The BadNews virus’ now-infamous infiltration of the Google Play store is just one example of how security isn’t keeping up with innovations in online and mobile technology. BadNews is particularly interesting because it used a relatively new mobile phenomenon – an app store – to exploit an aging and oft-targeted channel, Premium SMS. Do a quick search for terms like “site hacked” and it becomes obvious that the authentication schemes online services utilize to protect their users are too easily compromised. When Wall Street suffered a flash crash because the Associated Press’s Twitter account was hijacked, it became abundantly clear that better security mechanisms are needed now. Despite possible patent infringement issues, Twitter announced that it will institute out-of-band authentication (OOBA) to shore up its login process. OOBA lends itself extremely well to a society where practically everyone has a mobile device – an out-of-band authentication channel – in hand at all times. Because it seems like OOBA will be widely adopted, it may be a service (OOBAaaS) from which mobile operators could generate substantial revenue on the B2B side of the two-sided business model.
Why CSPs Should Care
The Premium SMS vulnerability that BadNews exploited is of particular concern to CSPs because it’s essentially a back door into telco billing systems. It is one of the few channels in widespread use by which third parties can send charges directly to subscribers’ wireless bills. But with increasing interest in mobile payments and direct operator billing, it’s obvious that we need better security mechanisms to protect users and CSPs from abuse by outsiders and wrongdoers. We can’t afford to have mobile payments and services like social sharing of mobile data (i.e. send your remaining data allotment to a friend) compromised if we want them to blossom into new, high value revenue streams. Furthermore, if trust is an asset, as we’ve argued many times here in BillingViews, then CSPs must both defend and leverage their position as keepers of the public trust.
How Out-of-Band Works
StrikeForce Technologies is an emerging company with a big patent. It holds the patent for “Multichannel Device Utilizing A Centralized Out-of-Band Authentication System (COBAS)”; put more simply, if you want to do out-of-band authentication with a mobile device, you need to talk to these guys. In concept, how it works is relatively simple. Picture yourself logging into a social network like Twitter, Pinterest, or Facebook. Now, consider that there’s an increasing trend to use something called “linked authentication;” this is a form of single sign-on where online services will permit user access based on the authenticated credentials from a site like Facebook or Twitter. In other words, if someone hacks your Twitter account, they might also be able to access your eWallets across a host of shopping sites and wreak havoc on your credit cards.
Instead of just using a simple, easy-to-hack username-password combination, OOBA uses a separate channel to authenticate a user. It might dial a call or send a text message or email to a user’s wireless phone and would require an authentic response in order to permit the login to proceed. The same concept could extend to any transaction being conducted after initial authentication; in other words, you may be logged into Twitter, then try to buy something on another site that logs you in based on your Twitter authentication. To complete the purchase and authorize the transaction, an OOBA process would be triggered.
“This additional step would increase the chance of not being the next reported data breach by over 80 percent, as stated in Verizon’s 2013 Data Breach Investigations Report,” says StrikeForce’s CEO Mark Kay. He adds that, as The Guardian recently reported, more than a billion OOBA transactions are already processed every week. The approach became far more popular after RSA was breached in March 2011 and companies realized that security tokens, while two-factor, use codes that are too easy for hackers to predict and, for that reason, are highly vulnerable. OOBA, on the other hand, uses “OATH compliant one time passwords which are 100 percent random,” explains Kay.
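The flow described above (a one-time code sent over a second channel, bound to one specific login or transaction, and accepted only once, using the kind of OATH one-time password Kay mentions) as an added illustration; this is not StrikeForce’s or the page’s own code. The HOTP routine follows RFC 4226; the server class, event names, seed value and delivery callback are assumptions made for the example.

```python
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OobaServer:
    """Hypothetical verifier: issues a code over a second channel and ties it to one event."""

    def __init__(self, ttl_seconds: int = 120, max_attempts: int = 3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}  # user -> state of the single outstanding challenge

    def start(self, user, secret, counter, event, sender, now=None):
        now = time.time() if now is None else now
        code = hotp(secret, counter)
        # 'sender' stands in for the out-of-band channel (SMS, voice call or e-mail).
        sender(user, f"Confirm '{event}' with code {code}")
        self.pending[user] = {"code": code, "event": event,
                              "expires": now + self.ttl, "tries": 0}

    def confirm(self, user, event, code, now=None) -> bool:
        now = time.time() if now is None else now
        state = self.pending.get(user)
        if state is None or now > state["expires"]:
            self.pending.pop(user, None)  # expired or never issued
            return False
        state["tries"] += 1
        # The code must match AND be used for the event it was issued for.
        ok = state["event"] == event and hmac.compare_digest(state["code"], code)
        if ok or state["tries"] >= self.max_attempts:
            del self.pending[user]  # single use: consumed or exhausted codes are discarded
        return ok


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the phone receiving the message
    srv = OobaServer()
    seed = b"12345678901234567890"  # constructed seed (the RFC 4226 test-vector secret)
    srv.start("alice", seed, 0, "login", lambda u, m: outbox.append(m))
    print(outbox[-1], srv.confirm("alice", "login", outbox[-1][-6:]))
```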
Though increasingly applied for security, OOBA should make sense for financial transactions as well. In 2011, Forbes reported that credit card fraud alone was a $190 billion problem. More recently, Practical eCommerce reported that for every $1 million in revenue generated, online retailers lose at least $9,000.00 to various forms of fraud, particularly credit card fraud and identity fraud due to stolen credentials.
The beauty of out-of-band authentication, and the reason it is needed, is that it’s very difficult to defeat. Login-password combinations, and now security tokens like RSA’s, are child’s play for hackers. These linear approaches are relatively easy to defeat; once a hacker breaches the perimeter, there’s virtually no looking back. But while out-of-band uses technology, it’s really more of a philosophy that’s tough to defeat: make sure the user is who the user claims to be. Though no mechanism can be perfect, there is some simple wisdom in an idea that says, “unless you call me on my phone and confirm that I’m the one who is logging in, don’t permit the login.”
Naysayers will argue that there are all sorts of ways to defeat this concept, but the bottom line is that there are many fewer ways to defeat it than there are to defeat passwords, and those ways are complex enough to turn off all but the more, or most, committed perpetrators. StrikeForce’s Kay adds that keystroke encryption, as a complement to OOBA, would fill “the security gap any authentication product might have” and would “prevent over 90 percent of the data breaches” identified in Verizon’s report (StrikeForce also provides real-time keystroke encryption and anti-keylogging technology).
CSPs’ OOBA Revenue Play
If the mobile device is part of the security scheme, it adds value to all of the things a mobile operator knows about a device at any given time – where it is, how it’s being used, and whether or not it is allowed to connect with the network. That puts the CSP in an even better position to secure the out-of-band authentication device; detect fraudulent usage patterns that may point to a compromised device; shut down a device that has been stolen or forged; and follow up with customers directly to inform them that their interests are being protected by – who else – the worthy keeper of the public trust.
In other words, out-of-band authentication is not just something a mobile operator should use to protect its customers, services, and billing infrastructure; it is a value-added service it can offer to anyone in the digital economy that relies on mobile access to engage users and conduct transactions. As Kay notes, that ultimately includes “every enterprise and consumer across the globe.” Even if that’s a slight overstatement, it would seem like the potential addressable market to which CSPs could deliver “OOBAaaS” is as large as the global mobile market itself.