SMS Based One Time Password: Risks and Safeguarding Tips

With the digital world evolution, the need to secure customer identities also evolved. The customers of today are expecting a secure experience from organizations. The increasing utilization of cloud based services and mobile devices has also enhanced the risk of data breaches. Do you know the overall account hacking losses increased 61% to $2.3 billion and the incidents increased up to 31% compared to 2014?

SMS based One-Time Password is a technology invented to deal with counter phishing and other authentication related security risk in the web world. In general, SMS based OTPs are used as the second factor in two factor authentication solutions. It requires users to submit a unique OTP after entering credentials to get themselves verified on the website. 2FA has become an effective way to reduce hacking incidents and preventing identity frauds.

But unfortunately, SMS based OTP are no longer secure nowadays. There are two main reasons behind this:

  • First, the major security of the SMS based OTP relies on the privacy of the text message. But this SMS relies on security of the cellular networks and lately, many of the GSM and 3G networks have implied that the privacy of these SMS cannot be essentially provided.
  • Second, hackers are trying their best to intrude in customers data and therefore have developed many specialized mobile phone trojans to get into customers data.

Let’s talk about them in detail!

Major risks associated with SMS based OTP:

The key goal of the attacker is to acquire this one time password and to make it possible, many of the options are developed like mobile phone Trojans, wireless interception, SIM Swap attacks. Let’s discuss them in detail:

1. Wireless Interception:

There are many factors that make GSM technology less secure like lack of mutual authentication, lack of robust encryption algorithms, etc. It is also found that the communication between mobile phones or base stations can be eavesdropped and with the help of some protocol weaknesses, can be decrypted too. Moreover, it is found that by abusing femtocells also 3G communication can be intercepted. In this attack, a modified firmware is installed on the femtocell. This firmware contains capabilities of sniffing and interception. Also these devices can be used for mounting attacks against mobile phones.

2. Mobile phone trojans:

The latest rising threats for mobile devices are the mobile phone malwares, specially Trojans. These malwares are designed specifically to intercept the SMS that contains One Time Passwords. The major goal behind creating such malwares is to earn money. Let’s understand the different types of Trojans that are capable of stealing SMS based OTPs.

The first known piece of Trojans was ZITMO (Zeus In The Mobile) for Symbian OS. This trojan was developed to intercept mTANs. The trojan has the capability to get itself registered to the Symbian OS so that when they the SMS can be intercepted. It contains more features like message forwarding, message deletion, etc. Deletion ability completely hides the fact the message ever arrived.

Similar kind of Trojan for Windows Mobile was identified in Feb 2011, named as Trojan-Spy.WinCE.Zot.a The features of this Trojan were similar to above one.

The Trojans for Android and RIM’s Black Berry also exist. All of these known Trojans are user installed softwares which is why they don’t leverage any security vulnerability of the affected platform. Also, they make use of social engineering to convince user into installing the binary.

3. Free public Wi-Fi and hotspots:

Nowadays, it is no longer difficult for hackers to use an unsecured WiFi network to distribute malware. Planting an infected software on your mobile device is no longer a tough task if you are allowing file sharing across the network. Additionally, some of the criminals have also got the ability of hack the connection points. Thus they present a pop-up window during connection process which requests them to upgrade some popular software.

4. SMS encryption and duplication:

The transmission of SMS from the institute to customer occurs in plain text format. And need I say, it passes through several intermediaries like SMS aggregator, mobile vendor, application management vendor, etc. And any of the collusion of hacker with weak security controls can pose a huge risk. Additionally many a times, hackers get the SIM blocked by providing a fake ID proof and acquire the duplicate SIM by visiting mobile operators’ retail outlet. Now the hacker if free to access all the OTPs arrived on that number.

5. Madware:

Madware is the type of aggressive advertising that helps providing targeted advertising through the data and location of Smartphone by providing free mobile applications. But some of the madware have the capability to function like Spyware thereby being able to capture personal data and transfer them to app owner.

What is the solution?

Employing some preventing measures is must to ensure security against the vulnerability of SMS based One time password. There are many solutions here like introducing Hardware tokens. In this approach, while performing a transaction, the token will generate a one time password. Another option is using a one touch authentication process. Additionally, an application can also be required to install on mobile phone to generate OTP. Below are two more tips to secure SMS based OTP:

1. SMS end to end encryption:

In this approach, end-to-end encryption to protect one time passwords so that removing its usability if the SMS is eavesdropped on. It makes use of the “application private storage” available in most of the mobile phones nowadays. This permanent storage area is private to every application. This data can be accessed only by the app that is storing the data. In this process, the first step contains the same process of generating OTP, but in the second step this OTP is encrypted with a customer-centric key and the OTP is sent to the customer’s mobile. On the receiver’s phone, a dedicated application displays this OTP after decrypting it. This means even if the Trojan is able to get access to the SMS, it won’t be able to decrypt the OTP due the absence of required key.

2. Virtual dedicated channel for the mobile:

As phone Trojans are the biggest threat to SMS based OTP, since performing Trojan attack on large scale is not difficult anymore, this process requires minimal support from OS and minimal-to-no support from the mobile network providers. In this solution, certain SMS are protected from eavesdropping by delivering them to only a special channel or app. The process requires a dedicated virtual channel in the mobile phone OS. This channel redirects some messages to a specific OTP application thus making them secure against eavesdropping. The use of application private storage ensures security to this protection.

Lastly, no matter which process you choose, no technology can ensure you 100% security. The key here is to be attentive and updated of the rapid changes occurring in technology.