SMS-Based One-Time Passwords: Attacks and Defense

(Short Paper)
  • Collin Mulliner
  • Ravishankar Borgaonkar
  • Patrick Stewin
  • Jean-Pierre Seifert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7967)

Abstract

SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking. Today, SMS OTPs are commonly used for authentication and authorization for many different applications. Recently, SMS OTPs have come under heavy attack, especially by smartphone Trojans. In this paper, we analyze the security architecture of SMS OTP systems and study attacks that pose a threat to Internet-based authentication and authorization services. We determined that the two foundations SMS OTP is built on, cellular networks and mobile handsets, were completely different at the time when SMS OTP was designed and introduced. Throughout this work, we show why SMS OTP systems cannot be considered secure anymore. Based on our findings, we propose mechanisms to secure SMS OTPs against common attacks and specifically against smartphone Trojans.

Keywords

Smartphone, OTP, SMS, mTAN, Malware, Multi-factor

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Collin Mulliner (1)
  • Ravishankar Borgaonkar (2)
  • Patrick Stewin (2)
  • Jean-Pierre Seifert (2)
  1. Northeastern University, USA
  2. Technische Universität Berlin, Germany