This past week, I was made aware of two attacks on SMS/OTP, which is commonly used by non-U.S. banks, and now Google Apps, for two-factor authentication.
I just had a demo of a phishing attack that captured my login ID and password for my presumed bank, and then told me to wait. The fraudsters then used the credentials I gave them to log in to my bank account and move some money out of it. The bank then generated an OTP (to confirm the transaction) and sent it to my cell phone; the phishing site asked me to enter that OTP, whereupon the crooks passed it through to the online banking site to confirm the money transfer.
I learned of a second attack on SMS/OTP by reading blogs posted by S21Sec, which found an attack that loads malware on users' phones (Symbian (.sis) or BlackBerry (.jad) applications) that sniffs SMS messages and sends them to criminal command and control servers for fraudster use. This is spawning the long-anticipated new generation of man-in-the-mobile attacks. For more information on it, read this blog and their follow-ons:
So what's the lesson here?
SMS/OTP can be fairly easily defeated. Companies that want to protect accounts and information with out-of-band communications must move to transaction signing – not just simple OTP authentication – where the OTP is tied to transaction details that are clearly displayed to the user, so that only those transaction details can be executed.
Fraud detection is also a must-have additional layer.
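To make the transaction-signing point concrete, here is an added example (not from the original post or from any bank's implementation) contrasting a plain time-based OTP with a code whose HMAC also covers the beneficiary and amount the user saw. It assumes a signing app or token that shares a secret with the bank and computes the code over the displayed details; the secret, account names and amounts are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank and the user's signing app (not a real key).
SHARED_SECRET = b"demo-shared-secret-not-real"
STEP_SECONDS = 300  # validity window of a code


def _truncate(mac: bytes, digits: int = 8) -> str:
    # Dynamic truncation as in RFC 4226: 31 bits taken at an offset chosen by the last nibble of the MAC.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def plain_otp(secret: bytes, now: int) -> str:
    # Simple time-based OTP: bound only to the secret and the time window, not to what is being approved.
    return _truncate(hmac.new(secret, struct.pack(">Q", now // STEP_SECONDS), hashlib.sha256).digest())


def verify_plain_otp(secret: bytes, now: int, submitted: str, beneficiary: str, amount_cents: int) -> bool:
    # The transaction parameters are ignored: any transfer the attacker chooses is confirmed by the same code.
    return hmac.compare_digest(plain_otp(secret, now), submitted)


def canonical_transaction(beneficiary: str, amount_cents: int, currency: str) -> bytes:
    # Fixed, unambiguous encoding of exactly the details displayed to the user; both sides must use it.
    return f"{beneficiary}|{amount_cents}|{currency}".encode("utf-8")


def signing_code(secret: bytes, now: int, beneficiary: str, amount_cents: int, currency: str) -> str:
    # Transaction signing: the MAC covers the time window AND the displayed transaction details.
    msg = struct.pack(">Q", now // STEP_SECONDS) + canonical_transaction(beneficiary, amount_cents, currency)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def verify_signing_code(secret: bytes, now: int, submitted: str, beneficiary: str, amount_cents: int, currency: str) -> bool:
    # The bank recomputes the code over the transfer it is about to execute; a code for other details fails.
    expected = signing_code(secret, now, beneficiary, amount_cents, currency)
    return hmac.compare_digest(expected, submitted)


def demo(now: int = 1_700_000_000) -> dict:
    # Constructed scenario: the user approves a rent payment; a phishing relay submits a transfer to a mule account.
    intended = ("LANDLORD-ACCT", 50_000, "EUR")
    relayed = ("MULE-ACCT", 50_000, "EUR")
    captured_otp = plain_otp(SHARED_SECRET, now)                # what the phishing site harvests in the plain scheme
    captured_sig = signing_code(SHARED_SECRET, now, *intended)  # what it harvests when codes are transaction-bound
    return {
        "plain_otp_confirms_relayed_transfer": verify_plain_otp(SHARED_SECRET, now, captured_otp, *relayed[:2]),
        "signed_code_confirms_intended_transfer": verify_signing_code(SHARED_SECRET, now, captured_sig, *intended),
        "signed_code_confirms_relayed_transfer": verify_signing_code(SHARED_SECRET, now, captured_sig, *relayed),
    }
```

Running `demo()` shows the captured plain OTP confirming the mule transfer, while the transaction-bound code verifies only for the details the user actually saw.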
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.