Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
Charley Chell
Security
CA Technologies
Security Product Management
SCT24T
@CharleyChell
#CAWorld
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Terms of this Presentation
For Informational Purposes Only
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
The mobile application is becoming the primary interface between your enterprise and end users — but what will be used to secure this access? Come learn how to leverage data from mobile devices to help identify the legitimacy of a user attempting to login or perform a sensitive transaction.
Charley Chell
CA Technologies
Advisor
Agenda
1. A BRIEF LOOK AT HISTORY
2. MOBILE DEVICE AUTHENTICATION
3. CAUTIONS
4. RAISING THE SECURITY BAR FOR AUTHENTICATION
Authentication – Traditional Ideas
Something that you KNOW
Something that you HAVE
Something that you ARE
Before Mobile
The Mobile Device
• Brings together something that you HAVE and something that you ARE
• Is your mobile separate from you?
Something About Mobile Devices
• Everyone has one
• Everyone has their own
• Everyone (almost) has just one (may change from time to time, but one current)
• And, it is not shared!
Mobile Devices and Authentication
Authenticate WITH
Authenticate TO
Authenticate THROUGH
Authentication Schemes
Lifelong: Thumbprint, Drivers License
Years: Work badge, Credit/Debit Card
Days: Hotel room key, Boarding Pass
Authentication Schemes – Cautions
Lifelong: Thumbprint, Drivers License
Years: Work badge, Credit/Debit Card
Days: Hotel room key, Boarding Pass
Cautions:
• Fraudulent
• Online Check In
• Stolen
• Sophisticated fraud if the value is there
Mobile Device for Authentication – Significant benefits
• Multi-mode Usability
  – Visual – something user can view and enter
  – Interactive – direct interface at POI
  – Automatic – backend without user interaction
• Retention of usage history
  – User audit possible
  – But, not without risk checks
• Wealth of data
  – Identify legitimate behavior
General Pattern for Risk Assessment
Authentication for Browser-Based Access
• Assessment generally at key points like login, accessing a new application, sensitive requests
• Authentication has evolved
  – From Username / Password
  – Evolved to Strong 2FA primary credential, like a HW or SW Token
  – Now Evolving to Username / Password + Out-of-Band One-Time Password (OOB OTP)
CA Auth ID, Q&A, OATH Tokens, OTP – Out of Band, CA MobileOTP
Authentication for Browser-Based Access
Considerable discussion on new authenticators. However, there has been little progress on eliminating the password. Many companies use hardware tokens for some small set of users.
The decision process here is largely based on fixed policies. However, the use of behavioral analytics is growing.
Q&A usage is on the decline and is being replaced by One Time Password (OTP) over SMS or email. Confirmation via push notification is gaining ground.
What’s Driving the Changes?
Change 1 – Use of the Phone as an Authenticator
– Everyone has a Phone
  • Hardware tokens too cumbersome
  • But need for multifactor authentication hasn’t changed. Passwords too easy to crack.
– It’s a personal device
  • Only used by one person, always available, rarely shared
What’s Driving the Changes?
Change 2 – Behavioral Analytics Use
– A person’s behavior is difficult to mimic
  • Attacker must watch for a very long time to determine behavior
  • Then simulating it is still hard
– And generally, the attacker must change the behavior in order to accomplish the illegal act they are perpetrating
Risk Assessment is a Strong Credential
RISK DATA AVAILABLE
Where is the user? What device is being used? What is the user trying to do? Is the action consistent with history?
LOCATION
• Is the location inherently suspect?
• Have they been there before?
• Where were they recently?
DEVICE DNA
• What kind of device is it?
• Have they used it before?
• Has it changed since they last used it?
BEHAVIOR
• Is this a typical action for the user?
• Is the action inherently risky?
• Have they taken similar actions before?
HISTORY
• Is this a normal time of day for them?
• Is their frequency of login abnormal?
• Is their current action consistent with prior actions?
Authentication for the Mobile App
• “Login” is different. That concept doesn’t really exist in the app world.
• App developer has a choice
  – Trust the on-phone authentication
    • Touch ID
  – Supplement the on-phone authentication with something else, like
    • SMS to verify that the phone is bound to the phone number on file
  – Authenticate from the app
Authentication for Browser-Based Access
Access generally is persistent. The app always knows who you are.
The decision process here is largely nonexistent today. Therefore, the concept of risk-based additional authentication is just emerging. But it will take many forms ranging from identity confirmation to transaction signing.
Most apps provide the option to require a PIN/fingerprint at the first major activity.
Why Mobile Risk is Important
• Credentials can be compromised
  – Phones may be lost/stolen
  – Or simply left unlocked at the desk
• Behavioral assessment best indicator of identity
• Wealth of data available on a phone, much more than a browser world
Let’s Take a Look at Mobile Risk Up Close
• Rich data available on mobile
• Can generate a risk score
• Can require step up based on score
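The risk-data slide (location, device DNA, behavior, history) and the score-then-step-up bullets above describe one pattern. As an added illustration that is not CA's code, the following Python scores one constructed app request against a constructed user profile and maps the score to the step-up forms the deck mentions (identity confirmation, transaction signing). The signal weights, score thresholds, the placeholder suspect-country list and the sample profile and events are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    """Constructed per-user history the backend has retained."""
    known_devices: frozenset
    known_countries: frozenset
    typical_hours: frozenset  # hours of day (0-23) with past activity
    prior_actions: frozenset

@dataclass
class Event:
    device_id: str
    device_changed: bool  # fingerprint differs from last use (OS, root state, ...)
    country: str
    hour: int
    action: str
    logins_last_hour: int

RISKY_ACTIONS = {"wire_transfer", "change_phone_number"}
SUSPECT_COUNTRIES = {"ZZ"}  # placeholder; a real list would come from fraud intel

def score_event(p: Profile, e: Event):
    """Return (score 0-100, reasons). Weights are illustrative assumptions."""
    checks = [
        # LOCATION: inherently suspect? seen before?
        (e.country in SUSPECT_COUNTRIES, 40, "suspect location"),
        (e.country not in p.known_countries, 20, "country not seen before"),
        # DEVICE DNA: known device? changed since last use?
        (e.device_id not in p.known_devices, 30, "unknown device"),
        (e.device_id in p.known_devices and e.device_changed, 15, "device changed"),
        # BEHAVIOR: inherently risky? done before?
        (e.action in RISKY_ACTIONS, 20, "inherently risky action"),
        (e.action not in p.prior_actions, 10, "action not taken before"),
        # HISTORY: usual hour? login frequency?
        (e.hour not in p.typical_hours, 10, "unusual time of day"),
        (e.logins_last_hour > 5, 15, "abnormal login frequency"),
    ]
    hits = [(w, r) for hit, w, r in checks if hit]
    return min(sum(w for w, _ in hits), 100), [r for _, r in hits]

def decide(score: int) -> str:
    # Step-up forms the deck mentions: identity confirmation, transaction signing
    if score >= 60:
        return "step_up:transaction_signing"
    if score >= 30:
        return "step_up:push_confirmation"
    return "allow"
# Constructed sample: one phone, one country, daytime use, two routine actions.
PROFILE = Profile(frozenset({"dev-A"}), frozenset({"US"}), frozenset(range(8, 21)),
                  frozenset({"view_balance", "pay_bill"}))
NORMAL = Event("dev-A", False, "US", 10, "view_balance", 1)
LEFT_UNLOCKED = Event("dev-A", True, "US", 3, "wire_transfer", 1)  # same phone, odd use
NEW_DEVICE = Event("dev-B", False, "DE", 10, "wire_transfer", 2)   # never-seen phone
```

The "left unlocked at the desk" case scores on the same known device through the changed-fingerprint, odd-hour and unusual-action signals, which is why a device check alone is not enough.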
Top 5 Takeaways
1. The mobile device improves the browser authentication experience
– Easy intuitive experience
– Provides a platform for security Mobility index
2. And mobile app authentication is becoming increasingly important
– Organizations are looking to apps as a way to reach their customers
– Authentication is of course necessary
3. Mobile app authentication is lagging the browser
– Risk assessment not prevalent
– But will become important quickly
4. Users use multiple devices in multiple locations
– You have to tie the activity together
– Risk assessment that uses behavioral profiling and a mobility index can account for this
5. Mobile Device Identification gives us an important tool
– More precise and more data available to make a decision
– Can be done without invading the user’s privacy
CA Advanced Authentication
Versatile Authentication – CA Strong Authentication™: CA Auth ID, Q&A, OATH Tokens, OTP – Out of Band, CA MobileOTP
Contextual Authentication – CA Risk Authentication™: Where is the user? What is the user trying to do? Is the action consistent with history? What device is being used?
Recommended Sessions
SESSION #  TITLE                                                 DATE/TIME
SCT21T     Enable Omnichannel with Security and API Management   Thurs. Nov 19 at 2:00 pm
SCT17T     Strong Auth in IdM                                    Thurs. Nov 19 at 3:45 pm
Must See Demos
Protect Against Fraud & Breaches – CA Advanced Auth – Security Theater
Engage Customers – CA SSO – Security Theater
Innovation – IoT Slot Car – CA AA, APIM – Security Theater
Secure Omni-Channel Access – CA AA, APIM, SSO – Security Theater
Q & A
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15