5 Critical Strategies for Mobile Banking Security
4. Device-Level Protection: Dusting for Device Fingerprints
Banks and their service providers are under competitive pressure to develop applications for all of the major mobile ecosystems.
The good news is that making cross-platform mobile applications has gotten slightly easier over the short history of mobile development. “A few years ago financial institutions would have to perform integration for each platform,” says Mercator’s O’Brien. “Now, apps are being written to a platform level, where if you write for one, you can extend it with some minor adjustments to another.” The bad news is that you still have to customize security for each platform, and the approaches you need to take will be much different from what works on the website.
Banking websites commonly create a unique device identification token for each computer that accesses the site, built from the attributes the browser exposes, and store it against the customer’s profile. On the next login the site can then tell whether the customer is using a PC it has not seen before. If so, it may require answers to additional challenge questions or auxiliary authentication over an out-of-band channel before granting access.
However, the absence of Flash on Apple iOS makes this technique much harder to accomplish, because the Flash plugin was one of the main sources of the attributes (notably the installed-font list) that Web fingerprinting scripts rely on. “It’s extremely difficult to generate a reliable device identification token on an iPhone, because the browser and the environment will not let you access anything deeper into iOS, such as screen resolution, installed software, installed fonts, time zones and various other things that are normally invisible to the user,” says Forrester’s Cser. “The iPhone is more secure, but it also represents a big headache when trying to develop a device fingerprint.”
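The token-and-step-up logic described above, including the iOS case where too few attributes are observable to mint a reliable token, as an added Python example. This is not code from the article or from any bank or vendor it quotes; the attribute names, the keyed-hash scheme, the minimum-attribute rule and the two sample profiles are assumptions constructed for illustration.

```python
"""Device identification token and step-up decision.

Added example, not code from the article or from any vendor it quotes.
Assumptions (not in the original): the attribute names, the keyed-hash
scheme, the minimum-attribute rule and the two sample profiles below are
constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import List, Optional

# Attributes a Web fingerprinting script commonly collects (the article names
# screen resolution, installed software, installed fonts and time zones).
FINGERPRINT_FIELDS = (
    "user_agent",
    "language",
    "screen_resolution",
    "time_zone",
    "installed_fonts",
    "installed_plugins",
)

# Assumption: refuse to mint a token from fewer than this many attributes;
# a near-empty fingerprint would collide across many devices.
MIN_POPULATED_FIELDS = 4

# Assumption: a server-side secret so the token cannot be recomputed by
# anyone who merely observes the raw attributes.
SERVER_KEY = b"constructed-key-for-this-example-only"


def device_token(attrs: dict, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return a keyed hash over the observable attributes, or None when too
    few attributes were collectable to form a reliable token."""
    present = {f: attrs[f] for f in FINGERPRINT_FIELDS if attrs.get(f) is not None}
    if len(present) < MIN_POPULATED_FIELDS:
        return None
    # Canonical encoding so the same attributes always hash the same way.
    canonical = json.dumps(present, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def login_decision(known_tokens: set, attrs: dict) -> dict:
    """Decide whether this login must pass additional authentication.

    known_tokens holds the tokens previously enrolled for the customer.
    """
    token = device_token(attrs)
    if token is None:
        # The iOS Safari case from the article: nothing reliable to compare,
        # so always step up.
        return {"token": None, "step_up": True, "reason": "fingerprint_unavailable"}
    if token in known_tokens:
        return {"token": token, "step_up": False, "reason": "known_device"}
    return {"token": token, "step_up": True, "reason": "new_device"}


def enroll(known_tokens: set, token: Optional[str]) -> None:
    """Record a device once the customer has passed the step-up challenge."""
    if token is not None:
        known_tokens.add(token)


# Constructed sample profiles (not real captures).
DESKTOP_PROFILE = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
    "language": "en-US",
    "screen_resolution": "1920x1080",
    "time_zone": "UTC-5",
    "installed_fonts": "Arial;Calibri;Verdana",
    "installed_plugins": "Shockwave Flash;Java",
}
# Only what the article says iOS Safari exposes: no fonts, plugins,
# resolution or time zone.
IOS_SAFARI_PROFILE = {
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3 like Mac OS X) Safari/6533.18.5",
    "language": "en-US",
}


def demo_sequence() -> List[str]:
    """First desktop login, second desktop login, then an iPhone login;
    returns the three decision reasons."""
    known = set()
    first = login_decision(known, DESKTOP_PROFILE)
    enroll(known, first["token"])          # customer answered the challenge
    second = login_decision(known, DESKTOP_PROFILE)
    iphone = login_decision(known, IOS_SAFARI_PROFILE)
    return [first["reason"], second["reason"], iphone["reason"]]


if __name__ == "__main__":
    print(demo_sequence())
```

Because the token is an exact hash, any change to a single attribute (a new monitor resolution, a freshly installed font) looks like a new device and triggers a step-up; production fingerprinting systems usually tolerate that drift by scoring attribute matches rather than comparing one hash.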
Apple’s restrictions, adopted ostensibly to protect users’ privacy from third-party ad networks, have had unintended consequences for fraud prevention. “Some things that are very effective for fraud prevention are not possible, by technology or by policy, in mobile,” says Aite’s Conroy-McNelley. “There are other unique properties associated with mobile devices, but it requires app makers to get closer to the telecom providers.”
By contrast, Android supports the Flash plugin, so the same Flash-based fingerprinting used on the Web can produce a unique device identification token. The trade-off is that Android places fewer policy restrictions on the apps that can be installed. “It’s so open and so popular that it has become an attractive target for malware,” says Conroy-McNelley. “Apple has a safer environment at this point in time, but it doesn’t mean that someone who’s using an iPhone should feel that they’re immune from malware.”
One thing that banks are generally able to detect is whether the customer’s iPhone is jailbroken; in other words, whether its owner has obtained root access in order to install applications and services from outside the Apple App Store (a rooted Android device is the equivalent). “It’s a lot harder to secure a jailbroken iPhone or an Android phone,” says Cser. “If you want to secure it you have to install some sandboxes or additional software, which your customers may not tolerate or like at all.”
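The jailbreak and root detection the paragraph above refers to, as an added Python example that is not code from the article or from any bank or vendor it quotes. On a real device these probes are stat() and fopen() calls in the app’s native code; here the file-system probes are injected so the logic runs anywhere, and the constructed device images stand in for a stock phone, a jailbroken phone and a rooted Android. The artifact paths are well-known indicators, but the scoring threshold and the “restrict rather than block” policy are this example’s own choices.

```python
"""Jailbreak / root indicator check and the access decision it feeds.

Added example, not code from the article or from any bank or vendor it
quotes. Assumptions (not in the original): the file-system probes are
injected (on a device they are stat()/fopen() calls in native code), the
device images are constructed, and the threshold and policy names are
this example's choices. A jailbroken device can hide every one of these
artifacts, so the result is a risk signal, not proof.
"""
from typing import Callable, List, Tuple

# Files and directories a stock iOS install does not have and that the
# common jailbreak tools leave behind.
IOS_JAILBREAK_ARTIFACTS = (
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
)
# Rooting leaves a su binary and usually a management app.
ANDROID_ROOT_ARTIFACTS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
)
# A sandboxed iOS app cannot create files outside its container; if this
# write succeeds the sandbox is not intact.
IOS_SANDBOX_PROBE = "/private/jailbreak_probe.txt"

Exists = Callable[[str], bool]
CanWrite = Callable[[str], bool]


def tamper_indicators(platform: str, exists: Exists, can_write: CanWrite) -> List[str]:
    """Return the indicators observed on the device (empty list if none)."""
    if platform == "ios":
        found = [p for p in IOS_JAILBREAK_ARTIFACTS if exists(p)]
        if can_write(IOS_SANDBOX_PROBE):
            found.append("sandbox-write:" + IOS_SANDBOX_PROBE)
        return found
    if platform == "android":
        return [p for p in ANDROID_ROOT_ARTIFACTS if exists(p)]
    raise ValueError("unknown platform: " + platform)


def access_policy(indicators: List[str]) -> str:
    """Map indicators to a policy. A single hit is treated as a risk signal
    rather than proof, so the app degrades instead of refusing outright."""
    if not indicators:
        return "full_access"
    if len(indicators) == 1:
        return "restricted_access"   # e.g. balances only, no transfers
    return "deny"


# Constructed device images: the set of paths that "exist" on each device.
STOCK_IPHONE = frozenset({"/Applications/MobileSafari.app", "/usr/lib/libSystem.B.dylib"})
JAILBROKEN_IPHONE = STOCK_IPHONE | {"/Applications/Cydia.app", "/bin/bash", "/etc/apt"}
ROOTED_ANDROID = frozenset({"/system/bin/sh", "/system/xbin/su"})


def probes_for(image: frozenset, sandbox_broken: bool) -> Tuple[Exists, CanWrite]:
    """Build (exists, can_write) probes over a constructed image."""
    return (lambda path: path in image), (lambda path: sandbox_broken)


def assess(platform: str, image: frozenset, sandbox_broken: bool = False) -> str:
    """Run the indicator check over an image and return the policy outcome."""
    exists, can_write = probes_for(image, sandbox_broken)
    return access_policy(tamper_indicators(platform, exists, can_write))


if __name__ == "__main__":
    for name, plat, img, broken in (
        ("stock iPhone", "ios", STOCK_IPHONE, False),
        ("jailbroken iPhone", "ios", JAILBROKEN_IPHONE, True),
        ("rooted Android", "android", ROOTED_ANDROID, False),
    ):
        print(name, "->", assess(plat, img, broken))
```

Keeping the policy graduated matters for the point Cser makes: customers with a jailbroken phone will not tolerate being locked out, so most banks limit what such a device can do (view balances, no transfers) rather than refusing to serve it, and treat the indicator as one input to a risk score alongside the device token.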