Blog post

SMS/OTP under attack – Man in the Mobile

By Avivah Litan | September 28, 2010 | 0 Comments

This past week, I was made aware of two attacks on SMS/OTP, which is commonly used by non-U.S. banks, and now Google Apps, for two-factor authentication.

I just had a demo of a phishing attack that captured my login ID and password to my presumed bank, and then told me to wait. The fraudsters then used the credentials I gave them to log in to my bank account and move some money out of it. The bank then generated an OTP (to confirm the transaction), which was sent to my cell phone; the phishing site then asked me to enter it, whereupon the crooks passed it through to the online banking site to confirm the money transfer transaction.

I learned of a second attack on SMS/OTP by reading blogs posted by S21Sec, which found an attack that loaded malware on users' phones (Symbian (.sis) or BlackBerry (.jad) applications) that sniffs SMS messages and sends them to criminal command and control servers for fraudster use. This is spawning the long anticipated new generation of man-in-the-mobile attacks. For more information on it, read this blog and their follow-ons:

http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html

So what's the lesson here?

SMS/OTP can be fairly easily defeated. Companies that want to protect accounts and information with out-of-band communications must move to transaction signing, not just simple OTP authentication, where the OTP is tied to transaction details that are clearly displayed to the user and only those transaction details can be executed.
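To make the difference concrete, here is an added Python example (not code from the post or from any bank or vendor it mentions) contrasting a plain counter-based OTP with a transaction-bound confirmation code. The key, account numbers, amounts and message format are constructed for the demo; the code derives both kinds of OTP from a truncated HMAC, which is an assumption about the construction, not a description of any specific bank's scheme. The point it shows is the one the paragraph makes: a plain OTP relayed through a phishing page or sniffed from SMS validates whatever transaction the attacker submits, while a code bound to the displayed details validates only the transaction the user actually saw.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """The transaction details the bank shows the user before asking for a code."""
    from_account: str
    to_account: str
    amount_cents: int


# Assumption: a per-user secret shared between the bank's OTP generator and verifier.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _six_digits(digest: bytes) -> str:
    # Truncate an HMAC digest to a six-digit code, the usual SMS-friendly form.
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def plain_otp(key: bytes, counter: int) -> str:
    """Simple OTP: depends only on the shared key and a counter, not on what is being confirmed."""
    return _six_digits(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(key: bytes, transfer: Transfer, nonce: str) -> str:
    """Transaction-signing OTP: the code commits to the displayed details and a one-time nonce."""
    msg = f"{transfer.from_account}|{transfer.to_account}|{transfer.amount_cents}|{nonce}".encode()
    return _six_digits(hmac.new(key, msg, hashlib.sha256).digest())


def verify_plain(key: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(plain_otp(key, counter), code)


def verify_transaction(key: bytes, transfer: Transfer, nonce: str, code: str) -> bool:
    # The verifier recomputes the code over the transaction it is about to execute,
    # so a code issued for different details can never authorize this one.
    return hmac.compare_digest(transaction_code(key, transfer, nonce), code)


def sms_text(key: bytes, transfer: Transfer, nonce: str) -> str:
    """What the bank should send: the details alongside the code, so the user can compare them."""
    return (f"Confirm transfer of {transfer.amount_cents / 100:.2f} from {transfer.from_account} "
            f"to {transfer.to_account}. Code: {transaction_code(key, transfer, nonce)}")


def demo() -> dict:
    # Constructed scenario: the user intends one transfer, the attacker substitutes another
    # and replays the code the user was shown (as in a real-time phishing relay or SMS sniffing).
    intended = Transfer("ACCT-USER-001", "ACCT-PAYEE-777", 5_000)
    altered = Transfer("ACCT-USER-001", "ACCT-MULE-999", 950_000)
    nonce = secrets.token_hex(8)
    counter = 42

    relayed_plain = plain_otp(DEMO_KEY, counter)               # what the user typed into the phishing page
    relayed_bound = transaction_code(DEMO_KEY, intended, nonce)  # code from the transaction-bound SMS

    return {
        "plain_otp_accepts_altered_transfer": verify_plain(DEMO_KEY, counter, relayed_plain),
        "bound_code_accepts_altered_transfer": verify_transaction(DEMO_KEY, altered, nonce, relayed_bound),
        "bound_code_accepts_intended_transfer": verify_transaction(DEMO_KEY, intended, nonce, relayed_bound),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
    print(sms_text(DEMO_KEY, Transfer("ACCT-USER-001", "ACCT-PAYEE-777", 5_000), "demo-nonce"))
```

The binding only helps if the SMS carries the details the code was computed over and the user reads them before typing the code; if the attacker has already altered the transfer, the message now names the attacker's payee and amount, which is what gives the user a chance to notice. A nonce (or the bank's own transaction id) keeps a code from being replayed for a repeat of the same transfer.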

Fraud detection is also a must-have additional layer.
