
The use of mobile credentials is on the rise, but can they be secured?

Grant Hatchimonji | June 3, 2014
Though some basic security measures are available for protecting mobile credentials, many questions still remain in the relatively early stages of adoption.

The other side of the coin is that the threat landscape is constantly changing; the practice of using mobile credentials is only safe as long as the good guys can keep up.

"There are certainly major vulnerabilities, but we are tracking them on a day-to-day basis," says Asrar. "The problem is that it's like a cold war situation. The bad guys are constantly evolving and the security companies are also evolving, and we're trying to stay ahead of each other. It's an evolving field, so it's hard to say... we're focused on what was the vulnerability that got through. It really depends on that."

Also complicating matters is the fact that there are multiple ways in which mobile credentials are being used. Another popular use for storing one's credentials on a mobile device is banking and financial transactions, so it goes without saying that access control credentials aren't the only thing at risk.

To an extent, mobile wallets have some fail-safes built in to protect credentials. Some applications store the credentials on the device itself, but in encrypted form. Others, however, don't actually store users' banking information locally on the device.

"Some apps may have the ability to take the information and store it on the packet server, in case you're worried about the device going missing or getting stolen," says Asrar.

Similarly, banking credentials can be stored either in the cloud or on a secure element, much like access credentials. Even this approach, however, is not foolproof.

"[Storing information on the cloud] does ensure some security to some extent," says Asrar. "But it can be abused, and it comes down to what the transaction company has planned to protect users."

He adds that while security companies are constantly trying to determine which vulnerabilities were specifically targeted in these systems -- and subsequently patching them up -- consumers should also take basic steps to protect themselves. Security measures like installing anti-virus, immediately downloading updates, and not trying to bypass your company's security policies are all no-brainers.

While the banking data that the user enters can be secured in a number of ways, the actual application can be secured as well, says Zumerle. That way, attackers can't leverage it to fetch or record important data during transactions.

"There are certain methods you can deploy and there are vendors that supply solutions that you can embed into the app that have certain controls," says Zumerle. "For example, it can open the app in a sandbox for you and check to see if it is compromised. If it is, it will void the transaction or the application altogether."

As a similar preventative measure, many app developers are scrambling or encrypting their wallet apps before releasing them. This effectively prevents attackers from using reverse engineering to compromise the software and re-release it to the public under the false pretense of being a legitimate app.

 
