Over the last few years, there has been a steady focus on vulnerabilities in mobile phone networks.
As far back as 2014, systemic vulnerabilities in the SS7 signalling protocol that carries SMS were a well-known problem presented by security researchers, but now there appear to be real attacks on bank accounts that exploit these vulnerabilities against One-Time-PINs (OTPs) sent over SMS for transaction verification.
“This latest SS7 attack once again sheds light on the insecurity by design and lack of privacy in the global telephone network protocol, making it clear that real-world SS7 attacks are possible. And since the SS7 network is used worldwide, the issue puts billions of users in danger.
The incident also underscores the risks of relying on SMS-based two-factor authentication.
Although the network operators are unable to patch the hole anytime soon, smartphone users can make some changes to help. Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.”
Protectoria Secure Mobile Platform (PSMP) provides mobile banking and payment applications with a Dynamic and Personalized Trusted Execution Environment (dpTEE), considered unbreakable due to its extreme entropy. The dpTEE limits the attack surface through unpredictable morphing, which makes it practically impossible for attackers to target potentially vulnerable parts of your banking or e-Commerce app. This is not a self-declaration by Protectoria but has been verified independently by a third-party security evaluation body, SRC GmbH. Independent security evaluation is a requirement of PSD2. No other mobile security software technology has passed this level of security compliance.
Parts of the value proposition for the PSMP are:
1. Avoid using two-factor authentication via SMS texts for receiving OTP codes.
- Cyber-criminals have now started exploiting the phone network vulnerabilities in real-life attacks against users’ online banking applications.
- This enables criminals to get away with fraudulent transfers at little risk of being caught, since they immediately move the stolen money through mule accounts, or set up fake companies in countries with weak regulation and compliance, allowing them to open ‘legitimate’ bank accounts.
- Customer protection with OTP over SMS is poor, and with PSD2 the liability shift will push all risks of weak security onto banks and payment service providers, exposing them to systemic risks that cannot be insured.
2. Instead, rely on PSMP cryptographically-based security keys as a second authentication factor:
- Cryptographic keys are not enough by themselves; they are only a starting point. Payment security must be built on the actual security of the most sensitive parts of the application, dynamically linking the transaction details to the right user’s device and authentication means, so that a code approved for one transaction cannot be reused for another.
- Cryptographic keys have to be managed within a Trusted Execution Environment; otherwise it is only a matter of time before they become equally vulnerable to criminal activity.
3. Build your security strategy for payments on PSD2 security compliance.
- PSD2 requires banks and payment service providers to build their transaction security solutions on independently security-evaluated technologies. Consequently, self-declared security is no longer allowed under PSD2.
- PSMP is currently the only technology that has passed such a security evaluation. All other mobile software security solutions suffer from fundamentally unsolvable design flaws of smartphone operating systems, as documented by FAU security researchers in Germany, who published these papers:
The most interesting observation by the researchers is not that these two prominent solutions in the market fail, but that any other solution with a similar design, a static, non-morphing software-based security app, generally fails too and cannot be fixed with better programming.
PSMP is designed as a dynamic software security app and therefore circumvents the generic design flaws shared by every static software-based security app.
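The contrast drawn in points 1 and 2 above, between an SMS OTP that carries no transaction data and a device-held key that signs the transaction details, can be shown in a few lines. The following is an added example written for this page, not Protectoria's code or any PSMP interface. It stands in an HMAC key for the asymmetric key a real deployment would keep inside the device's TEE or secure element (so that it runs on the Python standard library alone), and every key, OTP, account number and amount in it is constructed for illustration.

```python
"""Transaction-bound device signature vs. transaction-agnostic SMS OTP.

Added example (not Protectoria's code). All keys, OTPs, account numbers
and transaction values below are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Constructed device-bound secret, provisioned once at enrollment. In a real
# deployment this is an asymmetric key that never leaves the device's TEE /
# secure element; an HMAC key is used here only so the example is stdlib-only.
DEVICE_KEY = bytes.fromhex(
    "7f3a9c2e1b4d6f8a0c5e7b9d2f4a6c8e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f2a"
)


def canonical(tx: dict) -> bytes:
    """Serialise transaction details deterministically (sorted keys, no
    whitespace) so the device and the server hash exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def issue_challenge() -> str:
    """Server-side nonce bound into every signature so a code cannot be replayed."""
    return secrets.token_hex(16)


def device_sign(device_key: bytes, tx: dict, challenge: str) -> str:
    """What the device computes over the transaction the user actually approved."""
    msg = canonical(tx) + b"|" + challenge.encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def server_verify_device(device_key: bytes, tx: dict, challenge: str, code: str) -> bool:
    """Server recomputes the code over the transaction it is about to execute.
    Any change to amount, payee or challenge produces a different code."""
    expected = device_sign(device_key, tx, challenge)
    return hmac.compare_digest(expected, code)


def server_verify_sms_otp(expected_otp: str, presented_otp: str, tx: dict) -> bool:
    """SMS OTP check. 'tx' is accepted but unused: the OTP carries no transaction
    data, so the server cannot tell which transfer the user meant to approve."""
    del tx
    return hmac.compare_digest(expected_otp, presented_otp)


def demo() -> dict:
    """Run both schemes against a legitimate and a tampered transfer."""
    legit = {"amount": "100.00", "currency": "EUR",
             "payee": "DE89370400440532013000"}          # constructed
    # Attacker substitutes a mule account and a larger amount (constructed).
    tampered = dict(legit, payee="GB33BUKB20201555555555", amount="9500.00")

    # Scenario A: SMS OTP. The attacker has redirected the victim's SMS
    # (e.g. via SS7) and submits the tampered transfer with the stolen code.
    otp = "482913"                                        # constructed
    sms_accepts_tampered = server_verify_sms_otp(otp, otp, tampered)

    # Scenario B: device-bound signature over the transaction details.
    challenge = issue_challenge()
    code = device_sign(DEVICE_KEY, legit, challenge)     # user approved 'legit'
    device_accepts_legit = server_verify_device(DEVICE_KEY, legit, challenge, code)
    device_accepts_tampered = server_verify_device(DEVICE_KEY, tampered, challenge, code)
    # Replaying a previously valid code against a fresh challenge also fails.
    device_accepts_replay = server_verify_device(DEVICE_KEY, legit, issue_challenge(), code)

    return {
        "sms_accepts_tampered": sms_accepts_tampered,
        "device_accepts_legit": device_accepts_legit,
        "device_accepts_tampered": device_accepts_tampered,
        "device_accepts_replay": device_accepts_replay,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point is not the HMAC itself but what is inside the signed message: because the device signs the canonical amount and payee together with a server nonce, a code obtained for one transfer is useless for any other, and a code captured on the wire is useless after the challenge expires. The SMS OTP path has neither property, which is why intercepting it over SS7 is sufficient to authorise an arbitrary transfer.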