Soft tokens, hard security: the best way to beat online banking threats

There are drawbacks to this approach, however. Firstly, it pushes extra costs onto some end users, particularly in North America, where they have to pay for the SMS they receive. Secondly, it is subject to network coverage, network latency and SMS delivery issues, which creates uncertainty over whether the SMS will be delivered quickly, or at all.

And finally, it doesn't address the Man-in-the-Middle problem – an SMS is not generated in the backend and sent via the network, so there's a greater chance it will be intercepted. Fraudsters have successfully launched targeted attacks using SMS-related malware. For instance, perpetrators of the Zeus Botnet Eurograbber attack stole $47 million (around £31 million, AU$61 million) in assets from more than 30,000 corporate and private banking customers.

Another way to implement mobile authentication is to turn the mobile phone into a "soft token" by installing software that generates OTPs on the device itself. The most common OTP generators are for phones, including BlackBerry, iPhones, Android and Windows.

OATH-compliant HMAC-based algorithms (HOTP) or time-based OTP algorithms (TOTP) can be used. A unique combination of time and event-based algorithm is considered more secure. While not as seamless as SMS OTP from the rollout and support standpoint, mobile OTP offers advantages in terms of cost and usability.

The advantages of the soft token approach are that it:

  • Is simple to use – once the software's installed. As far as the customer is concerned, this method works in essentially the same way as SMS OTPs, except that instead of waiting to receive an automatically generated SMS, the user runs the OTP application on his/her phone, generates an OTP, and uses it instantly.
  • Incurs no extra costs aside from the software download. As the user does not use any airtime or carrier services to generate the OTP, this method doesn't cost users anything. Depending on the carrier and download method, customers may have to pay to download the app. And unlike SMS delivery, which only cares about the number on the SIM card and not which handset the SIM card is in, customers who get a new mobile will need to download and install the application again.
  • Is immune to coverage, latency, and delivery issues. Doing everything on the phone itself almost completely immunises users from the vagaries of mobile networks – making the soft token approach a better choice for mobile payments and authentication.

Defending against key threats

It is important to note that mobile OTP generators, if poorly implemented, are susceptible to fraudster attacks. Ensuring OTPs are generated securely only for intended users requires advanced technologies to mitigate key threats:

Phishing: Ensure that each software token is bound to the device of the user on which the application is installed.

Keystroke logging: Preclude attackers from capturing OTPs using key-logging. Even with a captured PIN or activation code, the attacker will be unable to generate an identical (clone) mobile software token.

Static code dump/Patch runtime debugging: Even if the unique device IDs are spoofed, the mobile software token must have sophisticated levels of code obfuscation and symbol stripping, as well as an additional built-in security layer in the form of a PIN. These measures ensure that even if an attacker reverse engineers the token, an OTP will not be generated.

System resource manipulation: In order to conduct this type of attack, a jail-broken or rooted device is required. The mobile software token does not operate on such a device, thereby preventing such an attack.

Brute force: The mobile software token must be PIN protected and designed to self-destruct after 5 incorrect entries entered consecutively. The mobile software token can also be protected with a layer of PIN camouflaging. In this case, an incorrect PIN will be accepted and an invalid OTP will be displayed. The attacker has no way of knowing if an input PIN is correct or incorrect.

Dynamic memory access: In order to conduct this type of attack, the device would need to be in a vulnerable state such as jail-broken or rooted. The mobile software token should implement sophisticated layers of verification to determine if the device is compromised and, if so, cease to operate.

Chosen plain text brute force: The attacker will not be able to mount this attack as it is not computationally feasible to obtain the token secret key by brute force.

Screen capturing: It should be possible to configure the mobile software token to generate OATH-compliant time-based OTPs and Challenge/Response codes with a short validity period, so that capturing and relaying them is ineffective.
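
As an added illustration (not code from this article or from any vendor's product), the sketch below shows OATH HOTP/TOTP generation, the short validity window described under screen capturing, and one possible way to realise the PIN camouflaging and five-attempt limit described under brute force. The XOR-masked seed, the class names, the 30-second step and the server-side failure count are assumptions of this example.

```python
import hashlib, hmac, struct

STEP = 30         # OTP validity in seconds (assumed value)
MAX_FAILURES = 5  # consecutive bad OTPs before the token is disabled

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, now, digits=6):
    """RFC 6238: HOTP whose counter is the current time step."""
    return hotp(key, int(now // STEP), digits)

def pin_pad(pin, salt, length):  # stretch the PIN into a pad as long as the seed
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SoftToken:
    """Device side (hypothetical design): keeps seed XOR pad, no PIN check value."""
    def __init__(self, seed, pin, salt):
        self.salt, self.blob = salt, xor(seed, pin_pad(pin, salt, len(seed)))
    def generate(self, pin, now):
        # Every PIN is accepted; a wrong one unmasks a wrong seed, so the OTP
        # looks normal but will not verify (PIN camouflaging).
        return totp(xor(self.blob, pin_pad(pin, self.salt, len(self.blob))), now)

class Server:
    """Back end: holds the real seed and counts consecutive failures."""
    def __init__(self, seed):
        self.seed, self.failures, self.disabled = seed, 0, False
    def verify(self, otp, now):
        if self.disabled:
            return False
        if hmac.compare_digest(otp, totp(self.seed, now)):
            self.failures = 0
            return True
        self.failures += 1
        self.disabled = self.failures >= MAX_FAILURES
        return False

if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test seed, used as constructed sample
    tok, srv = SoftToken(seed, "4821", b"constructed-salt"), Server(seed)
    print(srv.verify(tok.generate("4821", 59), 59), srv.verify(tok.generate("0000", 59), 59))
```

Because the device stores nothing that confirms the PIN, the failure count in this sketch lives on the server; a token that self-destructs locally would need its own way to recognise a wrong entry.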

Additionally, all strong authentication solutions should be implemented as part of a larger, multi-layered, context-based security strategy that also includes device profiling, malware forensics, transaction verification, and mutual authentication between the user and the application. This requires an integrated versatile authentication platform with real-time threat detection capabilities. The advanced fraud prevention seamlessly integrates with all major banking platforms and the threat detection piece is transparent, so that there is no software for the user to install.

The security benefits to the financial institution are immediate and provide customers with the peace of mind that their online banking provider has taken steps to provide a secure environment in which to conduct their financial transactions conveniently.


Financial transaction security must continue to evolve in order to withstand existing and evolving threats while accommodating growth in digital banking. By providing customers with strong authentication capability on their mobile devices, they are able to generate their own OTPs for online banking in an easy, fast and secure manner – and the same strong authentication functionality can be embedded to secure mobile banking platforms for even more frictionless anytime/anywhere banking, as well.

This enables financial institutions to adopt consistent security across multiple service channels efficiently, comply with regulatory mandates for multi-factor authentication, and satisfy growing customer demands for convenient services, while potentially increasing revenue streams as adoption of digital banking increases.

  • Christy Serrato is responsible for banking partner ecosystem development and solutions marketing for the Identity Assurance business at HID Global