Digitization has increased the demand for strong digital identities. A recent McKinsey study reports that the Covid-19 crisis has significantly accelerated the pace of digitization around the world. Most respondents said that at least 80% of user or customer interactions are now digital in nature, compared to just 58% before the pandemic.
For banking, financial services, or e-government apps, this means implementing a form of two-factor authentication (2FA). Usually this is a one-time password (OTP) delivered by SMS, or a code generated by a hardware token or a mobile authenticator app.
Unfortunately, this has also led to an increase in cyber attacks on organizations of all kinds, mostly in the form of ransomware attacks and hijacking of online and financial accounts. This has fueled the growth of the multi-factor authentication market, valued at $10.64 billion in 2020 and expected to reach $28.34 billion by 2026.
Unfortunately, SMS OTP has proven to be insecure and vulnerable to eavesdropping and phishing attacks. Hardware tokens are expensive to deploy, not user-friendly, and require regular replacement. Mobile authenticators are considered the most secure and convenient option.
Most concerning of all, if the authenticator itself cannot be trusted, digital services are exposed to manipulation by malware and to reverse engineering by malicious actors, leading to account takeover, data breaches, fraud, or worse.
Mobile authenticators earn their “most secure” reputation because the cryptographic keys used to generate the OTP code are often protected by dedicated hardware built into the phone, known as a Trusted Execution Environment (TEE). However, “most secure” does not mean “perfect,” and new research into previously overlooked design flaws bears this out.
Singapore-based V-Key, the software-based digital security company that developed the world’s first virtual secure element, recently published a paper showing that most mobile authenticator apps can in fact be targeted by malware.
This holds regardless of any hardware-based protection the phone offers. Most authenticator apps rely on cryptographic keys to generate user identification codes; the apps can be likened to treasure chests that only those keys can open.
If these keys are stolen, the hacker’s “booty” is the ability to authenticate transactions or sign documents on your behalf. For this reason, most authenticator apps try to use the most secure storage available for these keys, which for many developers means the phone’s trusted execution environment. On Android phones this is the StrongBox keystore; on Apple devices it is the iOS Secure Enclave (with companion software, the Keychain, that stores encrypted data such as passwords).
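As an added illustration (not code from V-Key or from the paper), the following hypothetical Android helper shows how an app requests a StrongBox-backed signing key with a per-use biometric gate and an attestation challenge, falls back to the TEE keystore when no StrongBox chip is present, and then checks that the key really landed in secure hardware. It assumes Android 11 (API 30) or later and a made-up key alias; hardware backing alone does not stop malware on a rooted phone from driving the app, which is the article’s point, but an authentication gate enforced by the secure hardware limits silent use of the key.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;

public final class AuthenticatorKey {
    private static final String ALIAS = "otp-signing-key"; // assumed alias, not from the article

    /** Key spec; attestationChallenge is a server-supplied nonce bound into the attestation chain. */
    private static KeyGenParameterSpec spec(byte[] attestationChallenge, boolean strongBox) {
        return new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Timeout 0: every signature needs a fresh strong-biometric prompt, so code running
                // inside the app process cannot use the key silently.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                .setAttestationChallenge(attestationChallenge)
                .setIsStrongBoxBacked(strongBox)
                .build();
    }

    /** Generates the key, preferring StrongBox; returns true if StrongBox was used, false on TEE fallback. */
    public static boolean generate(byte[] attestationChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        try {
            kpg.initialize(spec(attestationChallenge, true));
            kpg.generateKeyPair();
            return true;
        } catch (StrongBoxUnavailableException e) {
            kpg.initialize(spec(attestationChallenge, false));
            kpg.generateKeyPair();
            return false;
        }
    }

    /** Defender's check: the key lives in secure hardware and the auth gate is enforced there, not by app code. */
    public static boolean isHardwareProtected() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware() && info.isUserAuthenticationRequirementEnforcedBySecureHardware();
    }
}
```

The server should verify the attestation certificate chain returned for the alias before trusting that the key is hardware-backed; the on-device check above is only a local sanity test.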
Er Chiang Kai, CTO at V-Key, said: “We discovered that malware could be used to obtain a target’s authentication keys, allowing hackers to perform fraudulent transactions or sign forged documents. This is especially true for jailbroken phones.”
News Summary:
- Most mobile authentication apps have a design flaw that allows hacking.