
Phones theft and payment apps: a closer look at security challenges

Banking and Finance Behavioural Biometrics Fraud & Scams

In an era where our phones control everything from home security to financial transactions, the vulnerabilities found in these devices become increasingly apparent. While traditional mobile device theft focused on the resale value of a stolen device, the real prize now lies in gaining access to the myriad apps that control our lives...and our money.

The lock screen, the initial line of defense, is the gateway to a plethora of applications. Unfortunately, many app developers concentrate on just their own application, focusing primarily on user experience and neglecting the broader mobile user experience and its security. Ensuring the app is easy to use helps drive user adoption, but the implications of poor user protections can have a long-term impact on brand and revenue.

The dilemma between convenience and security is obvious in app design. Most notably, payment apps tend to prioritize user convenience over stringent security measures. Strong verification processes are often lacking during app start-up or when users engage in high-risk activities like payments or changing user details. Take SMS OTPs, which are used in several ways, including authenticating a person on a device. Sending an OTP to a phone that is in the possession of an attacker, however, provides no security control at all.

The peril of unprotected apps

Thieves are now targeting devices with the understanding that important apps remain unprotected beyond the phone lock screen. Developers assume that Face ID or fingerprint scans suffice as validation, leaving users exposed when their phones are left unlocked or snatched while in use. We also know this reliance on device-native security in itself poses risk, as more than half (52%) of people don’t password protect their mobile devices.

Payment apps, holding direct access to bank accounts, emerge as a significant concern. While traditional banks invest extensively in balancing convenience and security, newer payment service apps often lack the sophistication required to fend off attackers. The majority of apps on our mobile devices rely on three approaches to security:

  • Device-level face / fingerprint verification: widely available on every new device, face ID is particularly growing in prominence due to its hands-free approach to unlocking our devices. However, not all devices are made equal. Some devices have depth perception and liveness checks, while others can be unlocked with a basic photo. This creates a unique problem when relying solely on device-native biometrics for account security.
  • PIN (Personal Identification Number): often a more UX-friendly approach than passwords, a PIN is probably the most common second layer of security, used as a fallback when device biometrics are not available or fail. However, a large proportion of users still use variations of 123456 as their PIN, making it inherently vulnerable as a security mechanism. A PIN is also vulnerable to social engineering or shoulder surfing when not backed by behavioral protections.
  • SMS OTPs: if someone has gained access to a victim’s device, many banks and payment apps use SMS OTPs as an extra layer of defense when making a transaction. However, these are sent to the very device that might be in the hands of the fraudster making the fraudulent transaction.

This all shows why we cannot rely on device security and traditional methods to protect payment and banking apps. Each application needs to consider the broader mobile experience and layer in protections, without making assumptions that the device is in the right hands.

We need to design with security in mind, in synergy with UX. This can be done passively, adding layers of security beyond the PIN that draw on device, location and behavior signals.
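To make the layering argument concrete, here is an added example of a step-up authentication policy for a payment app; it is illustrative code written for this page, not Callsign’s product or any real app’s logic. It encodes the points made above and in the earlier paragraph on high-risk activities: for payments and changes to user details, a device-level biometric unlock is not counted as proof of identity, an OTP delivered to the same device that is making the request is not counted either, a PIN on a weak-PIN list is rejected, and passive signals (behavior score, location) decide whether one explicit factor is enough. The `Request` fields, the 0.6 behavior threshold and the weak-PIN list are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Action(Enum):
    VIEW_BALANCE = "view_balance"
    PAYMENT = "payment"
    CHANGE_DETAILS = "change_details"


# The post names payments and changing user details as high-risk activities.
HIGH_RISK = {Action.PAYMENT, Action.CHANGE_DETAILS}

# Constructed denylist of trivially guessable PINs (the post cites "123456").
WEAK_PINS = {"1234", "0000", "1111", "123456", "000000", "111111"}

# Assumed threshold: below this the observed typing/tap/swipe pattern is not
# considered consistent with the enrolled account owner.
BEHAVIOUR_THRESHOLD = 0.6


@dataclass
class Request:
    action: Action
    session_device_id: str                   # device the request comes from
    unlocked_by_device_biometric: bool = False
    app_pin: Optional[str] = None            # app-level PIN entered, if any
    otp_received_on: Optional[str] = None    # device id the OTP was delivered to
    behaviour_score: float = 0.0             # 0..1, assumed behavioral model output
    known_location: bool = False


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    required: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    d = Decision(allow=False)

    # Low-risk actions: the lock screen (or app PIN) is an acceptable gate.
    if req.action not in HIGH_RISK:
        if req.unlocked_by_device_biometric or req.app_pin is not None:
            d.allow = True
            d.reasons.append("low-risk action; device or app unlock is sufficient")
        else:
            d.required.append("device unlock or app PIN")
        return d

    # High-risk actions: do not assume the unlocked device is in the owner's hands,
    # so the device biometric deliberately contributes nothing here.
    factors = 0

    if req.app_pin is not None:
        if req.app_pin in WEAK_PINS:
            d.reasons.append("app PIN is on the weak-PIN list; not counted")
        else:
            factors += 1
            d.reasons.append("app-level PIN accepted")

    if req.otp_received_on is not None:
        if req.otp_received_on == req.session_device_id:
            # An OTP delivered to the very device making the request proves
            # nothing if that device has been stolen.
            d.reasons.append("OTP delivered to the requesting device; not counted")
        else:
            factors += 1
            d.reasons.append("out-of-band OTP accepted")

    passive_ok = req.behaviour_score >= BEHAVIOUR_THRESHOLD and req.known_location
    d.reasons.append(
        "behavior and location consistent with the account owner"
        if passive_ok
        else "behavior or location inconsistent with the account owner"
    )

    # Policy: two explicit factors, or one explicit factor backed by agreeing
    # passive signals. Anything less triggers a step-up.
    if factors >= 2 or (factors == 1 and passive_ok):
        d.allow = True
    else:
        if factors == 0:
            d.required.append("app-level PIN or OTP to a different channel")
        if not passive_ok:
            d.required.append("verification on a different device or channel")
    return d


if __name__ == "__main__":
    # Constructed scenario: a thief holding an unlocked phone attempts a payment.
    stolen = Request(Action.PAYMENT, "phone-1", unlocked_by_device_biometric=True,
                     otp_received_on="phone-1", behaviour_score=0.2)
    print(evaluate(stolen))
```

The design choice worth noting is that the policy is written per action rather than per session: an app that accepted the lock screen at start-up still re-evaluates when the user reaches a payment or profile change, which is exactly the point at which the post says verification is usually missing.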

Global realities: instances of phone theft

Instances of attacks on payment apps are not isolated; they are a global phenomenon. In places like Brazil, thieves have exploited the vulnerability of individuals distracted or dependent on navigation apps while exploring a city, demonstrating the real-world implications of this security gap.

This is not just local to Brazil, of course. In the UK, a mobile phone is stolen in London every six minutes. And in one recent story a victim saw criminals access her bank accounts after they stole her phone from the gym. This same activity is trending upward in the United States as well.

Here in the US, Manhattan District Attorney Alvin Bragg and the Consumer Financial Protection Bureau (CFPB) are taking action against this security weakness. Bragg is pushing for meetings with major apps, demanding enhanced controls, while the CFPB is adopting a regulatory approach to ensure compliance with federal consumer protection laws.

In the meantime, individuals can take steps to enhance their own security: be aware of your surroundings, especially in public spaces, and consider additional protections for your most critical apps. Protections such as device-level and app-level PIN codes, or discreetly moving important apps, like payment apps, into hidden folders or renaming them, can deter potential threats.

A long-term solution for enhanced security

This is a use case that Callsign’s approach to security is specifically built to protect. Through a unique approach of passively identifying the genuine individual at the time of a transaction, Callsign strikes the balance between security and UX. Rather than building walls of security with MFAs, Callsign's approach ensures that the right user is recognized through their behaviors in the way they type, tap or swipe, naturally exposing and blocking fraudulent users.

As our phones evolve into indispensable hubs of control, the need for heightened security measures becomes imperative. By understanding the risks and implementing practical precautions, users can better navigate the evolving landscape of mobile security.
