SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Why relying on your mobile to access your online accounts is a risky approach

Thu, 17th Nov 2022

We rely on our mobile devices to work, communicate, keep us entertained, do our banking and they even provide different ways to access our online accounts. It is like a digital data extension of us that provides us with convenience and a sense of security – until it is broken, lost or even worse, stolen.

The recent State of Global Enterprise Authentication Survey 2022 found that nearly 40% of its 16,000+ respondents admitted to having broken their mobile phone within the last two years, and nearly 30% to having lost theirs.

Whilst mobile devices have many uses and provide much convenience, they were not created for online security purposes. The perception that a mobile is a reliable and secure means of authenticating account logins is one that needs to change.

It is easy to understand why many of us assume this: mobile-based authenticators are the tools organisations most commonly offer to employees, so they come to be accepted as a secure method of authentication both at work and in our personal lives.

Many companies still use legacy authentication methods, such as passwords or mobile-based authenticators, to secure access to sensitive applications and data. It was concerning to discover in the State of Global Enterprise Authentication Survey 2022 that 62% of the respondents said the primary way they accessed business accounts was via their mobile, with either One Time Password (OTP)/Push Authenticator apps or Mobile SMS-based authentication. 

Mobiles are great devices to have, but from a data protection and cybersecurity perspective their problem is that mobile-based authentication, whether SMS codes, one-time passwords (OTP) or authenticator apps, is highly susceptible to phishing: the code or approval a user supplies carries nothing that ties it to the genuine site, so it works just as well when entered on a fake one.

Another limitation is that there are secure workplace environments where mobile authentication is simply not possible, due to a lack of mobile coverage or security restrictions. These include call centre environments, manufacturing shop floors, financial trading desks, energy control rooms and distribution centres.

According to the ACCC's Scamwatch statistics, for the nine-month period between January and September 2022, over 50,000 cases of phishing attacks were reported, worth almost $14 million. 

Recent high-profile corporate phishing attacks include those at Uber and Twilio, which fell victim to simple social engineering tactics: attackers gained easy access through persistent, repeated text messages or two-factor authentication (2FA) push notification requests.

In these cases, experts cited a breakdown in the security culture within these organisations and the targets' lack of knowledge about how to verify whether a person or a website is who they claim to be.

Not all multi-factor authentication (MFA) methods are created equal. Modern methods such as security keys are phishing-resistant, and the ACSC recommends them as the most secure form of MFA. The tech giants are backing this move too.

Microsoft recently announced the release of three new solutions that enable organisations to deploy Azure Active Directory (Azure AD) to fight phishing attacks in Azure, Office 365 and remote desktop environments. One of the solutions introduces new authentication policies, including phishing-resistant MFA. This new feature enables organisations to fight phishing attacks by implementing specific user authentication policies.

Companies can restrict authentication methods to those that meet their requirements. This includes allowing enterprises to require security keys for phishing-resistant MFA, whether through FIDO-based passwordless authentication (FIDO2/WebAuthn) or certificate-based authentication, and to enforce that security keys are the only authentication method allowed. That removes an entire attack vector for users and safeguards their most critical assets.
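What makes a FIDO2/WebAuthn security key phishing-resistant, where an OTP is not, is that the browser writes the page's real origin into the signed data and the server checks it. The Python below is an added illustration, not code from the article or from Microsoft, Google or any other vendor it mentions: it models the relying-party side of a WebAuthn login ceremony. The RP ID, origin, credential id and challenge values are constructed for the example, and an HMAC with a shared key stands in for the authenticator's real ECDSA/EdDSA signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os
import struct
from dataclasses import dataclass

# Relying party (RP) configuration. Both values are constructed for this example.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"


@dataclass
class Credential:
    """What the RP stores after registration: the credential id, the key it
    verifies assertions with, and the last signature counter it accepted."""
    credential_id: bytes
    key: bytes          # stand-in for the credential's public key (HMAC key here)
    sign_count: int = 0


@dataclass
class AssertionResponse:
    """The fields a browser returns from navigator.credentials.get()."""
    credential_id: bytes
    client_data_json: bytes
    authenticator_data: bytes
    signature: bytes


def simulate_authenticator(key, credential_id, challenge, page_origin, sign_count):
    """Model of the browser plus security key during a login ceremony.

    The browser, not the page's script, records the page's real origin in
    clientDataJSON and derives the RP ID from it. The authenticator signs
    authenticatorData (which begins with sha256(RP ID)) together with
    sha256(clientDataJSON). HMAC stands in for the real public-key signature.
    """
    rp_id = page_origin.split("://", 1)[1]           # browser-derived effective domain
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()    # rpIdHash (32 bytes)
                 + b"\x01"                                   # flags: UP (user present)
                 + struct.pack(">I", sign_count))            # signature counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()
    return AssertionResponse(credential_id, client_data, auth_data, signature)


def verify_assertion(cred, expected_challenge, resp):
    """RP-side verification in the order of the WebAuthn spec's
    'Verifying an Authentication Assertion' procedure (simplified).
    Returns (accepted, reason)."""
    if resp.credential_id != cred.credential_id:
        return False, "unknown credential"
    client_data = json.loads(resp.client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # Origin binding: the check that makes an assertion from a lookalike domain useless.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if resp.authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not resp.authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    count = struct.unpack(">I", resp.authenticator_data[33:37])[0]
    if count != 0 and count <= cred.sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    to_sign = resp.authenticator_data + hashlib.sha256(resp.client_data_json).digest()
    expected_sig = hmac.new(cred.key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, resp.signature):
        return False, "bad signature"
    cred.sign_count = count
    return True, "ok"


def demo():
    """A genuine login is accepted; the same key used on a lookalike domain is not."""
    cred = Credential(credential_id=b"cred-1", key=os.urandom(32))
    results = {}
    challenge = os.urandom(16).hex()
    resp = simulate_authenticator(cred.key, cred.credential_id, challenge, EXPECTED_ORIGIN, 1)
    results["genuine"] = verify_assertion(cred, challenge, resp)
    challenge = os.urandom(16).hex()
    resp = simulate_authenticator(cred.key, cred.credential_id, challenge,
                                  "https://accounts-example.com", 2)   # constructed lookalike
    results["lookalike"] = verify_assertion(cred, challenge, resp)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

The contrast with SMS or app-generated codes is that an OTP is a bare string: the server can only compare it with the value it expects, and there is no origin, challenge or counter it could check. In the model above the user's key never has to "know" it is on the wrong site; the browser's origin record and the server's comparison against EXPECTED_ORIGIN do the work, which is why an Azure AD policy that admits only FIDO2 or certificate-based methods removes the relay path rather than merely warning users about it.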

Change isn't easy, especially for the many people who assume they need to be tech specialists to understand cybersecurity protection methods. Adopting phishing-resistant mobile MFA with a security key is not a difficult process, and many tech companies, such as Google, the social media giants, Amazon and password manager providers (to name a few), enable and accept security keys for MFA.

However, this is where supply and demand come into play. The many tech companies offering MFA are the "supply" side of better account protection, but at the core of the "demand" side is the user experience.

Whether a workplace introduces IT policies that require employees to use security keys to access accounts, or an individual chooses to use one willingly, adoption is far simpler when the method is convenient and does not require a lot of set-up or juggling different devices and codes.

Convenient and easy use of phishing-resistant solutions such as security keys ultimately leads to a happy user experience and one which comes with the added bonus of secure online access.

Mobile devices are excellent for making phone calls, sending messages, using apps for entertainment or accessing the web for information, but when it comes to securing our identity and our data, our access methods should be treated like our health: as a priority. As mentioned before, change is never easy, but it is possible when it is stress-free, convenient, provides protection and eliminates phishing.
