Abstract
SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking. Today, SMS OTPs are commonly used for authentication and authorization for many different applications. Recently, SMS OTPs have come under heavy attack, especially by smartphone Trojans. In this paper, we analyze the security architecture of SMS OTP systems and study attacks that pose a threat to Internet-based authentication and authorization services. We determined that the two foundations SMS OTP is built on, cellular networks and mobile handsets, were completely different at the time when SMS OTP was designed and introduced. Throughout this work, we show why SMS OTP systems cannot be considered secure anymore. Based on our findings, we propose mechanisms to secure SMS OTPs against common attacks and specifically against smartphone Trojans.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Mulliner, C., Borgaonkar, R., Stewin, P., Seifert, JP. (2013). SMS-Based One-Time Passwords: Attacks and Defense. In: Rieck, K., Stewin, P., Seifert, JP. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2013. Lecture Notes in Computer Science, vol 7967. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39235-1_9
DOI: https://doi.org/10.1007/978-3-642-39235-1_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39234-4
Online ISBN: 978-3-642-39235-1