Gartner Blog Network


SMS/OTP under attack – Man in the Mobile

by Avivah Litan  |  September 28, 2010  |  1 Comment

This past week, I was made aware of two attacks on SMS/OTP which is commonly used by non-U.S. banks, and now Google Apps, for two factor authentication.

I just had a demo of a phishing attack that captured my log in id and password to my presumed bank, and then told me to wait.  The fraudsters then used the credentials I gave them to log in to my bank account and move some money out of it. The bank then generated an OTP (to confirm the transaction) which was sent to my cell phone, which the phishing attack site then asked me to enter into the phishing site, whereupon the crooks passed it through to the online banking site to confirm the money transfer transaction.

I learned of a second attack on SMS/OTP by reading blogs posted by S21Sec, which found an attack that loaded malware on user’s phones (Symbian (.sis) or BlackBerry (.jad) applications) that sniff SMS messages and send them to criminal command and control servers for fraudster use. This is spawning the long anticipated new generation of man-in-the-mobile attacks. For more information on it, read this blog and their follow ons:

http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

So what’s the lesson here:

SMS/OTP can be fairly easily defeated.  Companies that want to protect accounts and information with out-of-band communications must move to transaction signing – not just simple OTP authentication – where the OTP is tied to transaction details that are clearly displayed to the user and only those transaction details can be executed.

Fraud detection is also a must-have additional layer.

Category: 

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio


Thoughts on SMS/OTP under attack – Man in the Mobile


  1. […] This post was mentioned on Twitter by Alex Waddell, 최진영. 최진영 said: 보안 분야는 모순으로 발전하는 끝이 없는 분야인 것 같습니다. 그 끝은 악한 사람이 사라지던가 아니면 신과 같은 완벽한 시스템인가요? SMS/OTP under attack – Man in the Mobile http://bit.ly/acPEgQ […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.