Friday 16 November 2012

Is mobile banking the most secure way of banking yet?


In the world of security there is often a tendency to accentuate the negative. This can often be justified. Malware can lead to data/identity theft and financial fraud and a DDoS attack can create havoc by denying access to a web site or service etc.

However, security can also be a positive factor – an enabler. For financial services, each time we use our debit or credit cards in an ATM or POS terminal in a retail store or use them on an eCommerce website we have a fair level of assurance that all parties are protected from fraud - where would eCommerce and financial transaction integrity be without cryptography?

Security technology coupled with sound risk management has been at the heart of the financial services industry for many years. This combination of security technology and risk management must be applied to new methods of providing financial services to bank customers including one of the hottest channels for providing financial services – Mobile.

Mobile devices, from feature to smart phones and from tablets to phablets, have become a vital endpoint for accessing banking services. The mobile banking channel is viewed as one of the most important channels for delivering financial services to bank customers. These are the same bank customers that are rapidly adopting these ‘smart mobile devices’ and are using them as their primary digital device – the first screen for consuming work/leisure digital content.

With the rush to mobile by financial institutions for banking and payment services there have been serious questions asked about whether mobile is secure enough. There is no denying that smart mobile devices are increasingly being attacked for financial fraud and identity theft. A combination of platform vulnerabilities and an increased desire from hackers and fraudsters to attack has led to a situation where mobile devices are under threat. Mobile malware is on the rise, especially affecting Android, and banking services, including some mobile-based Two-Factor Authentication (2FA) services, are under targeted attack.

Much has been commented on mobile vulnerabilities and whether security vendors are creating scare stories to make mobile users install their products, but my experience tells me that much of this is not FUD but FACT. As money moves onto mobile devices, it is inevitable that the criminals will follow.

This has to be one of my favourite quotes (although the quote may in fact be an urban legend) and I apologise for repeating it again here, but it is such an important message and provides context for this blog. One of the US’s most prolific bank robbers from the 1920s to the 1950s was a man named Willie Sutton (AKA “Slick Willie”). In his 40-year ‘career’ he robbed over one hundred banks and stole an estimated $2 million (a big number in old money). When asked why he robbed banks he replied “because that’s where the money is”. Why is this important to today’s ever mobile world? Well I think it is pretty obvious. Soon there will be more mobile phones than people on this planet and every one of these devices has the capability of banking (including full transactional banking). From the streets of Nairobi, Kenya, to the avenues of New York, USA, people are accessing their bank accounts and transferring money using mobile devices – be it an old Ericsson ‘brick’ or the latest Apple iPhone; using SMS or a mobile App. It’s where the money is…

So, is mobile banking a secure method for banking and is it the most secure yet? I believe that mobile banking has the ‘potential’ to be more secure than traditional online banking and comparable with other banking channels. Whether current deployments of mobile banking are secure enough at the moment is another question. The key word is ‘potential’. Mobile phones and smart mobile devices have the capability to offer very good levels of security for banking purposes. Whether it is leveraging the hardware security capabilities and trusted environment that the Secure Element (SE) offers or adopting strong mobile-based Multi-Factor Verification (MFV), mobile devices can play an important part in ensuring trust between the bank customer and their bank.

In a recently published report from Goode Intelligence written by Ron Condon, Senior Analyst, “Mobile Banking Security Insight Report”, we investigate the risks to mobile banking, how banks are securing the mobile banking and analyse the state of security for this channel.

We have interviewed some of the leading lights in the world of banking security and have asked them to recommend ways in which mobile banking can be a trusted channel for financial institutions – actionable steps that banks can adopt to ensure that their customers are secure when banking on their mobile devices.

I can share some of this advice here. When designing and deploying mobile banking solutions financial institutions should, at a minimum:
  1. Use the power of the mobile phone to create an encrypted communication channel between user and bank
  2. The phone’s “fingerprint” should provide one factor in authenticating the users (the PIN provides another)
  3. Consider using the other facilities on the phone for stronger authentication (biometrics, geolocation)
  4. Monitor apps stores for any rogue apps that purport to represent your company – and kill them quickly
  5. Introduce a plan for updating mobile banking apps
  6. Ensure that mobile banking apps are security tested
  7. Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others
  8.  Educate users about system hygiene when upgrading their handset, and disposing of an old one
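Steps 1 to 3 above describe layering a device-bound factor with the user's PIN. The following is an added example, not code from the original post or from Goode Intelligence, of how a bank back end could combine those two factors: a device fingerprint identifies the enrolled handset, a per-device key provisioned at enrolment proves possession of it, and a salted slow hash protects the PIN. The attribute names, the registry layout and the iteration count are assumptions for the illustration; the transport channel (step 1) is assumed to be TLS and is not shown.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: tune to the server's latency budget


def device_fingerprint(attributes):
    """Canonicalise the attributes the app can read at enrolment (constructed
    names below) into a stable identifier. The fingerprint only identifies the
    device; it is not a secret, so it is paired with a per-device key."""
    canonical = "\n".join("%s=%s" % (k, attributes[k]) for k in sorted(attributes))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def hash_pin(pin, salt):
    """Slow, salted hash so a leaked registry does not reveal PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enrol(registry, fingerprint, pin):
    """Server-side enrolment: mint a device key and store it with the PIN hash.
    Returns the device key, which the app would keep in its keystore or SE."""
    device_key = secrets.token_bytes(32)
    salt = os.urandom(16)
    registry[fingerprint] = {
        "device_key": device_key,
        "pin_salt": salt,
        "pin_hash": hash_pin(pin, salt),
    }
    return device_key


def sign_challenge(device_key, challenge):
    """Client side: prove possession of the device key over a server nonce."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def verify_login(registry, fingerprint, challenge, response, pin):
    """Server side: both factors must pass. Unknown devices fail closed, and
    both checks are always evaluated so timing does not reveal which failed."""
    record = registry.get(fingerprint)
    if record is None:
        return False
    device_ok = hmac.compare_digest(sign_challenge(record["device_key"], challenge), response)
    pin_ok = hmac.compare_digest(hash_pin(pin, record["pin_salt"]), record["pin_hash"])
    return device_ok and pin_ok


# Constructed sample attributes (placeholders, not real device APIs)
SAMPLE_ATTRIBUTES = {"model": "example-phone", "os_build": "1.0", "install_id": "abc123"}


def demo():
    """Enrol one device and run a single successful login round trip."""
    registry = {}
    fp = device_fingerprint(SAMPLE_ATTRIBUTES)
    key = enrol(registry, fp, "4711")
    challenge = os.urandom(16)            # fresh server-issued nonce per login
    response = sign_challenge(key, challenge)
    return verify_login(registry, fp, challenge, response, "4711")


if __name__ == "__main__":
    print("login accepted:", demo())
```

The challenge is a fresh nonce for each login, so a captured response cannot be replayed, and a stolen PIN is useless without the enrolled device's key (and vice versa).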

I hope this blog has been useful for you. Please feel free to contact me to find out more about mobile banking security and our research. You can follow us on Twitter @goodeintel.



Friday 9 November 2012

A Smart Mobile Identity for our smart mobile lifestyle


I must admit that I didn’t come up with the term Smart Mobile Identity. For that I have to thank Joey Pritikin at AOptix who I was lucky enough to meet at the recent Biometrics exhibition and conference in London during the last week of October 2012. I first came across the term in a presentation that Joey gave at last year’s Biometrics conference where he discussed how standard smart phones can be leveraged for biometric purposes, including user authentication and identity verification [Presentation: Smart Mobile Identity – Beyond Single Purpose Handheld Biometric Devices].

In my opinion, the term Smart Mobile Identity really sums up the next generation of mobile-based authentication and identity verification solutions – something that I have been involved in for the best part of ten years through various roles including my current one as Managing Director of Goode Intelligence.

To me, Smart Mobile Identity is about leveraging the capabilities of a modern smart mobile device (SMD) to ensure that our identities are proven or verified when identity proof (authentication if you like) is required. Not only for proving identity when accessing digital services through a desktop computer but also for mobile initiated access and even when we present ourselves in the physical world; at a country border or when accessing health or social security services. I also include proving our identity when accessing digital services using other connected devices, such as gaming consoles, automobiles, smart TVs etc; adaptive and agile authentication and identity verification to support the Internet of things. As someone who owns an Xbox 360 Kinect device, the idea of using a voiceprint or a facial scan to access Xbox LIVE is a realistic possibility.

For mobile device-based authentication and identity verification solutions, the simplest scenario is being sent a one-time-password (OTP) via SMS when authenticating ourselves into a network-based service, e.g. Google’s Authenticator or 2-step verification process. However, this is changing rapidly and we are in the midst of an evolution in mobile-based authentication and identity verification solutions; moving away from porting existing, non-mobile centric, services to the mobile to designing solutions specifically for mobile. Using the microphone for voice biometrics, a GPS sensor for Geo-location, a combination of the accelerometer and touchscreen for continuous behavioural assessment, securely storing digital certificates in the SIM or Secure Element (SE) and the camera for facial and eye vein biometrics (take a look at start-up EyeVerify for this). All these examples work with standard SMDs now; no need for any specialist equipment.
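The OTP scenario mentioned above, whether delivered by SMS or generated on the handset by an app such as Google Authenticator, rests on the HOTP/TOTP algorithms (RFC 4226 and RFC 6238). The following is an added example, not code from the original post or from any vendor named on this page, showing the generator and the server-side check that a bank or service would run, including clock-skew tolerance and replay rejection. The secret used is the RFC test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then reduction to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, last_used_counter=-1, window=1, step=30, digits=6):
    """Server-side check. Accepts +/- `window` steps of clock skew, compares in
    constant time, and refuses any counter at or below the last one accepted so
    an intercepted code cannot be replayed. Returns the matched counter or None;
    the caller stores that counter as the new last_used_counter."""
    now_counter = int(unix_time) // step
    for skew in range(-window, window + 1):
        candidate = now_counter + skew
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(text):
    """Authenticator apps are usually provisioned with a base32 secret
    (the QR code payload); restore any stripped padding before decoding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 4226 / RFC 6238 test-vector key (constructed, not a real credential)
TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SECRET, 59))
    print("accepted counter:", verify_totp(TEST_SECRET, totp(TEST_SECRET, 59), 59))
```

Whether the code arrives by SMS or is computed on the phone, the server side is the same; the replay check is what stops a code that was observed in transit from being reused within its validity window.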

In addition to these examples, new opportunities are being presented with the next generation of SMDs that contain new types of embedded sensors, including NFC, embedded fingerprint and voice recognition sensors. You can also adapt existing SMDs with add-on sleeves that enable fingerprint recognition (Precise Biometrics Tactivo sleeve) and can support smart cards and NFC. The need for single-purpose devices to capture and verify biometrics in the field may become obsolete as a result of these developments.

Smart mobile devices offer so many opportunities for authentication and identity verification and this blog can only scratch the surface of what can and will be offered – some of the solutions even encroach into the realms of science fiction. I was fascinated to come across the iTravel patent from Apple detailing what the Cupertino tech giant believes to be the possibility of using a mobile wallet for travel purposes: managing the end-to-end travel process from reservation, to ticket receipt/validation, check-in and baggage claim through to identification at border control. I think all but the last scenario are achievable now, but I believe that we are far off from using our mobile devices as virtual passports.

That said, perhaps we are seeing pieces of the jigsaw that tell us how Apple will integrate the recently acquired fingerprint sensor technology from AuthenTec – an agile, and very personal, way to protect our wallets or in Apple’s case our Passbook. Swiping a finger to lock and unlock our digital wallets.


Every discussion that I have with technology companies involved in this space, and this includes many of the major authentication and biometric vendors, involves how best to utilise the smart mobile device for authentication and identity verification purposes. My recent attendance at the RSA Europe conference and Biometrics Conference, both held in London, was largely occupied with meetings with clients and tech vendors that were investing serious R&D resources into this area of technology.

A number of forward looking organisations and technology vendors are already leveraging the capabilities of the smart mobile device for authentication and identity verification purposes. Through my work at Goode Intelligence I have been exploring the capabilities of mobile devices for authentication and identity verification and this includes the recent publication of two free-to-download white papers; Two-Factor Authentication Goes Mobile and The Case for Mobile MFV.

Goode Intelligence will continue to track this market and you can expect some new publications covering smart mobile identity in the coming months.

Please get in touch if you want to discuss this further or are a technology innovator working in this exciting field. 

Friday 27 July 2012

What does Apple's acquisition of AuthenTec tell us about biometrics on mobile devices?


I am not surprised with the news that Apple has acquired mobile security and fingerprint sensor vendor AuthenTec in a deal worth $356m. 

I have been following the mobile security market since 2004 and this has included the publication of a report for my research and consultancy company, Goode Intelligence, on mobile biometric security published in June of 2011. Smart Mobile Devices (SMDs), a term that we use to define smart phones and tablets, have become the portable computer of choice for both personal and business use. However, questions remain as to the effectiveness of security controls for these devices with the recent Black Hat conference in Las Vegas being dominated by presentations that detail the vulnerabilities of these devices. 

Apple's acquisition of AuthenTec, who are not just about fingerprint sensors, is a positive move by the Cupertino-based company and could lead to next generation Apple products having embedded security controls, both hardware and software-based. 

As seen in the Goode Intelligence annual mSecurity survey report, Apple iOS has become the number one choice for the enterprise. This position will be well and truly cemented if Apple strengthens its security as a result of the AuthenTec acquisition. 

Will this mean embedded fingerprint sensors in next generation Apple products including the iPhone and the iPad? With the acquisition of AuthenTec this has become more likely. I interviewed AuthenTec as part of my research into the mobile biometric market and back in May 2011 they said this; “the integration of fingerprint sensors into wireless smart phones, feature phones and tablets is in its early stages and will accelerate.” Accelerate as a result of being in every iPhone and iPad? A distinct possibility.

Embedded fingerprint sensors on mobile devices are being used to protect the phone (augment standard phone lock as my Motorola Atrix 4G admirably does) and to provide authentication to support NFC-based transactions, including payments, at physical locations. AuthenTec has been doing well in this market since 2004 when it first supplied fingerprint sensors for Fujitsu mobile phones to be used to secure mobile payments for NTT DoCoMo in Japan. With rumours that the next generation iPhone (iPhone 5) will support NFC, will Apple be combining biometric authentication through the use of an embedded fingerprint sensor for mobile payments at the physical point-of-sale?

I was pretty cautious when forecasting the growth of mobile biometric security products and services back in 2011, predicting that the market would grow to 39 million users by 2015. This quote from the report highlights this: "The market is currently slow; but pressure is growing. Things could change rapidly, from an interesting concept to a 'must have' for all smart mobile devices."

I did go on to make a conditional statement that is very relevant to this news:

"However, this could all be thrown on its head with the introduction of embedded biometrics on mobile devices by one of the major manufacturers – and not just a single product line but standard on all mobile phone products. The market is always eagerly waiting for the next generation of Apple iPhones and rumours are circulating that Apple iPhone 5 may include some form of biometric technology."

Could this news be the catalyst to accelerate the adoption of biometric security onto smart mobile devices - there is now much more of a chance of this happening. I look forward to seeing how Apple build on AuthenTec's success in the mobile security world.

For news, opinion and analysis on all things mobile security follow me on Twitter - @goodeintel





Friday 25 May 2012

Lies, damned lies, and statistics… What do statistics tell us about the real risk from mobile malware?


The Evidence
Mobile malware, in particular Android mobile malware, is rising. This is a fact.

It has been rising slowly since 2004, as the figures below from McAfee detail, and the rate has been accelerating since autumn 2011 when a number of high-profile cases of Android mobile malware hit the press. This included Google’s official Android Appstore, then called Market, now called Play, being used as a method to distribute Trojanised apps to unwitting customers. GGTracker [1], SuiConFo [2] and RuFraud [3] were all Trojanised Android apps that were attempting to defraud consumers, largely by attacking the Premium Rate Service industry through the unauthorised sending of Premium Rate SMS messages.

Mobile Malware Explodes, Increases 1,200% in Q1/2012
Source: McAfee Threats Report: First Quarter 2012


“A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts.” Mobile Threat Report Q1 2012, F-Secure

Figures from Goode Intelligence’s annual mSecurity survey back this up with a rise in the number of reported mobile malware incidents – read infection – in the workplace from 7% in 2009 to 24% late in 2011; nearly a quarter of all organisations. This figure is alarming.

GI mSecurity Survey: Has your organisation experienced a mobile malware incident?

We are also seeing evidence from other sources including telecommunications regulators. In the UK, the country’s premium rate regulator, PhonepayPlus, has been involved in investigations into premium rate fraud directly caused by mobile malware.



With the assistance of Goode Intelligence, (providing research and analysis into the link between mobile malware and PRS fraud), PhonepayPlus are proactively tracking instances of mobile malware that are attacking PRS.

One of these investigations hit the news recently and resulted in a hefty £50,000 fine for a mobile aggregator, A1 Aggregator Ltd based in Latvia, for managing the SMS shortcodes that were used in the RuFraud malware attack. From late November 2011, after receiving 34 complaints from consumers of unauthorised PSMS charges on their phone bills, including an individual losing around £80, the regulator investigated further and tracked the fraud down to Trojanised versions of Android Apps distributed via Android Market (Play). The fake apps included Trojanised versions of Angry Birds, Assassin’s Creed and Cut the Rope. Consumers had no knowledge of three PSMS messages being sent every time the Trojanised app was started. Each PSMS message was costing the unwitting user £5.00.

In this one case 1,391 mobile numbers in the UK were affected and an estimated £27,850 worth of fraud was attempted. Due to the swift action from the regulator, the shortcode was suspended and none of the £27,850 of UK consumers’ money was able to reach the fraudsters.

PhonepayPlus found evidence of the RuFraud Trojan operating in 18 countries.  Thankfully the UK has a regulator that is well advised and has put into place procedures to ensure that this emerging area of PRS fraud is actively monitored. What about the other 17 countries that were targeted by this malware? How many consumers have been affected and how much financial damage has been done in regions where regulation is not so proactive?

The Risk
There is evidence from multiple sources, including our own, that mobile malware is rising and it is targeting consumers for, amongst other reasons, financial fraud.

On the face of it, it seems that the risk of malware infection is getting stronger and both consumer and enterprise mobile users should take preventative measures to counteract that threat. These preventative measures include being cautious when downloading Android apps from appstores, including Google Play and from third parties, and checking the permissions carefully. There is also the option of protecting your mobile device with a mobile security product that is proven to be effective in preventing mobile malware.
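"Checking the permissions carefully" can be made mechanical. The following is an added example, not code from the original post or from any vendor named here, of a small audit that reads the permissions an Android app declares in its AndroidManifest.xml and flags the ones that can cost the user money or expose their messages when they do not fit the app's stated purpose, which is exactly the mismatch the premium-rate SMS Trojans above relied on (a game that asks for SEND_SMS). The category-to-permission expectations and the sample manifests are constructed for the illustration; the permission names are real Android permission identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that can incur charges or expose messages; the reasons are this
# example's reviewer notes, not an official Android classification.
COSTLY_OR_SENSITIVE = {
    "SEND_SMS": "can send premium-rate SMS and incur charges",
    "RECEIVE_SMS": "can read incoming SMS, including confirmations and OTPs",
    "READ_SMS": "can read stored SMS",
    "CALL_PHONE": "can place calls, including to premium-rate numbers",
    "READ_CONTACTS": "can harvest the address book",
}

# Assumption: what an app of each category could plausibly need.
EXPECTED_BY_CATEGORY = {
    "game": {"INTERNET", "ACCESS_NETWORK_STATE", "VIBRATE", "WAKE_LOCK"},
    "messaging": {"INTERNET", "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"},
}

# Constructed manifests: a "game" with the Trojan-style permission set, and a benign one.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.birdgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the short names (SEND_SMS, not android.permission.SEND_SMS)
    of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        full = el.get(ANDROID_NS + "name")
        if full:
            names.append(full.rsplit(".", 1)[-1])
    return names


def assess_manifest(manifest_xml, category):
    """Flag costly/sensitive permissions the category does not justify, plus the
    send-and-read SMS combination. Returns permissions, findings and a risk level."""
    perms = set(declared_permissions(manifest_xml))
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    findings = []
    for p in sorted(perms & set(COSTLY_OR_SENSITIVE)):
        if p not in expected:
            findings.append("%s: %s (not expected for a %s app)" % (p, COSTLY_OR_SENSITIVE[p], category))
    sms_pair = {"SEND_SMS", "RECEIVE_SMS"}
    if sms_pair <= perms and not sms_pair <= expected:
        findings.append("SEND_SMS with RECEIVE_SMS: the app can both send messages and read the "
                        "replies, the combination seen in premium-rate SMS fraud")
    charging = {"SEND_SMS", "CALL_PHONE"}
    if (perms & charging) - expected:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"permissions": sorted(perms), "findings": findings, "risk": risk}


if __name__ == "__main__":
    for line in assess_manifest(GAME_MANIFEST, "game")["findings"]:
        print("-", line)
```

An appstore operator could run this at upload time as a cheap first filter ahead of dynamic analysis; a user can apply the same reasoning by hand from the permission list shown at install time.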

Android is being targeted as it has a more open platform for downloading and installing apps and it is becoming the number one mobile platform around the world. This makes it the number one target for malware in today’s mobile market.

However, we should also be cautious in assessing the current risk to both consumers and enterprise users from the threat of mobile malware. Apple’s iOS has been free of malware and there have been very small numbers of malware that have been known to affect BlackBerry devices. 

Additionally, Google should be applauded in acknowledging the threat from Trojanised apps in Play by deploying a solution, Bouncer [4], which attempts to detect mobile malware on upload. Bouncer was announced early in 2012, although it has been running during 2011, and it is probably too early to state how effective the solution is in preventing mobile malware on Play [5].

There is also an acknowledgement from third-party Android appstores that security is important as a business differentiator. Goode Intelligence surveyed a number of the third-party appstores and was pleased that over two-thirds of the respondents (68 percent) replied with a ‘yes’ to the question “Do you think there is a commercial benefit for an app store to offer malware detection and prevention technology?” The tools are available for these third-party Android appstores with AVG [6] amongst the vendors offering specific security solutions aimed at preventing the spread of malware from these appstores.

Yes, the statistics do tell us of double and triple digit growth in mobile malware, mainly targeting the Android platform. However, the risk is still relatively low and the financial fraud that is being committed as a result of mobile malware is currently low in value. These are still early days in the history of malware targeting mobile platforms and indications are that the business drivers for attacking these platforms are growing, which could result in the situation getting worse – especially in the short-to-medium term.

And in answer to the question of attacks on Apple iOS, will this happen? You betcha! As the famous US bank robber, Willie Sutton, said in response to the question why he robbed banks; "because that's where the money is." Whether they will succeed is another matter and the topic for another blog.

Alan Goode
May 2012









[2] Although this article from Andy Greenberg on Forbes questions how effective Bouncer is: http://www.forbes.com/sites/andygreenberg/2012/05/23/researchers-say-they-snuck-malware-app-past-googles-bouncer-android-market-scanner/
[3] Press release in the partnership between AVG and Livewire: http://www.avg.com.au/news/Livewire-Mobile-partnership/

[5] Covered by Denis Maslennikov of Kaspersky Labs in this blog: http://www.securelist.com/en/blog/208193261/SMS_Trojans_all_around_the_world
[6] Covered by Lookout Mobile Security in this blog: http://blog.mylookout.com/blog/2011/12/11/european-premium-sms-fraud/

Friday 11 May 2012

Why 2012 is the year of Public Key Infrastructure


We are regularly bombarded by news stories that announce the death of this or the death of that. From memory, we have seen “the death of cash”, the “death of the PC” and the “death of the token”. Usually, these predictions are triggered by some sort of an event, perhaps the publication of a new report or a security incident, e.g. the RSA Security breach. But, after the dust has settled and the crisis teams have moved on to the next event, what impact, if any, is felt on the product or technology that has been affected?

In a guest blog, Calum MacLeod, EMEA director, Venafi, explores the role of PKI in a post-Comodo world and suggests that 2012 could be “the year of Public Key Infrastructure”.

Alan Goode May 2012

Why 2012 is the year of Public Key Infrastructure

Comodo, Sony, RSA Security and many more have been badly breached recently - but does that mean the death toll for PKI? Calum MacLeod, Venafi EMEA director, cautions on ringing that bell yet

Recently, the IT security world was shaken to its very core. Established and trusted organizations fell from grace as they became victims of hacking. In the case of Comodo and StartSSL the resultant outcry has seen many quick to declare that public key infrastructure (PKI) is dead or dying. However, I believe it is the best we’ve got and it will not be replaced any time soon – to argue otherwise is a waste of energy. In fact, I actually think the reverse and that 2012 is the year of PKI.

I could spend ages telling you about the various hacks and what went wrong, but many others have already done that, including myself. Let’s assume, however, that you either know or have read about it elsewhere.

Instead, let’s focus on the critical role certificates and PKI play in securing data and authenticating systems across all types of organizations. And think of all the systems that now leverage (and very effectively I might add) PKI, including the traditional IT data center infrastructure, public and private clouds, and an exploding number of mobile devices that require authentication, to name just a few.

Within a PKI, a certificate authority assigns each system or user a unique identity - a digital certificate - that allows the certificate holder to work within the protected environment. This allows organizations to let customers, partners, and employees authenticate to systems and users. I would argue, perhaps controversially, that PKI delivers a virtually seamless experience for users while providing trusted security.

And it is the word trusted that many of you will scoff at.

How can they be trusted?
To pretend that they’re infallible is churlish. Instead, what needs to be recognized is that the world we live in is imperfect and, a bit like a car, we need more than one security feature if we’re to prevent ourselves flying through the windscreen.

Let’s use the car analogy to illustrate the point. Cars have brakes to stop them in an emergency. Yet, all too often, there are accidents. Has anyone pointed the finger at the braking system and declared it dead? Of course not. Instead, the designers have worked tirelessly to improve the overall safety of vehicles, installing impact bars and roll cages, seatbelts, and an airbag just to make sure. An organization’s security should be approached in much the same way.

To do this, we need to first understand the challenges faced. Depending on the IT environment where keys and certificates are being deployed, some or all of these risks may apply:

  • Certificates that are not renewed and replaced before they expire can cause serious unplanned downtime and costly outages
  • Private keys used with certificates must be kept secure or unauthorized individuals can intercept confidential communications or gain unauthorized access to critical systems
  • Regulations and requirements (like PCI-DSS) require much more stringent security and management of cryptographic keys, and auditors are increasingly reviewing the management controls and processes in use
  • The average certificate and private key require four hours per year to manage, taking administrators away from more important tasks and cost hundreds of thousands of dollars per year for many organizations
  • If a certificate authority (CA) is compromised or an encryption algorithm is broken, organizations must be prepared to replace all of their certificates and keys in a matter of hours
  • The rollout of new projects and business applications is hindered because of the inability to deploy and manage encryption to support the security requirements of those projects

Manage Certificates Properly
As this highlights, certificate and encryption or private key management can be complicated. The fact that there are typically several people involved in the management of certificates and private keys makes the probability of error even higher.

Clearly defining roles and responsibilities, so that everybody knows what they’re responsible for, can significantly decrease the likelihood of failure and make it easier to work out how to improve processes when something does go wrong. In some areas, system administrators will manually enroll for and install certificates. In others, a central system may be used for automated installation.

The last thing you want as an organization is to be running around trying to figure out who is responsible for a key or certificate when an issue arises. Compile a list of responsible groups and/or individuals for each key and certificate in your inventory and develop a method for keeping the information current.

Prepare for it
If you act on the principle that you’re going to be hacked – it’s just a matter of time – then at least you’ll be prepared should it happen.

Just like brakes in a car, encrypt everything. Ensure that your encryption systems provide the security they are designed to deliver while simultaneously reducing operational risk and administrative workload. Finally, know where everything is.

PKI and SSL are sensible platforms for certificate management. Abolishing them and putting something else in their place is not feasible – the vehicle already exists and it is not going away anytime soon. Instead, organizations need to recognize the challenge of using them and decide how they’re going to handle the coming explosion in certificates.
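The guest post's list of key and certificate risks (unplanned expiry, weak or exposed private keys, CA compromise requiring bulk replacement, nobody knowing who owns what) and its advice to keep an inventory with named owners can be turned into a routine check. The following is an added example, not code from the guest author, Venafi or Goode Intelligence, that audits a constructed inventory against those risks and produces the per-owner replacement list a CA-compromise drill needs. The records, dates, thresholds and owner names are all constructed for the illustration; in practice the records would be populated from a scan of deployed certificates.

```python
from datetime import date

# Constructed inventory records, not real certificates or hosts.
INVENTORY = [
    {"cn": "www.example.com", "issuer": "Example Public CA",
     "not_after": date(2012, 6, 10), "key_bits": 2048, "owner": "web-ops"},
    {"cn": "vpn.example.com", "issuer": "Example Public CA",
     "not_after": date(2013, 1, 15), "key_bits": 1024, "owner": "net-ops"},
    {"cn": "legacy-app.example.internal", "issuer": "Example Internal CA",
     "not_after": date(2012, 5, 20), "key_bits": 2048, "owner": None},
    {"cn": "api.example.com", "issuer": "Other CA",
     "not_after": date(2014, 3, 1), "key_bits": 2048, "owner": "api-team"},
]

# Constructed "as of" date for the audit (the date of this post).
AS_OF = date(2012, 5, 11)


def days_until_expiry(record, today):
    return (record["not_after"] - today).days


def audit_inventory(inventory, today, warn_days=30, min_key_bits=2048):
    """Map each record to the risks in the list above: expiry (unplanned
    outage), a key below policy strength, and no responsible owner. Returns
    sorted (cn, finding) pairs so the report is stable from run to run."""
    findings = []
    for r in inventory:
        remaining = days_until_expiry(r, today)
        if remaining < 0:
            findings.append((r["cn"], "expired"))
        elif remaining <= warn_days:
            findings.append((r["cn"], "expiring within %d days" % warn_days))
        if r["key_bits"] < min_key_bits:
            findings.append((r["cn"], "key below %d bits" % min_key_bits))
        if not r["owner"]:
            findings.append((r["cn"], "no responsible owner"))
    return sorted(findings)


def replacement_plan(inventory, compromised_issuer):
    """CA-compromise drill: every certificate chained to the affected issuer,
    grouped by the owner who must re-issue it; unowned ones are called out
    under UNASSIGNED because those are the ones that stall the response."""
    plan = {}
    for r in inventory:
        if r["issuer"] == compromised_issuer:
            plan.setdefault(r["owner"] or "UNASSIGNED", []).append(r["cn"])
    return plan


if __name__ == "__main__":
    for cn, finding in audit_inventory(INVENTORY, AS_OF):
        print("%-30s %s" % (cn, finding))
    print(replacement_plan(INVENTORY, "Example Public CA"))
```

Running the audit on a schedule, and the replacement plan as a tabletop exercise before it is needed, is the operational form of "know where everything is".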


Sunday 29 April 2012

Back from Infosecurity Europe: Highlights from Europe’s largest Information Security show


I think a kayak would have been a more suitable mode of transport in getting to Infosecurity Europe 2012 this year. Europe’s largest information security trade show, held each year in London, certainly drew in the crowds despite the deluge of rain that greeted them each day.

I have been coming to Infosec for far too many years to count, both as an information security professional and latterly as an industry analyst, and even my trade show-weary eyes were impressed with the buzz that emanated from the show.

This blog is my take on the show with an emphasis on mobile security.

Focus not on technology but people and process
I always enjoy my regular catch-up meetings with William Beer, Director, One Security, PWC, and our meeting at Infosec was no exception. It was a great start to the first day of the show and pulled me back from just concentrating on the technology – an easy trap at such a technology-dominant show.

We both agreed that the trend of mobile BYOD was here to stay and that organisations were well down the road to building this into IT strategy. As with all emerging trends there will be mistakes made and technology that may solve one immediate problem may be shelved as business owners and IT functions begin to understand some of the new dynamics that face them. 

We both agreed that organisations need well informed and balanced advice on how to support mobility and in particular the conundrum that employee-owned mobile devices can introduce to organisations large and small.

I look forward to my next catch up with William and I am sure that, as always, there will be plenty to discuss.

Smart ways to authenticate on smart mobile devices – the next wave of mobile authentication/identity solutions

I am always on the lookout for new and innovative methods of authenticating people on mobile devices and was lucky to catch up with three innovative vendors operating in this space: ActiveIdentity (part of HID Global), BehavioSec, and Live Ensure.

ActiveIdentity
I have been speaking with ActiveIdentity since first researching the market for mobile device-based authentication solutions back in 2009 and have been keeping a close eye on them ever since. They are now part of HID Global, a leader in physical access control. 

I caught up with Alan Davies, Vice President Identity Assurance Sales EMEA, to get an update on their mobile solutions and to see how far they had come with enabling both physical and logical access control using a mobile device (something that their smart card solutions have been enabling for some time now).  The pairing of ActivIdentity and HID Global has created solutions that allow mobile phones to be used to enter physical buildings and to gain access to computer services. NFC is being leveraged to enable this to happen and I was pretty impressed with the NFC sleeve that they are using to enable iPhones to benefit from this technology (come on Apple get NFC on iPhone 5 please). This technology is not just the preserve of the enterprise and government user; the lock manufacturer Yale (owned by ASSA ABLOY) showcased NFC-enabled locks for the consumer market at CES 2012. Definitely a technology to watch and something that could even be ported to cars.

BehavioSec
I met Hans Bergman and Olov Renberg from BehavioSec at their stand and was given a demo of their mobile product, Behavio Mobile. Up until recently, I feel that we have seen mobile authentication v1.0, where existing, non-mobile authentication solutions have been ported to mobile phones without a great deal of thought as to (a) the uniqueness of the form factor and (b) how to authenticate the mobile channel, e.g. in-app. With solutions such as Behavio Mobile we are now entering the second stage of authentication on mobile devices, where the design of the authentication solution is centred on mobile rather than solely shoehorning a smartcard or token solution onto a mobile phone.

Behavio Mobile uses a technique that the guys at BehavioSec are calling Behaviometrics (behavioural biometrics). Behavio Mobile collects behavioural statistics of the normal pattern of using a mobile device, e.g. entering or swiping a PIN-code on a touch-screen, and then compares this with previous usage to decide whether the user is who they say they are. Based on these biometric inputs it can then accurately determine whether the person tapping/swiping away on their smart mobile device is the legitimate owner of the device, or whether the correct mobile bank customer is attempting to access their account details. The solution has another great feature in that it can interact with BehavioSec’s own risk engine or interface with third-party risk solutions, for example RSA’s Adaptive Authentication product. This could be a really interesting solution for the type of ‘step-up’ verification that online banking is crying out for.
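To make the idea concrete, here is an added illustration (my own toy code, not BehavioSec’s product or algorithm) of how a PIN-entry rhythm can be enrolled and scored, with the score mapped to an accept / step-up / reject decision of the kind a risk engine would make. The features (key hold times and flight times), the z-score distance and the thresholds are all assumptions for the example, and every timing value is constructed.

```python
"""Toy behavioural-biometric check on PIN-entry rhythm (added example)."""
from math import sqrt
from statistics import mean, pstdev

# One feature vector per PIN entry: hold time of each of the 4 keys,
# then the 3 flight times between successive presses. Milliseconds,
# constructed values standing in for data captured on a touch-screen.
ENROL_SAMPLES = [
    [120, 110, 130, 115, 210, 190, 230],
    [125, 105, 128, 120, 205, 195, 225],
    [118, 112, 135, 112, 215, 185, 235],
    [122, 108, 126, 118, 208, 192, 228],
    [119, 111, 132, 116, 212, 188, 232],
]

def build_profile(samples):
    """Per-feature (mean, std dev). The floor stops a very consistent
    user producing a zero std dev, which would make scoring divide by 0."""
    cols = list(zip(*samples))
    return [(mean(c), max(pstdev(c), 5.0)) for c in cols]

def distance(profile, sample):
    """Root-mean-square z-score: how many std devs the new entry sits
    from the enrolled rhythm, averaged over all features."""
    z2 = [((x - m) / s) ** 2 for (m, s), x in zip(profile, sample)]
    return sqrt(sum(z2) / len(z2))

def decide(profile, sample, accept=1.5, step_up=3.0):
    """Map the distance to a risk decision. The thresholds are
    illustrative; a deployment tunes them on false-accept / false-reject
    rates. 'step-up' is where a second factor would be requested."""
    d = distance(profile, sample)
    if d <= accept:
        return "accept", d
    if d <= step_up:
        return "step-up", d
    return "reject", d

if __name__ == "__main__":
    profile = build_profile(ENROL_SAMPLES)
    legit = [121, 109, 129, 117, 209, 191, 229]   # same user, same rhythm
    hurried = [130, 120, 140, 125, 220, 200, 240]  # same user, slower
    impostor = [60, 55, 70, 65, 90, 80, 95]        # knows the PIN, wrong rhythm
    for name, s in (("legit", legit), ("hurried", hurried), ("impostor", impostor)):
        verdict, d = decide(profile, s)
        print(f"{name:9s} distance={d:5.2f} -> {verdict}")
```

The point the example makes is that knowing the PIN is not enough: the impostor enters the correct digits yet is rejected on rhythm alone, while a slightly off-pattern legitimate user is pushed to step-up rather than refused outright.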

Live Ensure
I had previously met up in London with the UK team of Live Ensure for an introduction to the company and their mobile authentication solution. As their CTO, Christian Hessler, was in town for Infosec it was a good opportunity to drill down further into their product and business model. Christian is an infectious technology evangelist who really gets the reasons why authentication has to change and knows why the mobile device, in combination with ease-of-use and a true cloud experience, is its future.

In a similar manner to BehavioSec’s mobile solution, Christian and his team have developed an authentication solution that is agile and easy to use. Live Ensure is a non-persistent solution that uses a technology called Digimetrics. This features three key technologies: the first is a ‘touchless’ deep-device fingerprinting solution, the second is a one-time disposable signature and the third is a ‘smart-channel’ communication that does not use the browser, something that is prone to man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks. In addition to the usual suspects, banks, government and healthcare, I can really see this being used in large social networks such as Twitter and Facebook.

How to enable mobile BYOD in the enterprise – without compromising security and usability?
One of the biggest current challenges facing information security professionals is how to deal with the mobile BYOD trend: how to manage and securely control employee-owned mobile devices that are being used for business purposes. The recently published Goode Intelligence report, the GI mSecurity survey report, discovered that well over two-thirds (71 percent) of organisations are allowing their employees to use their own mobile devices for business use.

This trend is turning into a major headache for information security professionals. There are many ways in which an organisation can manage this threat; mobile device management (MDM) is one. However, this may not be the best solution for all organisations, and I met up with three vendors that are enabling mobile BYOD in distinct ways: Cryptzone with their Director’s Portal, and the partnership of Echoworx and Nitrodesk (TouchDown) for secure email on Android devices.

Cryptzone
Cryptzone consider that, in network security, data is the key asset that needs to be protected and have developed a solution that can be used by executives on their iPads, the Director’s Portal.

I met up with Cryptzone’s Peter Davin to discuss the launch of the Director’s Portal solution. Peter stated that executives, including board members, are notoriously ‘unsavvy’ and lax when it comes to transferring, sending and reading sensitive information. This is especially the case for the new breed of Gucci kit, iPad et al, that C-level execs have brought into the boardroom. The Director’s Portal is a web-based online workspace devoted exclusively to the board to use on their iPads. It offers directors secure access to confidential materials and is based on Cryptzone’s experience of securing collaboration and file sharing technology, in particular Microsoft’s SharePoint solution.

Echoworx / Nitrodesk
I retired to the sanctuary that was the Infosec press room (complete with door marked “Dark Room”) to speak with Michael Ginsberg, President and CEO, Echoworx, and Ronald Goins, Chief Operating Officer, Nitrodesk (Ron’s CV includes being a bicycle patrol officer in downtown Seattle and a Supreme Court-certified expert witness on interpreting body language – so I was very careful in how I presented myself to him).

These two technology companies have teamed up to develop a solution that supports secure email on Android devices (although the Echoworx mobilEncrypt ENDPOINT solution works across all major mobile platforms including iOS). Echoworx supply the cloud-based credential management solution (using PKI and digital certificates) and Nitrodesk, through the excellent TouchDown product, provide the email client.

TouchDown provides a true enterprise messaging solution that also supports a wide range of MDM solution providers (we also had an excellent discussion on the state of the MDM industry and who we thought would lead the pack and who would be acquired in 2012 – I shall leave that debate to another blog – maybe).

Tuesday 6 March 2012

Back from MWC#1: The time is right for mobile biometric security

My feet have just about recovered from the many miles walked during the recent Mobile World Congress in Barcelona – I even had to dodge the barricades put up to contain the student protesters (I counted twenty protestors and a couple of hundred Police) to congratulate Alan Giles and the team at Fiberlink after picking up a GSMA 2012 Mobile Award for “Best Enterprise Mobile Solution” for their MaaS360 MDM solution. A very worthy winner.

As a GSMA 2012 judge myself, I was honoured to be chosen to judge the "Best Technology Product or Solution for Safeguarding and Empowering Customers". This was won by Cloudmark for their Mobile Messaging Security Suite.

Global Bilgi for Turkcell Voice Verification
I was very impressed by all of the nominees in this category and was delighted that one of the nominees that made it to the shortlist was from a mobile network operator that had deployed a biometric security solution that supported mobile devices: Turkcell’s Global Bilgi for Turkcell Voice Verification voice biometric service, powered by PerSay’s VocalPassword technology provided by Nuance Communications. The solution uses a biometric speaker verification system that verifies a speaker’s identity using acquired voice samples. Samples of the caller’s voice are converted into voiceprints (unique templates derived from the specific characteristics of the voice) that are used to authenticate and prove the identity of Turkcell customers calling into their call centre. The solution replaces a 4-digit PIN-based authentication solution and has proved to be very successful, with a reported four million enrolled voiceprints.[1]

My research at Goode Intelligence into the market for mobile biometric security products and services concluded that voice recognition services would be one of the biometric modalities to succeed in what are the pioneering stages of biometric security adoption on smart mobile devices (SMD).

VoiceVault
Another technology vendor that has developed a very interesting voice recognition product is the UK-based technology vendor VoiceVault. I was speaking recently with Nik Stanbridge, their Director of Product Marketing, who is starting to see a change in the market with “significant opportunities being turned into contracts”. Both Nik and I agree that we are seeing positive signs of growth in the mobile biometric security market, largely driven by SMDs becoming the “key entry points” for much of our personal and business lives. This trend is being accelerated by mobile voice-based solutions including Apple’s Siri which, according to Stanbridge, makes “people less reluctant / embarrassed at the thought of speaking into a mobile device”.

VoiceVault’s solutions are focussed on identity verification and transaction authorisation for two main use-cases:
  1. On the device itself (phone lock / unlock)
  2. As part of a device-based app’s mechanism for logging onto a website - a high-security replacement for a password

Mobbeel
Another vendor that was showcasing their mobile biometric security solutions during MWC was Spanish-based vendor Mobbeel. I have been following their progress for some time now and was pleased to catch up with Rodrigo Sanchez Gonzalez, CTO, and Abraham Holgado Garcia, Research and Development Director, on their stand in the Spanish area of La Fira Courtyard.

Mobbeel are a relatively young company that have become pioneers in the world of mobile biometric security. Their strength is to use the standard features of a modern mobile device (touchscreen, camera and speaker, fast processor) to support a variety of biometric modalities including signature, iris, facial, hand and voice recognition. Unlike one of the other much-talked-about mobile technologies, Near Field Communication (NFC), their solutions are not reliant on an OEM to embed specific hardware, such as a fingerprint sensor.

I really like this company as they are not just developing ground-breaking technology but developing use-cases and stories to educate the market. Market education is sometimes extremely useful in emerging technologies such as this. Take a look at their video channel to see what I mean.

Fujitsu
Just across the courtyard area where Mobbeel were showcasing their technology was the Japanese OEM Fujitsu, which used MWC to launch a new range of SMDs to the European market. As well as being able to take these devices into the shower or swimming with you (their waterproof capabilities were ably demonstrated by an army of suitably wet-weather-attired exhibitors), these quad-core powered mobiles include embedded fingerprint sensors.

Using the same AuthenTec-supplied fingerprint sensors that have been powering NFC-based physical payments in Japan through mobile network operator NTT DoCoMo, Fujitsu aims to differentiate its devices from the crowd.

As someone who regularly uses a fingerprint sensor on his Motorola Atrix 4G (another example of an AuthenTec-supplied fingerprint sensor) to protect a device from unauthorised access, I can definitely see the advantages of such a technology. However, Fujitsu needs to release APIs and SDKs to the developer community to enable these devices to support other authentication and identification features. This will ensure that this technology becomes a must-have and not a maybe technology.

The time is right for mobile biometric security
One of my roles as MD of Goode Intelligence is to track emerging technologies in mobile security and to predict whether these technologies will succeed and enter the mainstream.

My research into this sector started over one year ago and resulted in the publication of an analyst report in June 2011, “mobile phone security – analysis and forecasts 2011-2015”. In the report I predicted that a biometric groundswell is building for Smart Mobile Devices. The market is currently slow, but pressure is growing.

My subsequent tracking of this market and the buzz that surrounded this technology at this year’s MWC in Barcelona reconfirms my view that conditions are ripe for rapid change: for biometrics to move from an ‘interesting concept’ to a ‘must have’ for all SMDs.

[1] Case study: Turkcell Global Bilgi Nuance VocalPassword™ Deployment Achieves Industry-Leading Adoption Rates (December 2011)