SMS-based one-time password: risks and protection tips

As the digital world has evolved, so has the need to protect customer identities. Today's customers expect a secure experience from the organizations they deal with, while the growing use of cloud-based services and mobile devices has increased the risk of data breaches. Did you know that total account-hacking losses increased 61% to $2.3 billion, and incidents increased by up to 31%, compared to 2014?

The SMS-based one-time password (OTP) is a technology introduced to combat phishing and other authentication-related security risks on the web. SMS-based OTPs are generally used as the second factor in two-factor authentication (2FA): after entering their credentials, users must submit a unique OTP, which the website verifies before granting access. 2FA has proved an effective way to reduce hacking incidents and prevent identity fraud.

Sadly, SMS-based OTPs can no longer be considered secure. There are two main reasons for this:

  • First, the security of an SMS-based OTP rests on the confidentiality of the text message. That confidentiality in turn depends on the security of the cellular network, and the GSM and 3G networks have lately shown that it cannot be guaranteed.
  • Second, attackers are doing their best to get at customer data, and to that end they have developed many specialized mobile phone Trojans.

Let's look at them in detail.

Main risks associated with SMS-based OTP:

The attacker's key objective is to obtain the one-time password, and several techniques have been developed for this purpose: mobile phone Trojans, wireless interception and SIM swapping attacks, among others. Let's discuss them in detail:

1. Wireless interception:

Several factors make GSM technology less secure, such as the lack of mutual authentication and the lack of strong encryption algorithms. Communication between mobile phones and base stations can be eavesdropped on and, thanks to weaknesses in the protocol, also decrypted. 3G communication can likewise be intercepted by abusing femtocells: a modified firmware with tracing and interception capabilities is installed on the femtocell, and the device can then also be used to mount attacks against the phones attached to it.

2. Mobile phone Trojans:

The fastest-growing threat to mobile devices is mobile malware, especially Trojans. These malicious programs are designed specifically to intercept SMS messages containing one-time passwords, and the main motive behind them is financial gain. Let's look at the known Trojans capable of stealing SMS-based OTPs.

The first known Trojan of this kind was ZITMO (Zeus In The Mobile) for Symbian OS, developed to intercept mTANs. It registers itself with the Symbian operating system so that incoming SMS messages can be intercepted, and it also offers message forwarding, message deletion and other functions. The deletion capability completely hides the fact that the message ever arrived.

In February 2011, a similar Trojan was identified for Windows Mobile, named Trojan-Spy.WinCE.Zot.a, with characteristics similar to the previous one.

Trojans for Android and for RIM's BlackBerry also exist. All of these known Trojans are user-installed software: they do not exploit any security vulnerability in the affected platform, but rely on social engineering to convince the user to install the binary.

3. Free Wi-Fi and Public Hotspots:

Today it is easy for attackers to use an unsecured Wi-Fi network to distribute malware. Getting infected software onto your mobile device is not difficult if you allow file sharing over the network. Some criminals are also able to compromise the hotspot's endpoints, and then present a pop-up window during the connection process asking the user to update some popular piece of software.

4. Lack of SMS encryption and SIM duplication:

The SMS is transmitted from the institution to the client in plain text, and it passes through various intermediaries along the way: the SMS aggregator, the mobile network provider, the app management provider and so on. Weak security controls at any of them, or collusion with attackers, poses a great risk. In addition, attackers frequently have the SIM blocked by presenting false identification and then obtain a duplicate SIM at a mobile operator's point of sale. The attacker is then free to receive every OTP sent to that number.

5. Madware:

Madware is aggressive advertising that delivers targeted ads using smartphone data and location, typically bundled with free mobile apps. Some madware can also function as spyware, capturing personal data and sending it to the application's owner.

What is the solution?

Preventive measures are essential to guard against the weaknesses of SMS-based one-time passwords. There are several options, such as hardware tokens, which generate a one-time password while a transaction is in progress. Another is a one-touch authentication process. An application installed on the mobile phone can also generate the OTP itself. Here are two more ways to protect SMS-based OTPs:

1. End-to-end encryption SMS:

In this approach, end-to-end encryption protects the one-time password so that it is useless to anyone who eavesdrops on the SMS. It makes use of the "private application storage" available on most mobile phones today: a persistent storage area that is private to each application, so only the application that stored the data can read it. The first step is the same OTP generation process as before, but in the second step the OTP is encrypted with a customer-specific key before the SMS is sent to the customer's mobile. On the phone, a dedicated app decrypts the OTP and displays it. Even if a Trojan can read the SMS, it cannot decrypt the OTP because it does not have the required key.
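The two-step flow just described (generate the OTP, then encrypt it under a customer-specific key that only the dedicated app holds), as an added example that is not code from the original article. The HMAC-based encrypt-then-MAC construction, the customer key value and the OTP value are assumptions chosen to keep it dependency-free; a production system would use an authenticated cipher such as AES-GCM.

```python
import base64
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (demonstration construction only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(customer_key: bytes):
    # Separate encryption and MAC keys derived from the per-customer key.
    return (hashlib.sha256(b"enc" + customer_key).digest(),
            hashlib.sha256(b"mac" + customer_key).digest())


def seal_otp(customer_key: bytes, otp: str) -> str:
    """Server side: encrypt-then-MAC the OTP; the SMS body carries base64(nonce|ciphertext|tag)."""
    enc_key, mac_key = _subkeys(customer_key)
    nonce = secrets.token_bytes(12)                     # fresh per message
    ct = bytes(a ^ b for a, b in zip(otp.encode(), _keystream(enc_key, nonce, len(otp))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag).decode()


def open_otp(customer_key: bytes, sms_body: str):
    """Phone side (dedicated app, key in private application storage): verify the tag, then decrypt.
    Returns None when the tag does not verify, e.g. wrong key or a tampered message."""
    blob = base64.b64decode(sms_body)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    enc_key, mac_key = _subkeys(customer_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def new_otp(digits: int = 6) -> str:
    """Step one: a cryptographically random numeric OTP."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))
```

A Trojan that reads the SMS sees only the base64 blob; without the customer key it can neither recover the digits nor forge a message the app would accept.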

2. Virtual dedicated channel for mobile:

Phone Trojans are the biggest threat to SMS-based OTPs, since mounting a large-scale Trojan attack is no longer difficult. This approach counters them with a little operating system support and minimal or no support from mobile network providers. Certain SMS messages are protected against eavesdropping by delivering them only to a special channel or application: a dedicated virtual channel in the phone's operating system redirects these messages to a specific OTP application, out of reach of other software. Private application storage keeps this protection intact.

Lastly, whichever approach you choose, no technology can guarantee 100% security. The key is to keep up with the rapid changes taking place in technology.
