Will context-sensitive security improve mobile banking?
Security often fails in the real world when users bypass it for the sake of convenience. Smart applications should dynamically adjust security protocols based upon the user’s context, writes Clayton Locke.
A colleague of mine recently received an important phone call from his bank as he set off on his annual family holiday. The bank called as he was waiting in an airport queue – an automated voice informed him that the bank had noticed some suspicious transactions.
The transaction amounts were too tiny and too long ago to be memorable, and the voice didn’t explain which of his multiple accounts was involved or which of the joint account holders’ cards was used. Not recognising any of the transactions, he faced a stark choice: be honest, raise the alarm and hope to get it sorted out before he left the country, or lie and say he recognised them.
On the basis that the payments were small and sounded reasonable, he lied. Admitting that he didn’t recognise the small payments would have incurred a cost in hassle and time that outweighed any security concerns. The bank’s systems put him into a situation where he was forced to make this awkward choice for minor payment amounts. Surely the system should be context aware, and could make a better decision before placing the automated security call.
Security vs usability in software development
We’ve all been in similar situations, and they undermine one of the dogmas of modern software development: that security and usability are opposing forces.
It’s easy to make things difficult to use in the name of security, but compromising usability for the sake of security in theory can lead to a rapid failure of security in practice – as neatly illustrated by the story. Delivering effective security outcomes means striking an appropriate balance between usability and security, but finding the right balance can be a challenge – and the right balance changes depending on the user’s context. The balance is not the fixed point that we see in most systems today, where the security protocols are the same no matter what the context. To improve usability and security, our security protocols must become more dynamic and responsive to the user’s context.
Smart applications should be context aware and make sophisticated, rule-based decisions that strike the right security balance in real time. Smart applications will also monitor the user’s context, using the sensor data available on the mobile devices, to increase security whilst improving usability.
Not all actions carry the same risks
This type of security responsiveness recognises that not all actions carry the same risks and arises from an application asking itself two questions about a user:
- Who are you?
- What are you trying to do?
These two questions are just the beginning of a truly context-sensitive security model for applications – by asking more questions an app will be able to make smarter choices. Projects like OWASP’s AppSensor supplement this basic model by asking not only Who are you? and What are you trying to do? but also:
- What else have you done recently?
For example: if you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities, no one will say anything.
De-escalating security when you’re on safe ground
When we’re at home we relax and rely on the security and access control provided by our front door. An application with access to WiFi, GPS or iBeacon data could determine when it’s at home and relax its own authentication requirements for the same reason you do.
An application that’s context-aware could also make use of a device’s various sensors (or those of a paired device) to enforce, as well as inform, its security policy. An application in a relaxed security mode might identify a user by facial recognition or a fingerprint scanner so that they’re already authenticated by the time they’ve picked up the phone. If the user’s context changes, the same application might determine that a passcode is now required or even escalate to a multi-factor authentication.
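The rule-based decision described above can be sketched as a small policy function that answers the three questions and picks an authentication level. This is an added example, not code from the article or from OWASP AppSensor; the action tiers, score weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Auth(IntEnum):
    BIOMETRIC = 1  # relaxed mode: face or fingerprint
    PASSCODE = 2
    MFA = 3        # passcode plus a second factor
    BLOCK = 4      # refuse the request and raise an alert


# Constructed risk tiers for "What are you trying to do?"
ACTION_RISK = {"view_balance": 0, "pay_known_payee": 1,
               "add_payee": 2, "large_transfer": 3}


@dataclass
class Context:
    action: str
    device_enrolled: bool          # "Who are you?": device already bound to the user
    on_trusted_network: bool       # home WiFi / GPS / iBeacon match
    recent_suspicious_events: int  # "What else have you done recently?"


def required_auth(ctx: Context) -> Auth:
    risk = ACTION_RISK.get(ctx.action)
    if risk is None or ctx.recent_suspicious_events >= 3:
        return Auth.BLOCK  # fail closed on unknown actions or repeated probing
    score = risk + ctx.recent_suspicious_events
    if not ctx.device_enrolled:
        score += 2
    if not ctx.on_trusted_network:
        score += 1
    # Location signals can be spoofed, so a trusted location is worth only
    # one point; a large transfer never drops below a passcode.
    if score <= 1:
        return Auth.BIOMETRIC
    if score <= 3:
        return Auth.PASSCODE
    return Auth.MFA


def needs_step_up(current: Auth, ctx: Context) -> bool:
    """True when the session's authentication is too weak for ctx.
    BLOCK outranks every session level, so the caller rejects the request."""
    return current < required_auth(ctx)
```

The same large transfer needs only a passcode at home on an enrolled device but escalates to multi-factor authentication once the trusted-network signal disappears.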
The trade-off between usability and security does not have to be a zero-sum game. We should deliver something smarter.