SMS-Based One-Time Password: Risks and Protection Tips

As the digital world has evolved, so has the need to protect customer identities. Today’s customers expect a secure experience from the organizations they deal with, while the growing use of cloud-based services and mobile devices has increased the risk of data breaches. Did you know that overall account hacking losses increased by 61% to $2.3 billion and incidents increased by up to 31% compared to 2014?

The SMS-based one-time password (OTP) is a technology invented to deal with phishing and other authentication risks on the web. In general, SMS-based OTPs are used as the second factor in two-factor authentication (2FA) solutions: after entering their credentials, users must submit a unique OTP to be verified on the website. 2FA has become an effective way to reduce hacking incidents and prevent identity fraud.

Unfortunately, SMS-based OTPs are no longer secure. There are two main reasons for this:

  • First, the security of an SMS-based OTP rests entirely on the confidentiality of the text message. That message in turn relies on the security of the cellular network, and it has become clear that on many GSM and 3G networks the privacy of SMS essentially cannot be guaranteed.
  • Second, attackers are working hard to get at customer data and have developed many specialized mobile phone Trojans for exactly that purpose.

Let’s talk about them in detail!

Main risks associated with SMS-based OTP:

The attacker’s key goal is to acquire the one-time password, and several techniques have been developed to make that possible: mobile phone Trojans, wireless interception and SIM swapping attacks. Let’s discuss them in detail:

1. Wireless interception:

Many factors make GSM technology less secure, such as the lack of mutual authentication and the lack of strong encryption algorithms. Communication between mobile phones and base stations can be intercepted and, with the help of some protocol weaknesses, it can also be deciphered. In addition, 3G communication can be intercepted by abusing femtocells: modified firmware with tracking and interception capabilities is installed on the femtocell, and the device can then be used to mount further attacks against the mobile phones that connect to it.

2. Trojans for mobile phones:

The most recent emerging threat to mobile devices is mobile malware, especially Trojans. These malicious programs are specifically designed to intercept SMS containing one-time passwords, and the main motive behind creating them is financial gain. Let us look at the different types of Trojans that are capable of stealing SMS-based OTPs.

The first known Trojan was ZITMO (Zeus In The Mobile) for Symbian OS. This Trojan was developed to intercept mTANs (mobile transaction authentication numbers). It hooks into the Symbian operating system so that incoming SMS are intercepted, and it offers further features such as message forwarding and message deletion. The deletion capability completely hides the fact that the message ever arrived.

A similar Trojan for Windows Mobile, named Trojan-Spy.WinCE.Zot.a, was identified in February 2011. Its characteristics were similar to those of the previous one.

There are also Trojans for Android and for BlackBerry from RIM. All of these known Trojans are user-installed software, so they do not exploit any security vulnerability in the affected platform; instead, they rely on social engineering to convince the user to install the binary.

3. Wi-Fi and free public hotspots:

Today, it is no longer difficult for attackers to use an unsecured Wi-Fi network to distribute malware. Planting infected software on your mobile device is easy if you allow file sharing over the network. Furthermore, some criminals are able to compromise the hotspot itself, and then present a pop-up window during the connection process asking the user to “update” some popular software.

4. SMS encryption and mirroring:

SMS transmission from the institution to the client occurs in plain text, and the message passes through various intermediaries such as the SMS aggregator, the mobile network provider and the application management provider. Weak security controls at any of these intermediaries, or collusion between one of them and an attacker, poses a huge risk. In addition, attackers frequently obtain a duplicate SIM by presenting fake ID proof at the mobile operator’s retail point of sale, which blocks the victim’s SIM; from then on, the attacker receives every OTP sent to that number.

5. Madware:

Madware is aggressive advertising software, bundled with free mobile apps, that serves targeted advertising based on smartphone data and location. Some of these programs also behave as spyware: they capture personal data and transfer it to the owner of the application.

What is the solution?

Preventive measures are needed to guard against the weaknesses of SMS-based one-time passwords. There are several solutions, such as introducing hardware tokens: when a transaction is made, the token generates the one-time password itself. Another option is a one-touch authentication process. Alternatively, an application installed on the mobile phone can generate the OTP locally. Here are two more tips to secure SMS-based OTP:

1. SMS end-to-end encryption:

In this approach, end-to-end encryption protects the one-time passwords so that they are useless to anyone who eavesdrops on the SMS. It makes use of the “private app storage” available on most mobile phones today: a persistent storage area that is private to each application, so only the application that stores the data can read it. The first step is the same OTP generation process as before, but in the second step the OTP is encrypted with a client-specific key before being sent to the client’s mobile. On the receiver’s phone, a dedicated app decrypts and displays the OTP. This means that even if a Trojan gains access to the SMS, it cannot decrypt the OTP because it does not hold the required key.
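An added example, not the article’s own code, of the two-step process above in Go: the OTP from the generation step is sealed with AES-GCM under an assumed per-client key that the dedicated app keeps in private app storage, and only a holder of that key can open the SMS body. Provisioning of the key to the app at enrolment is assumed to have already happened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newAEAD wraps the client-specific key in AES-GCM, so tampering with the SMS body is detected as well.
func newAEAD(clientKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(clientKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealOTP is the server side: the freshly generated OTP is encrypted under the client's key, and the
// returned string is the SMS body that the aggregator, the carrier and any eavesdropper will see.
func sealOTP(clientKey []byte, otp string) (string, error) {
	aead, err := newAEAD(clientKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// nonce || ciphertext || tag, base64-encoded so it travels as an ordinary text SMS
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(otp), nil)), nil
}

// openOTP runs in the dedicated app: only a holder of clientKey (kept in private app storage) recovers
// the code; a Trojan reading the SMS store, or a different device, gets an error instead.
func openOTP(clientKey []byte, smsBody string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(smsBody)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(clientKey)
	if err != nil || len(sealed) < aead.NonceSize() {
		return "", fmt.Errorf("bad key or malformed SMS body")
	}
	pt, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("decryption failed: wrong key or tampered message")
	}
	return string(pt), nil
}
```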

2. Virtual dedicated channel for mobile:

Phone Trojans are the biggest threat to SMS-based OTPs, since mounting a large-scale Trojan campaign is no longer difficult. This approach requires minimal support from the operating system and little to no support from mobile network providers. Certain SMS are protected from eavesdropping by delivering them only to a special channel or application: a dedicated virtual channel in the mobile phone’s operating system redirects these messages to a specific OTP application, out of reach of other software on the device. Private app storage then keeps the delivered messages protected.

Ultimately, whichever process you choose, no technology can guarantee 100% security. The key is to stay aware of, and up to date with, the rapid changes in technology.
