In a mobile security report, a significant number of Android users said they make use of one-time passwords (OTPs) for mobile banking, but experts believe an over-reliance on the authentication measure is exposing consumers to fraud.
On Monday, a report (PDF), called “Smartphones, Tablets, and Fraud: When Apathy Meets Security,” was released, revealing that 41 percent of Android users utilized OTPs to manage their financial accounts last year. While one-time passwords are meant to thwart attacks that take advantage of static passwords, such as replay attacks, cybercriminals have adapted crafting mobile malware capable of intercepting the unique passwords used to complete transactions.
“Besides being able to access a device's internal storage, some mobile malware (such as the Bugat trojan or the mobile variant of the formidable Zeus trojan, called ZitMo) can capture and redirect SMS texts, allowing criminals to circumvent authentication schemes that rely on this channel to deliver one-time passwords,” the report explained.
The study, conducted by Javelin Strategy & Research and sponsored by online authentication solutions firm Nok Nok Labs, polled more than 5,600 U.S. adults in 2013 to determine their mobile habits on Android, iOS and Windows devices.
While mobile users' “heavy reliance on one-time passwords,” was named as a major concern for Android users, the report noted that both iOS and Android users “face a significantly higher rate of fraud than the average consumer” – though the contributing factors leading to fraud differed.
Interestingly enough, the study found that, despite the plethora of malware targeting Android devices, more iOS users experienced identity fraud in the 12 month period leading up to the survey. The gap was slight, but 7.3 percent of iOS users fell victim to identity fraud, while 7.1 percent of Android users did in the same time period.
“Users in both camps display similarly poor password and security habits, which are contributing to their risk of being victimized,” the report said. “More specifically, it is mobile malware that is spurring the fraud experienced by Android users, while the attractiveness of iOS users' income has placed them in the crosshairs of fraudsters.”
Al Pascual, senior analyst of fraud and security at Javelin, told SCMagazine.com in a Monday interview that attackers targeting Apple users may be taking advantage of a number of factors to commit fraud, from weaknesses in encryption to use of weak passwords or users connecting to unsecured Wi-Fi networks.
“For Android [users], it was kind of easier to connect the security behaviors to fraud,” Pascual said. “iOS [devices] are not malware proof, but the total number of iOS malware is teeny compared to what we see on Android. Attackers are opportunistic and demographics are a driver," he added.
Providing recommendations to thwart fraud, Javelin advised that mobile consumers be educated on authentication alternatives, such as biometric technology to secure their data. (Fingerprint authentication, for instance, was found to be the most preferred biometric option for Android, iOS and Windows users in the report). The use of comprehensive mobile security software was also advocated in the report, and experts recommended that users avoid sending OTPs by SMS or email, when possible.