The increased use of mobile devices highlights the tension between the ease of performing common tasks and the importance of maintaining an adequate level of security. Mobile phones and tablets increasingly feel like extra body parts, and forgetting your device or going for a while without it can feel like nakedness or a minor handicap. We rely on immediate access to services and information, but social engineering schemes show that spear phishing attacks are becoming more successful precisely because we are now always connected. Symantec research engineer Slawomir Grzonkowski describes a new type of spear phishing attack targeting mobile users: the attacker triggers the email provider's password recovery flow for the victim's account, which causes the provider to send a single-use reset code to the victim's mobile phone. The victim then receives a fake notification by text message claiming that Google has noticed unauthorized access to the account and asking the user to text back the reset code they have just received from the email provider. Symantec researchers note that Gmail, Hotmail and Yahoo mail users are the most frequent victims of this type of attack.
Even though an out-of-band second channel is supposed to prevent this kind of account hijacking, email providers still rely on secrets that are delivered and entered as text, whether a password or a code sent by email or SMS. As long as they do, the overall level of security cannot rise above the intrinsic vulnerability of text-based authentication: the reset code is a bearer secret, and the provider cannot tell whether the party presenting it read it from the phone or was talked into handing it over. The principle is simple: if a password can be shared (or typed), then it can be stolen.
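The exchange described above, played out end to end, as an added example that is not code from Symantec, Slawomir Grzonkowski or the page's author. The provider, the account, the phone numbers and the wording of the texts are all constructed for the demo; `IdentityProvider` and `SmsNetwork` are toys and do not model any real email provider's API or carrier. The point the simulation makes is the one in the paragraph: the provider's check is correct and the code is single-use, yet the attacker still ends up owning the account because the victim relayed the code.

```python
"""Simulation of the SMS reset-code relay: attacker triggers a real reset,
then socially engineers the victim into texting the code back."""
import hmac
import secrets
from dataclasses import dataclass, field


class SmsNetwork:
    """Constructed stand-in for the carrier: each text is (sender, recipient, body)."""

    def __init__(self):
        self.messages = []

    def send(self, sender, recipient, body):
        self.messages.append((sender, recipient, body))

    def inbox(self, recipient):
        """Texts addressed to `recipient`, oldest first, as (sender, body)."""
        return [(s, b) for s, r, b in self.messages if r == recipient]


@dataclass
class Account:
    password: str
    phone: str


@dataclass
class IdentityProvider:
    """Toy provider whose password reset is confirmed by a single-use SMS code."""
    accounts: dict
    network: SmsNetwork
    sender_id: str = "PROVIDER"
    pending: dict = field(default_factory=dict)  # username -> outstanding code

    def request_reset(self, username):
        # Anyone who knows the username can start this; nothing proves the
        # requester owns the account. The code goes to the registered phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        self.network.send(self.sender_id, self.accounts[username].phone,
                          f"Your verification code is {code}")

    def complete_reset(self, username, code, new_password):
        # The code is a bearer secret: the provider cannot tell whether the
        # party presenting it read it off the phone or was told it by the owner.
        expected = self.pending.get(username)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[username]  # single use, so a replay fails
        self.accounts[username].password = new_password
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct.password, password)


def victim_replies_to_alert(network, victim_phone, provider_id):
    """The victim sees a genuine code, then an urgent alert, and texts the code back."""
    inbox = network.inbox(victim_phone)
    alert_sender, _ = inbox[-1]  # most recent text is the forged alert
    real_code = next(b.split()[-1] for s, b in reversed(inbox) if s == provider_id)
    network.send(victim_phone, alert_sender, real_code)


def relay_attack(idp, username, attacker_phone):
    """Attacker knows only the username and the victim's phone number (assumed learned elsewhere)."""
    victim_phone = idp.accounts[username].phone
    # 1. Trigger the provider's legitimate reset flow for the victim's account.
    idp.request_reset(username)
    # 2. Immediately follow it with a forged "security alert" from the attacker's own number.
    idp.network.send(attacker_phone, victim_phone,
                     "Google has detected unauthorized access to your account. "
                     "Reply with the verification code you just received to stop it.")
    # 3. The victim, seeing a genuine code followed by an alarming text, replies with it.
    victim_replies_to_alert(idp.network, victim_phone, idp.sender_id)
    # 4. The attacker reads the relayed code and redeems it against the real provider.
    _, stolen_code = idp.network.inbox(attacker_phone)[-1]
    return idp.complete_reset(username, stolen_code, "attacker-chosen")


if __name__ == "__main__":
    net = SmsNetwork()
    idp = IdentityProvider({"alice": Account("correct horse", "+15550001")}, net)
    print("takeover succeeded:", relay_attack(idp, "alice", "+15559999"))
    print("attacker can log in:", idp.login("alice", "attacker-chosen"))
```

Note what does not help here: the code is random, compared in constant time and consumed on first use, and the reset was delivered over a second channel. None of that matters once the only secret in the flow is a short string the legitimate user can read out to someone else.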
The smartphone, with all its computing power and graphical interface, should not be limited to a 1960s mainframe level of security. A touchscreen computing world is ready for a next generation of security based on authentication credentials that cannot be shared or stolen. This is the core value proposition of Tricerion: image-based passwords offer better security without compromising usability. A password reset can generate a one-time keypad of images, so there is no textual code for the user to read back to an unauthorized third party. Phishing is best prevented with strong authentication that removes the attack, not by simply adding more layers of weak security mechanisms.