This past week, I was made aware of two attacks on SMS/OTP, which is commonly used by non-U.S. banks, and now Google Apps, for two-factor authentication.
I just had a demo of a phishing attack that captured my login ID and password to my presumed bank, and then told me to wait. The fraudsters then used the credentials I gave them to log in to my bank account and move some money out of it. The bank then generated an OTP (to confirm the transaction), which was sent to my cell phone, which the phishing attack site then asked me to enter into the phishing site, whereupon the crooks passed it through to the online banking site to confirm the money transfer transaction.
I learned of a second attack on SMS/OTP by reading blogs posted by S21Sec, which found an attack that loaded malware on users' phones (Symbian (.sis) or BlackBerry (.jad) applications) that sniffs SMS messages and sends them to criminal command and control servers for fraudster use. This is spawning the long anticipated new generation of man-in-the-mobile attacks. For more information on it, read this blog and their follow-ons:
So what's the lesson here?
SMS/OTP can be fairly easily defeated. Companies that want to protect accounts and information with out-of-band communications must move to transaction signing, not just simple OTP authentication: the OTP is tied to the transaction details, those details are clearly displayed to the user, and only that exact transaction can be executed with the code.
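To make the difference concrete, here is an added example (not code from this post, the bank, or S21Sec) of a transaction-signing code versus a plain OTP. The key, amounts, account strings and counter are constructed placeholders; the code is an HMAC over the counter, amount and beneficiary, so a code relayed by a phisher does not verify for a transfer with different details, and the out-of-band message shows the user what they are actually authorising.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank and the user's OTP channel;
# a real deployment uses a per-user key provisioned to the device or token.
USER_KEY = b"constructed-demo-key-do-not-reuse"


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 style dynamic truncation of an HMAC into a short decimal code."""
    offset = digest[-1] & 0x0F
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def plain_otp(key: bytes, counter: int) -> str:
    """Simple event-based OTP: bound to a counter only, not to what it authorises."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(key: bytes, counter: int, amount_cents: int, beneficiary: str) -> str:
    """Transaction-signing code: the MAC also covers the details shown to the user.
    Counter and amount are fixed-width fields, so the encoding is unambiguous."""
    msg = struct.pack(">QQ", counter, amount_cents) + beneficiary.encode("utf-8")
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def sms_text(counter: int, amount_cents: int, beneficiary: str) -> str:
    """Out-of-band message: the user can check the details before typing the code."""
    code = transaction_code(USER_KEY, counter, amount_cents, beneficiary)
    return f"Transfer {amount_cents / 100:.2f} EUR to {beneficiary}. Code {code} is valid only for this transfer."


def bank_executes(counter: int, amount_cents: int, beneficiary: str, submitted: str) -> bool:
    """Server side: recompute the code over the transaction it is about to execute."""
    expected = transaction_code(USER_KEY, counter, amount_cents, beneficiary)
    return hmac.compare_digest(expected, submitted)


def relay_scenario() -> dict:
    """Phisher relays the user's code but submits different transfer details (constructed)."""
    counter = 42
    user_amount, user_dest = 5000, "DE00 USER PAYEE"
    relayed = transaction_code(USER_KEY, counter, user_amount, user_dest)
    return {
        "legit": bank_executes(counter, user_amount, user_dest, relayed),
        "fraud": bank_executes(counter, 250000, "DE00 MULE ACCOUNT", relayed),
        # a plain OTP carries no transaction details, so it verifies the same for any transfer
        "plain_otp_is_transaction_blind": plain_otp(USER_KEY, counter) == plain_otp(USER_KEY, counter),
    }
```

The binding only helps when the user checks the displayed details; a code for a transfer the fraudster initiated still verifies for that transfer, which is why the message must show amount and beneficiary.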
Fraud detection is also a must-have additional layer.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.