Imagine some horrible criminal has stolen your banking app PIN and password. Chances are he’ll have a script on a browser somewhere entering the details into your account.
But what if the bank's security system could check whether the PIN was being entered on a mobile device? With real human fingers?
If it could detect whether the handset was moving slightly – as it would when a regular user enters their details – then the bot-based criminal would look very dodgy.
Well, this is exactly what InAuth’s tech does.
The mobile security specialist has developed an SDK that builds up a picture of how a device is used. And from this, it is able to flag up suspicious activity.
Its data points include accelerometer use (which tracks the movement of the phone). But this is merely one of hundreds.
The firm’s UK EVP is Ed Hodges. He chatted to Hot Topics…
What is the basic idea of InAuth?
Basically, InAuth is a mobile identity and risk platform. It uses a small SDK that creates a device identity, checks the integrity of the device, and also looks for irregular patterns that might suggest suspicious usage.
One of our core capabilities is our ability to create a permanent device ID. So, even if a fraudster wipes a handset and reinstalls the operating system, we can still identify it and know that it’s a compromised device.
OK, so how does it do this?
On a mobile device, we identify a huge number of data points that can be analysed to know and recognize the device. We can even identify the riskiness of a device the first time we see it.
For example, a fraudster will alter a mobile device or install an app to hide suspicious elements; we can detect those anomalies, and conclude ‘this has got crimeware on it’ or ‘this is not the way this device normally behaves’.
What’s an example of a data point?
Take the accelerometer. If we detect that the handset never moves, that suggests that there’s a script that’s firing compromised account details. After all, it’s virtually impossible to enter a PIN and password without moving the handset in some way.
We also provide deep location look-up to assess whether the device is being used in a region associated with fraud. Or we can cross-reference to confirm that the device is located where it claims to be located.
Battery life is another useful mobile security data point. If it's constantly at 100 per cent, it's highly likely that the mobile device is part of an organized bot farm, always plugged in.
We can also check elements such as the OS language. So, while the browser may be configured in English, the OS language could reflect something different and risky. That’s another flag for us.
How is your approach different from other anti-fraud specialists?
Other mobile security providers tend to come from a browser background and they look at how the browser behaves in the mobile space.
We look at it from the device’s point of view.
So traditional approaches collect 20+ data points, compared to the 1400 data elements we capture and analyse. Essentially, we identify good and returning devices and we isolate suspicious devices.
So what’s the standard security approach of banks and e-commerce providers?
To date, they’ve been very focused on PIN and password protection. We don’t even think about PINs and passwords because they’re so easily attacked.
To use an analogy, banks are focused on building walls around their castle. But there has to be a gatehouse to let people in. So when a fraudster arrives at the gatehouse with stolen details, the bank can’t recognize this and drops the drawbridge – and in they come.
What we do is put sensors on the drawbridge and ask ‘is this the person’s correct gait and weight that’s unique to them?’ as they cross the bridge.
These are things that ignore the stolen details but still enable us to identify you.
Why are PINs and passwords so weak?
Passwords themselves aren’t the problem – it’s that the credentials are constantly being compromised on non-mobile devices with malware and phishing.
Alongside data breaches, criminals are also getting better at social engineering. They can browse your social history and communicate as if they know you.
Even if you stop short of giving out your PIN and password, they may have gathered enough info about you to represent you when talking with the bank or they pretend to be the bank and ask you for more of your personal details.
So what will work better than passwords?
A multi-layered approach combining the best security features with the most secure technology.
Longer term, biometrics could play a role in mobile security. Again, though, they can be vulnerable. There is always the potential that hackers will wait for biometrics to be digitised and then steal the ones and zeroes instead. So my hunch is that behavioural biometrics will have the most potential.
Behavioural biometrics such as…
There are ideas around detecting how you move your finger across a screen, for example. If you’re given a word to enter, there’s a particular unique way you’d do it with angles and pressure.
If you change the words regularly, that could be pretty secure.
It's the same with voice. If a system can identify a unique voice and associate that with a password only you know, and then combine that with the kind of on-going device protection InAuth provides, you have a very strong three-factor set-up.
How many live services are running InAuth services?
Many of the top ten banks in the US are working with us. We are also engaged in the merchant and mobile wallet industries.
What happens when a user buys a second hand device? Doesn’t that mess up your systems?
No, because roughly 70 per cent of what we pick up tells us immediately whether there could be an issue.
To explain, when you buy a second hand phone you will set it up how you want it. For instance, maybe updating the OS, assuming you’re at the installation stage.
Basically, you’ll make it yours, and you’ll load up a regular number of apps, be active in a location not associated with mobile security fraud, have variable battery life and so on.
We can conclude almost immediately that this device is associated with legitimate activities and that you’re a regular user.
What about rooted devices?
We are very good at detecting rooted or jailbroken devices, and then it’s up to the customer’s own policies whether they will allow their apps to be used with that device.
A rooted or jailbroken device isn’t always an indicator of fraud, but it is a factor that should be taken into consideration and compared to other data elements when profiling a customer.
Ultimately, we have a permanent device ID, so even if a fraudster wipes it, we can still identify it and know that it’s a known compromised device.
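The signals Hodges lists through the interview (a handset that never moves while a PIN is typed, a battery pinned at 100 per cent, an OS language that disagrees with the browser's, root status treated as a weighted factor rather than a verdict) combine naturally into a device risk score. The sketch below is an added illustration written for this page, not InAuth's SDK or any of its code; the signal names, weights, thresholds and the sample telemetry are all constructed assumptions, and it leaves out the permanent device ID the interview describes because the article gives no detail on how it is derived.

```python
"""Toy device-risk scorer built from the signals discussed in the interview.

Everything here is constructed for illustration: the signal names, weights,
thresholds and sample telemetry are assumptions, not InAuth's SDK or data.
"""
from dataclasses import dataclass
from statistics import pvariance

# Assumed tuning constants (not from the article).
MOTION_VARIANCE_FLOOR = 1e-4   # summed per-axis variance below this = "handset never moves"
MIN_BATTERY_READINGS = 3       # need a short history before calling the battery "pinned"
WEIGHTS = {
    "no_handset_motion": 40,
    "battery_pinned_100": 20,
    "os_browser_lang_mismatch": 15,
    "rooted_or_jailbroken": 10,   # a factor to weigh, not a verdict, as Hodges says
    "accel_data_missing": 5,      # absent sensor data is itself mildly suspicious
}


@dataclass
class DeviceTelemetry:
    """Signals captured during a single PIN/password entry (constructed schema)."""
    accel_samples: list          # (x, y, z) accelerometer readings in m/s^2 while the user types
    battery_pct_history: list    # battery percentage at recent check-ins
    browser_lang: str            # e.g. "en-US"
    os_lang: str                 # e.g. "ru-RU"
    rooted: bool = False


def motion_variance(samples):
    """Sum of the per-axis population variances; 0.0 means the handset sat perfectly still."""
    if len(samples) < 2:
        return None  # not enough data to say anything about motion
    return sum(pvariance(axis) for axis in zip(*samples))


def lang_family(tag):
    """'en-GB' -> 'en', so regional variants of one language do not trip the check."""
    return tag.split("-")[0].lower()


def score_device(t):
    """Return (risk_score, reasons) for one telemetry snapshot."""
    reasons = []

    var = motion_variance(t.accel_samples)
    if var is None:
        reasons.append("accel_data_missing")
    elif var < MOTION_VARIANCE_FLOOR:
        reasons.append("no_handset_motion")

    hist = t.battery_pct_history
    if len(hist) >= MIN_BATTERY_READINGS and all(p == 100 for p in hist):
        reasons.append("battery_pinned_100")

    if lang_family(t.browser_lang) != lang_family(t.os_lang):
        reasons.append("os_browser_lang_mismatch")

    if t.rooted:
        reasons.append("rooted_or_jailbroken")

    return sum(WEIGHTS[r] for r in reasons), reasons


def risk_decision(score):
    """Map a score to an action; the thresholds are assumptions."""
    if score >= 50:
        return "step-up"   # e.g. require an out-of-band second factor
    if score >= 20:
        return "review"
    return "allow"


# Constructed sample telemetry (not real captures).
HUMAN = DeviceTelemetry(
    accel_samples=[(0.12, 9.71, 0.33), (0.09, 9.80, 0.41), (0.15, 9.66, 0.28),
                   (0.11, 9.77, 0.36), (0.08, 9.74, 0.39)],   # small jitter from real fingers
    battery_pct_history=[87, 85, 83, 84, 100],
    browser_lang="en-GB", os_lang="en-GB",
)
BOT_FARM = DeviceTelemetry(
    accel_samples=[(0.0, 9.81, 0.0)] * 5,    # racked handset: identical readings every time
    battery_pct_history=[100, 100, 100, 100, 100],
    browser_lang="en-US", os_lang="ru-RU",
)
ROOTED_REGULAR = DeviceTelemetry(   # power user on a rooted phone, otherwise normal
    accel_samples=HUMAN.accel_samples, battery_pct_history=[64, 59, 91, 88],
    browser_lang="de-DE", os_lang="de-AT", rooted=True,
)

if __name__ == "__main__":
    for name, dev in (("human", HUMAN), ("bot_farm", BOT_FARM), ("rooted_regular", ROOTED_REGULAR)):
        score, reasons = score_device(dev)
        print(f"{name:15} score={score:3d} decision={risk_decision(score):8} reasons={reasons}")
```

The rooted-but-regular device is the point Hodges makes about root status: it adds weight without tipping the decision on its own, while the racked handset trips three independent signals at once, which is what makes a device-side view harder to fake than a single stolen credential.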