to be made available to the general population if they are to make an informed decision around biometrics. Software updates are crucial in defending against the latest vulnerabilities and users should be proactive in installing them as and when they become available. Not having connectivity with friends and family for 10-15 minutes whilst the update takes place is a small price to pay.