Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/140217
Title: Proving presence and locality to mitigate compromised smartphone scenarios
Authors: Leguesse, Yonas (2025)
Keywords: Mobile computing -- Malta
Banks and banking, Mobile -- Malta
Fraud -- Malta
Hacking -- Malta
Issue Date: 2025
Citation: Leguesse, Y. (2025). Proving presence and locality to mitigate compromised smartphone scenarios (Doctoral dissertation).
Abstract: This research delves into the evolving landscape of smartphone security and authentication technologies. While the scope of threats and security measures is applicable to mobile computing in general, the study focuses primarily on mobile banking, a sector particularly vulnerable to evolving threats. As online services are shifting to fully mobile solutions, malicious actors have evolved their tactics from traditional Account Takeovers (ATO) to more sophisticated attacks performed directly on the victim’s device. These threats, known as On-device Fraud (ODF), are able to compromise existing authentication mechanisms, including possession-based verification controls. In this work, we postulate that the problem lies in the weak verification of user presence and locality. Current security measures, particularly smartphone possession verification methods, do not effectively ensure that the users are both present and in local physical possession of the smartphone. As a result, remote attackers are able to mimic the required user interactions to bypass possession verification processes despite not physically possessing the device. Throughout this work, the impact of remote attackers targeting state-of-the-art possession verification controls is demonstrated through forensic footprint analysis. The introduction of the Remote Device Takeover (rDTO) threat model formalises this attack category, explaining how advanced malware can bypass existing security measures, particularly smartphone possession verification methods, by granting remote attackers a form of possession over the compromised device. To mitigate the significant security gaps revealed by the rDTO threat model, this research proposes Proof of Presence and Locality (PoPL), a novel security model aimed at verifying both user presence and locality. 
The verification of user presence confirms that a user is intentionally interacting with the device, while the verification of locality ensures that this interaction occurs within close physical proximity to the device. Successful verification of both user presence and locality strengthens smartphone possession verification methods. The effectiveness of the proposed PoPL security model in mitigating rDTO attacks is demonstrated through reference implementations. Crucially, these security enhancements, offered through the introduction of PoPL, are achieved without significantly impacting the practicality or usability of mobile-device-based authentication systems. Through PoPL, this research is the first to present a usable authentication method capable of mitigating rDTO-enabled ODF attacks without resorting to the practice of requiring separate hardware devices. This thesis demonstrates that strong smartphone possession verification requires the verification of both user presence and locality, and that this security enhancement can be achieved without significantly impacting usability.
Description: Ph.D.(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/140217
Appears in Collections: Dissertations - FacICT - 2025

Files in This Item:
2501ICTCPS600005027062_1.PDF (4.88 MB, Adobe PDF)

