Why Stolen Credentials Are the #1 Threat to Mobile Security
Posted by NowSecure Mobile Security Advocate
“Cybercriminals are increasingly logging in rather than hacking into networks through valid accounts.” — IBM Security X-Force Threat Index 2024
“The use of stolen credentials remains the primary way into organizations, with 40% of breaches involving credentials as the top ‘action’ to entry taken.” — Verizon 2024 Data Breach Investigations Report
In popular imagination, hackers navigate complex code exploits. In reality, most mobile breaches stem from compromised or stolen credentials. Some occur via users divulging credentials in phishing attacks, reusing passwords from other compromised accounts (making it easy for hackers to guess) or through brute-force password guessing. Even biometrics have become less secure as hackers use AI voice cloning technology to log into bank accounts where voice can be used for verification.

Multi-Factor Authentication (MFA) guards against stolen credentials by requiring users to combine multiple forms of verification. This ensures that even if one login method is compromised, the account and its data remain secure. If a threat actor attempts to use stolen credentials during an attack, MFA not only blocks unauthorized access but also alerts the organization to suspicious or fraudulent login attempts, especially when identity monitoring solutions are in place.
Because of its effectiveness, MFA reduces the risk of account compromise by 99%, according to the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
MFA Weaknesses
While MFA is highly effective, not all MFA solutions offer the same level of security. The quality of MFA implementation varies greatly. NowSecure mobile application security testing of thousands of apps across different marketplaces reveals that only half of mobile apps with MFA use a secure implementation, and fewer than 1% routinely test their MFA security.
Attackers have developed new methods in recent years to bypass legacy MFA techniques, ranging from simple MFA fatigue attacks to intercepting one-time passcodes (OTPs). To stay ahead of these evolving threats, organizations must do more than just implement modern MFA — they must enforce it. Proven and widely supported passwordless approaches, based on the FIDO2 specifications, provide stronger security than passwords and SMS OTPs while offering a simpler user experience and easier deployment for service providers.
Is Your MFA Strong Enough to Safeguard Sensitive Data?
The more transactions your mobile app processes or the more sensitive data it handles, the more likely it will attract targeted, sophisticated attacks from threat actors.
This is why NowSecure advocates for progressive testing using a tiered risk model. Not all apps require the same level of security investment. Apps that handle critical functions or sensitive data demand greater time and resources to ensure they cannot be exploited or misused by malicious actors.
Based on the risk presented by each app, progressive testing provides different levels of depth and coverage so as to invest the right amount of resources, from least risk to most risk:
- Automated mobile application security testing covers the critical MFA test cases, although its findings are not always labeled explicitly as MFA findings. Apps that hold no sensitive information and cannot conduct financial transactions can usually rely on automated testing to flag the most common vulnerabilities.
- Manual testing, or NowSecure Mobile Pen Testing as a Service (PTaaS), is the only way to truly verify that MFA is properly implemented. With NowSecure Platform Guided Testing, we can cover more test cases because a human tester can manipulate the app’s authentication flows directly.
- And finally, for a robust adversarial emulation, expert-led pen testing can round out test coverage with the more offensive activities. This is the right level of testing for apps that have the capabilities to conduct financial transactions or contain sensitive health information, for example.
How NowSecure Tests MFA Security
Testing for MFA efficacy in mobile apps involves several key steps to verify proper implementation and security. It’s crucial to recognize that while automated security checks can detect common attack vectors, malicious actors continuously adapt their tactics and probe for weaknesses. Securing the most sensitive assets in mobile apps demands the expertise and hands-on analysis of experienced pen testers.
1. Review Implementation Design: Analyze the MFA integration to ensure it aligns with security best practices and standards like NIST and OWASP Mobile Application Security Verification Standard (MASVS). This includes checking whether multiple authentication factors (e.g., something you know, something you have, something you are) are effectively combined and appropriately separated.
2. Examine User Experience Flows: Ensure that the MFA process has no bypassable steps or weak fallbacks, such as reverting to single-factor authentication. Test different scenarios, like app upgrades, offline access and recovery methods, to identify any potential weak points.
3. Test Authentication Channels: Validate the security of the communication channels used for MFA, such as SMS, email, push notifications and authenticator apps. Ensure that these channels are encrypted and not exposed to known weaknesses (e.g., SIM swapping for SMS-based MFA).
4. Evaluate Data Storage and Handling: Assess how MFA-related data like tokens, recovery keys and biometric data is stored and managed. Ensure data is securely encrypted at rest and in transit and is not stored in plaintext or exposed to unauthorized access.
5. Conduct Penetration Testing: Perform penetration tests focusing on MFA processes to simulate potential attacks (e.g., brute-force attacks, man-in-the-middle attacks, phishing attacks). This helps to identify any flaws in the MFA implementation that could be exploited.
6. Check for Replay Attacks: Verify that the MFA implementation includes protections against replay attacks, such as nonce values, timestamps, or unique session IDs, to ensure that authentication requests cannot be reused.
7. Assess Usability and Resilience: Test the usability of the MFA process to ensure it does not hinder legitimate user access while maintaining security. Also, check how the system responds under stress (e.g., high traffic or denial-of-service attacks) to ensure MFA remains resilient.
8. Regularly Update and Monitor: Ensure that MFA mechanisms are regularly updated to address new threats and vulnerabilities. Continuously monitor for anomalies or suspicious activity related to MFA.
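As an added example (not NowSecure’s code or tooling), the following Python snippet shows what steps 5 and 6 look like on the server side of an authenticator-app factor: an RFC 4226/6238 one-time-code check that accepts each code at most once (the replay protection from step 6), tolerates one 30-second step of clock skew, compares codes in constant time, and locks the factor after repeated failures (the brute-force case from step 5). The secret is the RFC 4226 test key; the timestamps, the `OtpVerifier` class and its lockout threshold are constructed for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)


class OtpVerifier:
    """Per-user verifier state (constructed for this example; a real service would persist it).

    Replay defence: remember the highest counter already accepted and refuse any
    code that maps to that counter or an earlier one, even inside the skew window.
    Brute-force defence: count consecutive failures and lock the factor at a threshold.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 skew: int = 1, max_failures: int = 5) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.max_failures = max_failures
        self._last_counter = -1   # highest counter value already consumed
        self._failures = 0        # consecutive failed attempts

    def verify(self, code: str, now: float) -> tuple[bool, str]:
        """Return (accepted, reason). Reasons: ok, replayed, invalid, locked."""
        if self._failures >= self.max_failures:
            return False, "locked"
        counter = int(now) // self.step
        # Counters cannot be negative; clamp the lower edge of the skew window.
        for c in range(max(0, counter - self.skew), counter + self.skew + 1):
            # Constant-time comparison so a wrong digit position is not measurable.
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                if c <= self._last_counter:
                    return False, "replayed"   # valid code, but already used once
                self._last_counter = c
                self._failures = 0
                return True, "ok"
        self._failures += 1
        return False, "invalid"


if __name__ == "__main__":
    # RFC 4226 test key; timestamps are constructed for the demo.
    key = b"12345678901234567890"
    v = OtpVerifier(key)
    first = totp(key, 59)                  # code for the time step containing t=59
    print(v.verify(first, 59))             # (True, 'ok')
    print(v.verify(first, 61))             # (False, 'replayed'): same code, same step, reused
    print(v.verify(totp(key, 61), 61))     # (True, 'ok'): next step's code
```

Each accepted code advances `_last_counter`, so an intercepted code is useless once the legitimate user has submitted it, and the skew window never lets an older step be re-opened. The lockout counter is deliberately per factor rather than per IP address, since a distributed guessing campaign rotates sources.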

By integrating these mobile app risk management strategies, you can thoroughly test your mobile app’s MFA implementation to ensure strong security without compromising usability.
Reach out to NowSecure experts to see how business impact tiers, continuous testing and orchestrated remediation work together to strengthen and scale your mobile app risk management program.