Why Two-Factor Authentication (2FA) on Mobile is Not Secure Enough

By Yael Macias, Product Marketing Manager, Endpoint and Mobile Security

For several years now, after a long series of massive data breaches in which passwords were compromised, single-factor authentication, that is, authentication by means of a password theoretically known only to the user, has become a thing of the past, giving way to two-factor or multi-factor authentication.

Multi-Factor Authentication (MFA) is a security mechanism that verifies a user's identity by requiring several independent credentials. Rather than asking only for a username and password, MFA demands additional proof, such as a code generated on or delivered to the user's smartphone, the answer to a security question, or some form of biometric authentication.1 Two-factor authentication (2FA) is probably the most common form of MFA today. It requires two different kinds of evidence from the user: something the user knows (a password or PIN) and something the user has, typically the phone that receives a one-time password (OTP) via SMS.

We all use 2FA almost daily for all sorts of web-service authentication and registration, whether to access a bank account online, to verify a newly created account, or to confirm a money transfer. In many cases we don't even notice how quickly we have adopted this mechanism, and we type in whatever code is requested of us without considering that the same code may be readable by malicious actors on the device as well.

While 2FA has proved far more secure than usernames and passwords alone, which are routinely compromised through phishing, password reuse across breached services, and brute-force attacks, 2FA as it is commonly deployed, with the OTP sent by SMS to the same phone the user is logging in from, is still far from secure.

We have recently heard about a new variant of TrickBot, a banking trojan that steals sensitive information and also acts as a dropper for other malware. TrickBot campaigns send unsolicited emails that direct users to download malware from malicious websites or trick them into opening a malicious attachment. This past March, IBM researchers reported that the operators of TrickBot had developed a malicious Android app called TrickMo, which intercepts the OTP codes that banks send to customers for authentication without the user's knowledge.
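To make concrete why an OTP that can be read on the device is not a second factor the attacker lacks, here is an added simulation of the login flow described above. It is not code from this post, from Check Point, or from IBM's TrickMo analysis; the bank server, the SMS channel, the user "alice", her password and phone number, and the on-device reader that stands in for the malware are all constructed stand-ins. The server does everything a reasonable OTP implementation should (random 6-digit code, single use, time limit, constant-time comparison) and the attacker still wins, because whoever can read the SMS can submit the code first.

```python
"""Simulated SMS-OTP login and its interception on the phone.

Added example, not code from the original post, Check Point or IBM.
BankServer, SmsChannel, run_scenario and the user data are constructed
stand-ins. The property shown: an SMS OTP is a bearer secret, so any
component on the device that can read the message (the post describes
malware doing this by abusing accessibility permissions) can use it
before the legitimate user does.
"""
import hmac
import re
import secrets
import time

OTP_TTL_SECONDS = 120


class SmsChannel:
    """Delivery path for SMS. Every subscribed reader on the device (the SMS
    app, a notification listener, an app abusing accessibility services)
    receives the same plaintext; nothing binds the code to one reader."""

    def __init__(self):
        self.readers = []

    def subscribe(self, reader):
        self.readers.append(reader)

    def send(self, phone, text):
        for reader in self.readers:
            reader(phone, text)


class BankServer:
    """Minimal server side of a password + SMS-OTP login (constructed)."""

    def __init__(self, sms, users, clock=time.monotonic):
        self.sms = sms
        self.users = users      # username -> (password, phone); plaintext only for the demo
        self.pending = {}       # username -> (otp, expiry)
        self.clock = clock      # injectable so expiry can be exercised deterministically

    def start_login(self, username, password):
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (otp, self.clock() + OTP_TTL_SECONDS)
        self.sms.send(stored[1], f"Your login code is {otp}")
        return True

    def finish_login(self, username, otp_submitted):
        entry = self.pending.pop(username, None)   # single use: first submission consumes it
        if entry is None:
            return False
        otp, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(otp, otp_submitted)


def extract_code(text):
    """Pull the 6-digit code out of an OTP SMS; None if there is none."""
    m = re.search(r"\b(\d{6})\b", text)
    return m.group(1) if m else None


def run_scenario(malware_present, clock=time.monotonic):
    """Run one login. Returns {'user': bool} or {'attacker': bool, 'user': bool}."""
    sms = SmsChannel()
    bank = BankServer(sms, {"alice": ("correct-horse", "+15550100")}, clock)

    inbox = []                                  # the user's own SMS app
    sms.subscribe(lambda phone, text: inbox.append(text))
    stolen = []                                 # malicious on-device reader, if installed
    if malware_present:
        sms.subscribe(lambda phone, text: stolen.append(extract_code(text)))

    if not bank.start_login("alice", "correct-horse"):
        raise RuntimeError("password step unexpectedly failed")
    results = {}
    if malware_present:
        # An automated relay submits the code before the user has even read it.
        results["attacker"] = bank.finish_login("alice", stolen[0])
    results["user"] = bank.finish_login("alice", extract_code(inbox[-1]))
    return results


if __name__ == "__main__":
    print("no malware  :", run_scenario(False))   # {'user': True}
    print("with malware:", run_scenario(True))    # {'attacker': True, 'user': False}
```

The same outcome follows for a phishing page that relays the code in real time: the server cannot distinguish the first party to present a valid code from the person the SMS was addressed to, which is why the fix has to be on the device (or in a factor that is bound to the device rather than merely displayed on it).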

How Check Point Prevents Credential Theft that Bypasses 2FA

A multi-layered approach to mobile security is needed to prevent attacks that abuse accessibility permissions and exfiltrate data from the device, with disastrous consequences for both the end user and the service provider.

  • Safe Browsing and Anti-Phishing (or Zero-Phishing) capabilities: when the user receives a link on their mobile device, for example one that triggers the download of a malicious app, Check Point SandBlast Mobile inspects the link against a range of indicators to determine whether it leads to a legitimate site or not.
  • Malicious app analysis: once there is an attempt to download an app, whether or not the user is aware of it, SandBlast Mobile runs the app through its behavioral risk engine to determine whether it contains malicious functionality, even if the malware tries to stay dormant or hide its behavior.
  • Anti-Bot: should a malicious component already be installed on the device and attempt to exfiltrate data such as the OTP, the Anti-Bot feature blocks the communication between the device and the attacker's infrastructure.

Try SandBlast Mobile today, and start securing your mobile workforce with Check Point.


Sources:

1 Wikipedia, "Multi-factor authentication": https://en.wikipedia.org/wiki/Multi-factor_authentication