As the digital world evolved, so did the need to protect customer identities. Today’s customers expect a secure experience from organizations. The increasing use of cloud-based services and mobile devices has also increased the risk of data breaches. Did you know that overall account hacking losses were up 61% to $2.3bn and incidents were up 31% compared to 2014?
SMS-based One Time Password is a technology invented to combat spoofing and other authentication-related security risks in the web world. In general, SMS-based OTPs are used as the second factor in two-factor authentication solutions. Requires users to submit a unique OTP after entering credentials in order for them to be verified on the website. 2FA has become an effective way to reduce hacking incidents and prevent identity fraud.
But unfortunately, SMS-based OTPs are no longer secure nowadays. There are two main reasons behind this:
- First of all, the main security of the SMS-based OTP is based on the privacy of the text message. But this SMS is based on the security of cellular networks and lately many of the GSM and 3G networks have implied that the privacy of these SMS cannot be essentially guaranteed.
- Second, hackers are trying their best to meddle with customer data and have therefore developed many specialized mobile phone Trojans to access customer data.
Let’s talk about them in detail!
Main risks associated with SMS-based OTP:
The key objective of the attacker is to acquire this one-time password and to make it possible, many of the options are developed, such as mobile phone trojans, wireless interception, SIM swapping attacks. Let’s discuss them in detail:
1.Wireless interception:
There are many factors that make GSM technology less secure, such as lack of mutual authentication, lack of strong encryption algorithms, etc. It is also found that the communication between mobile phones or base stations can be intercepted and with the help of some weaknesses of the protocol, it can also be decrypted. In addition, it is found that by abusing femtocells, 3G communication can also be intercepted. In this attack, a modified firmware is installed on the femtocell. This firmware contains tracking and interception capabilities. Additionally, these devices can be used to mount attacks against mobile phones.
2. Trojans for mobile phones:
The most recent emerging threats to mobile devices are mobile phone malware, especially Trojans. These malicious programs are specifically designed to intercept SMS containing one-time passwords. The main goal behind the creation of such malware is to earn money. Let’s understand the different types of Trojans that are capable of stealing SMS-based OTPs.
The first known Trojan was ZITMO (Zeus In The Mobile) for Symbian OS. This Trojan was developed to intercept mTAN. The Trojan has the ability to register with the Symbian operating system so that when SMS is intercepted. It contains more features like message forwarding, message deletion, etc. The deletion capability completely hides the fact that the message ever arrived.
A similar type of Trojan for Windows Mobile was identified in February 2011, named Trojan-Spy.WinCE.Zot.a. The characteristics of this Trojan were similar to the previous ones.
There are also RIM’s Android and Black Berry Trojans. All of these known Trojans are user-installed software and therefore do not exploit any security vulnerabilities on the affected platform. Furthermore, they make use of social engineering to convince the user to install the binary.
3. Free Wi-Fi and public hotspots:
Today, it is no longer difficult for hackers to use an unsecured WiFi network to distribute malware. Planting infected software on your mobile device is no longer a difficult task if you allow file sharing over the network. Furthermore, some of the criminals also have the ability to hack into the hotspots. Therefore, they present a pop-up window during the connection process asking them to update some popular software.
4. SMS encryption and mirroring:
The transmission of SMS from the institute to the client occurs in plain text format. And I must say that it goes through various intermediaries like SMS aggregator, mobile provider, application management provider etc. And any collusion by hackers with weak security controls can pose a huge risk. Also, many times, the hackers lock the SIM by providing a fake ID proof and acquire the duplicate SIM by visiting the retail outlet of the mobile operators. Now, the hacker, if he is free to access all the OTPs, he got to that number.
5. Malware:
Madware is the type of aggressive advertising that helps to provide targeted advertising through smartphone data and location by providing free mobile apps. But some of the malicious programs have the ability to work as spyware, so they can capture personal data and transfer it to the owner of the application.
What is the solution?
It is necessary to employ some preventive measures to ensure security against the SMS-based one-time password vulnerability. There are many solutions here, such as introducing hardware tokens. In this approach, when performing a transaction, the token will generate a one-time password. Another option is to use a one-touch authentication process. In addition, the installation of an application on the mobile phone may also be required to generate OTP. Here are two more tips to secure SMS-based OTP:
1. SMS end-to-end encryption:
In this approach, end-to-end encryption protects one-time passwords to eliminate their usability if the SMS is listened to. It makes use of the “private app storage” available on most mobile phones today. This permanent storage area is private to each application. Only the application that stores the data can access this data. In this process, the first step contains the same OTP generation process, but in the second step, this OTP is encrypted with a customer-centric key and the OTP is sent to the customer’s mobile. On the recipient’s phone, a dedicated app displays this OTP after decryption. This means that even if the Trojan can gain access to the SMS, it will not be able to crack the OTP due to the absence of the required key.
2. Dedicated virtual channel for mobile:
Since phone Trojans are the biggest threat to SMS-based OTPs, since performing a large-scale Trojan attack is no longer difficult, this process requires minimal support from the operating system and little to no support from network providers. mobile. In this solution, certain SMS are protected from eavesdropping by sending them only to a special channel or application. The process requires a dedicated virtual channel in the mobile phone operating system. This channel redirects some messages to a specific OTP application, making them secure against eavesdropping. The use of private application storage ensures the security of this protection.
Finally, regardless of the process you choose, no technology can guarantee you 100% security. The key here is to stay aware and up-to-date with the rapid changes that occur in technology.