Security Analysis of Mobile Phones Used as OTP Generators
The Norwegian company Encap has developed protocols enabling individuals to use their mobile phones as one-time password (OTP) generators. An initial analysis of the protocols reveals minor security flaws. System-level testing of an online bank utilizing Encap’s solution then shows that several attacks allow a malicious individual to turn his own mobile phone into an OTP generator for another individual’s bank account. Some of the suggested countermeasures to thwart the attacks are already incorporated in an updated version of the online banking system.
Keywords: Mobile Phone, Authentication Protocol, Activation Protocol, Online Bank, Secure Object