SMS-based Two-Factor Authentication
Risk analysis
SMS-based Two-Factor Authentication - Risk analysis
© 2005 VASCO Data Security. All rights reserved. Page 1 of 11
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security
assumes no responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or
indirectly from any use of the information contained in this document.
Copyright
© VASCO Data Security 2005. All rights reserved.
Trademarks
DIGIPASS and VACMAN are trademarks of VASCO Data Security.
All other trademarks are trademarks of their respective owners.
Table of Contents
Disclaimer ...................................................................................................... 2
Table of Contents............................................................................................ 3
1 Introduction.............................................................................................. 5
2 SMS-based two-factor authentication ....................................................... 5
2.1 SMS-based user authentication ............................................................. 6
2.2 SMS-based transaction authentication.................................................... 7
3 Threats ..................................................................................................... 8
3.1 Security............................................................................................. 8
3.1.1 Security of SMS-based user authentication .......................................... 8
3.1.2 Security of SMS-based transaction authentication................................. 9
3.2 Reliability......................................................................................... 11
3.3 Cost ................................................................................................ 11
4 Conclusion .............................................................................................. 11
Document history
Version 1.0 | Author: Frederik Mennes | Comments: Creation of document | Date: October 17, 2005
1 Introduction
This document analyses the risk associated with deploying SMS-based two-factor
authentication.
Section 2 presents the concept. Section 3 outlines a number of threats. We draw our
conclusions in Section 4.
2 SMS-based two-factor authentication
In this section we briefly describe the concept of SMS-based two-factor
authentication.
2.1 SMS-based user authentication
When a user wants to authenticate himself to the Internet banking application of a
bank, the process goes as follows (see Figure 1):
• The user surfs to the Internet banking application and provides his username
and static password to the application. The application sends username and
password to the banking server. The banking server verifies the
username/password combination. (Steps 1, 2)
• If the combination is valid, the banking server generates a one-time password
and sends it to the user in an SMS-message. (Steps 3, 4, 5)
• Upon receipt of the SMS-message, the user provides the Internet banking
application with the one-time password. The application sends this one-time
password to the banking server. (Steps 6, 7)
• The banking server verifies whether or not the one-time password provided by
the user matches the password it has sent out. If this is the case, the user has
successfully been authenticated. (Step 8)
Figure 1: SMS-based user authentication
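The login flow above, as an added example that is not part of the original paper: a minimal server-side model of Steps 2, 3, 5 and 8 in Python, with a fake SMS gateway standing in for the operator link. The user table, the phone number, the six-digit code length, the two-minute validity window, the three-attempt limit and the plaintext password comparison are all assumptions made for the demonstration; the paper fixes none of them.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6            # assumed code length; the paper does not fix one
OTP_TTL_SECONDS = 120     # assumed validity window
MAX_ATTEMPTS = 3          # assumed guess limit per issued code


class LoginServer:
    """Server side of the Figure 1 flow: Step 2 (password check), Step 3 (OTP
    generation), Step 5 (hand-off to the SMS operator) and Step 8 (OTP check)."""

    def __init__(self, users, send_sms, clock=time.time):
        self._users = users          # username -> (static password, phone number)
        self._send_sms = send_sms    # callable(phone, text): the operator link
        self._clock = clock
        self._pending = {}           # username -> [otp, expiry, failed attempts]

    def login_step1(self, username, password):
        """Steps 1-5: check the static password and, only if it is right, send a code."""
        user = self._users.get(username)
        # Plaintext comparison is for the demo only; a real server checks a password hash.
        if user is None or not hmac.compare_digest(user[0], password):
            return False
        # Step 3: the code comes from a CSPRNG, never from a counter or timestamp,
        # because an eavesdropper must not be able to predict the next one.
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[username] = [otp, self._clock() + OTP_TTL_SECONDS, 0]
        # Steps 4-5: from here on the bank no longer controls who reads the code.
        self._send_sms(user[1], f"Your login code is {otp}")
        return True

    def login_step2(self, username, submitted_otp):
        """Step 8: compare the submitted code with the one that was sent out."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        otp, expiry, attempts = entry
        if self._clock() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[username]          # stale or brute-forced: throw it away
            return False
        entry[2] += 1
        if not hmac.compare_digest(otp, submitted_otp):
            return False
        # Single use: a code captured on the SMS path cannot be replayed once the
        # genuine user has consumed it.
        del self._pending[username]
        return True


def demo():
    """Run the flow against a constructed user table, a fake SMS gateway that
    records what the phone would display, and a clock we can advance."""
    outbox = []
    now = [1_700_000_000.0]
    server = LoginServer(
        {"alice": ("correct horse battery", "+32470000000")},   # constructed test user
        lambda phone, text: outbox.append(text),
        clock=lambda: now[0],
    )
    out = {}
    out["wrong_password_accepted"] = server.login_step1("alice", "wrong")
    out["sms_sent_for_wrong_password"] = bool(outbox)
    out["password_accepted"] = server.login_step1("alice", "correct horse battery")
    code = outbox[-1].split()[-1]                       # what the user reads off the phone
    wrong = str((int(code) + 1) % 10**OTP_DIGITS).zfill(OTP_DIGITS)
    out["wrong_otp_accepted"] = server.login_step2("alice", wrong)
    out["right_otp_accepted"] = server.login_step2("alice", code)
    out["replay_accepted"] = server.login_step2("alice", code)
    server.login_step1("alice", "correct horse battery")
    code = outbox[-1].split()[-1]
    now[0] += OTP_TTL_SECONDS + 1                       # let the code expire
    out["expired_otp_accepted"] = server.login_step2("alice", code)
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The three checks that matter for the threats discussed in Section 3 are that a wrong static password never triggers an SMS (otherwise the login form is a free SMS-flooding primitive), that a code is consumed on first successful use so an eavesdropped copy cannot be replayed afterwards, and that a code stops being valid after a short window. Note that none of this helps against the real-time relay attack of Section 3.1.1: the adversary submits the genuine code inside the window, before the user does.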
2.2 SMS-based transaction authentication
We assume here that the user has successfully logged into the Internet banking
application. When a user subsequently wants to sign the data of a financial
transaction, the process goes as follows (see also Figure 2 below).
• The user enters the data of the financial transaction (e.g. amount, account)
into the Internet banking application. The application sends this data to the
banking server. (Steps 1, 2)
• The banking server generates a signature and sends this signature, together
with the transaction data, to the user via an SMS-message. (Steps 3, 4)
• Upon receipt of the SMS-message, the user checks that the data in the
SMS-message match the transaction he entered. If they do, the user provides the
Internet banking application with the signature and the transaction data. The
application forwards both to the banking server. (Steps 5, 6, 7)
The banking server verifies whether or not the signature provided by the user matches
the signature it has sent out. If this is the case, the financial transaction is conducted.
Figure 2: SMS-based transaction authentication
3 Threats
3.1 Security
3.1.1 Security of SMS-based user authentication
The following attacks are possible against SMS-based user authentication as
described above:
• Eavesdropping. SMS-based two-factor authentication systems are
characterized by the fact that the end-user does not control the generation of
the one-time password. On the contrary, it is the bank that provides the user
with the one-time password. This delivery process may give rise to a weak link
in the authentication system, because several entities can eavesdrop on the
communication link between bank and end-user. The eavesdropper can then
use the one-time password himself, effectively impersonating the genuine user.
o Members of staff of the bank can learn the one-time password.
o The link between bank and operator can be eavesdropped.
o Members of staff of the telecom operator can learn the one-time
password.
o The link between operator and user can be eavesdropped (in GSM, only the
radio link between the base station and the mobile phone is encrypted; the
rest of the path carries the message in the clear).
• Man-in-the-middle attack. An adversary can lure a user to a fake web site
and have the user disclose his username, static password and one-time
password. Once the user has been authenticated, the adversary hijacks the
banking session and conducts transactions on the user's behalf. This is a
real-time phishing/pharming attack, in which the adversary relays the traffic
between bank and user; the one-time password offers no protection here, because
the adversary simply forwards it to the bank as soon as the user types it in.
3.1.2 Security of SMS-based transaction authentication
An adversary can conduct man-in-the-middle attacks against SMS-based transaction
authentication. We differentiate between two types of man-in-the-middle attacks.
A) Adversary controls traffic between user’s PC and bank
A number of different man-in-the-middle attacks are possible, depending on the
nature of the signature:
• Signature is random number. Suppose that the signature is a random
number. The adversary watches the traffic between the banking server and the
user. When the user has entered the signature into the banking application, the
adversary changes the transaction data (e.g. amount, account). If the banking
server does not check the data again, the adversary’s transaction will be
executed.
• Signature is hash. Suppose that the signature is actually a hash of the
transaction data, computed using, for example, SHA-1, SHA-2, RIPEMD-160,
etc. Suppose also that the adversary learns which hash function is used to
compute the hash values. When the user has entered the signature into the
banking application, the adversary changes the transaction data (e.g. amount,
account) and hash. If the banking server only checks whether or not the data
and signature match, the adversary’s transaction will be executed.
• Signature is Message Authentication Code (MAC). Suppose that the
signature is actually a MAC of the transaction data, computed using a secret
key. In this case, the adversary is not able to compute matching data/signature
pairs of his own, because he does not possess the secret key.
Figure 3
In order to protect against these attacks, we make the following recommendations:
• Do NOT use random numbers as signatures.
• Do NOT use hash values as signatures.
• Do use Message Authentication Codes (MACs) as signatures.
• Do verify that the submitted signature is one the banking server actually
sent out.
• In Step 7, send only the signature and not the transaction data, or verify
that the transaction data submitted in Step 7 are identical to the data for
which the signature was generated in Step 3.
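The transaction flow of Section 2.2 and the three signature variants of case A, as an added example that is not taken from the paper: a Python model in which an adversary between the PC and the bank lets Steps 1 to 6 run honestly, so the user reads his own data in the SMS and types in the genuine signature, and then rewrites the Step 7 request. Each signature kind is tried against both the stateless check the paper warns about and the bound check of the last two recommendations. The canonical encoding of the transaction data, the 16-hex-digit signature length, the sample account numbers and the MAC key are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets


def canonical(tx):
    """Fixed-order, delimiter-separated encoding of the transaction data (assumed
    format). The signature must cover one unambiguous byte string, otherwise an
    attacker can re-pair amount and account under the same signature."""
    return f"{tx['amount']}|{tx['account']}".encode()


class TransactionServer:
    """Step 3 (signature generation) and Step 8 (signature verification) of
    Figure 2, parameterised by the kind of signature and the kind of check."""

    def __init__(self, mode, mac_key=None):
        self.mode = mode            # "random", "hash" or "mac"
        self.key = mac_key          # only used in "mac" mode
        self.pending = {}           # issued signature -> transaction it was issued for
        self.executed = []          # transactions the bank actually carried out

    def sign(self, tx):
        """Step 3. Returns the signature that goes out by SMS in Step 4."""
        if self.mode == "random":
            sig = secrets.token_hex(8)
        elif self.mode == "hash":
            sig = hashlib.sha256(canonical(tx)).hexdigest()[:16]
        else:
            sig = hmac.new(self.key, canonical(tx), "sha256").hexdigest()[:16]
        self.pending[sig] = dict(tx)
        return sig

    def verify_stateless(self, tx, sig):
        """The check the paper warns about: decide from the Step 7 submission
        alone whether data and signature 'match', then execute the submitted data."""
        if self.mode == "random":
            ok = sig in self.pending
        elif self.mode == "hash":
            ok = hmac.compare_digest(sig, hashlib.sha256(canonical(tx)).hexdigest()[:16])
        else:
            ok = hmac.compare_digest(
                sig, hmac.new(self.key, canonical(tx), "sha256").hexdigest()[:16])
        if ok:
            self.executed.append(dict(tx))
        return ok

    def verify_bound(self, tx, sig):
        """The last two recommendations: the signature must be one the bank issued,
        it is consumed once, and the bank executes the data it signed. tx may be
        None (Step 7 carries only the signature) or must equal the signed data."""
        issued_for = self.pending.pop(sig, None)
        if issued_for is None or (tx is not None and issued_for != tx):
            return False
        self.executed.append(issued_for)
        return True


def mitm_attack(server, verify, user_tx, attacker_tx):
    """Attack A of Section 3.1.2: the adversary controls the PC-bank traffic."""
    sig = server.sign(user_tx)          # Steps 1-3 run honestly
    # Steps 4-6: the SMS shows the user's own data, so he types in the signature.
    if server.mode == "hash":
        # The adversary knows the hash function and replaces the signature as well.
        sig = hashlib.sha256(canonical(attacker_tx)).hexdigest()[:16]
    return verify(attacker_tx, sig)     # Step 7 as rewritten by the adversary


def run_attack_matrix():
    """Outcome of attack A for every signature kind x verification style.
    True means the adversary's transaction was executed by the bank."""
    user_tx = {"amount": "100.00", "account": "BE00 1234 5678 9012"}       # constructed
    attacker_tx = {"amount": "9500.00", "account": "BE00 6666 6666 6666"}  # constructed
    key = secrets.token_bytes(32)       # MAC key known only to the bank
    outcome = {}
    for mode in ("random", "hash", "mac"):
        for check in ("stateless", "bound"):
            srv = TransactionServer(mode, key)
            verify = srv.verify_stateless if check == "stateless" else srv.verify_bound
            succeeded = mitm_attack(srv, verify, user_tx, attacker_tx)
            outcome[(mode, check)] = succeeded and attacker_tx in srv.executed
    return outcome


def honest_flow(mode="mac"):
    """Sanity check: a legitimate user passes the bound check exactly once."""
    srv = TransactionServer(mode, secrets.token_bytes(32))
    tx = {"amount": "100.00", "account": "BE00 1234 5678 9012"}
    sig = srv.sign(tx)
    return srv.verify_bound(tx, sig), srv.verify_bound(tx, sig)


if __name__ == "__main__":
    for (mode, check), hit in run_attack_matrix().items():
        print(f"{mode:6s} signature, {check:9s} check: attack {'SUCCEEDS' if hit else 'fails'}")
```

Run stand-alone, the matrix shows the adversary succeeding with a random number and with an unkeyed hash under the stateless check, and failing in every other cell. Two things follow. The bound check defeats attack A for any signature kind, because the bank executes the data it signed rather than whatever arrives in Step 7; that is the substance of the last two recommendations. The MAC is what additionally makes a stateless check safe, and is the variant the paper recommends: an adversary who knows the hash function produces matching data/hash pairs at will, but cannot produce a MAC without the bank's key. Neither check helps against case B below, where the adversary also reads the SMS.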
B) Adversary controls traffic between user’s PC and bank and between bank
and mobile phone
In this case the adversary can launch very powerful attacks. When a user submits
a transaction, the adversary hijacks the session between user and bank, changes
the transaction data at will, and submits the new transaction. The bank
generates a signature and sends an SMS-message to the genuine user. The
adversary, however, intercepts the SMS-message and uses the signature to
complete his own transaction, so the user never gets the chance to notice the
altered data.
This type of fraud can typically be conducted by members of staff of the telecom
operator, as they have full control over the SMS-messages. However, an adversary
can also conduct this type of attack if he intercepts the traffic between bank and
operator or between the operator and the mobile phone.
Figure 4
3.2 Reliability
The following factors influence the reliability of SMS-based two-factor authentication.
• SMS delay and loss. According to a study by KeyNote Systems, Inc.
(http://www.keynote.com), on average 94.7 % of SMS-messages arrive at their
destination, in an average of 11.8 seconds. This means that 5.3 % of the
messages arrive late or not at all. As an example, if 100,000 customers each
request one SMS-message per week, 5,300 messages will arrive late or get lost
every week.
• Coverage. In order to receive an SMS-message, one has to be in an area with
coverage for cellular phones. If this is not the case, it is not possible to conduct
an Internet banking session.
• User acceptance. Not everyone has a cellular phone, and not everybody
knows how to read SMS-messages.
3.3 Cost
• Sending SMS-messages to customers comes at a cost. The cost per SMS-message
depends on the local mobile phone operator, but $0.10 is a plausible average.
• Moreover, this cost is recurring rather than fixed: it grows with every
message sent. For example, at $0.10 per SMS-message, a customer who requests one
message per week already costs about $5 per year.
Users might not be happy to bear this cost.
4 Conclusion
It is up to the bank to assess the potential impact of the threats presented above. The
bank then has to decide whether or not the risk is acceptable.
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Sms based otp

Document history

Version   Author            Comments               Date
1.0       Frederik Mennes   Creation of document   October 17, 2005

1 Introduction

This document analyses the risk associated with deploying SMS-based two-factor authentication. Section 2 presents the concept. Section 3 outlines a number of threats. We draw our conclusions in Section 4.

2 SMS-based two-factor authentication

In this section, we briefly describe the concept of SMS-based two-factor authentication.

2.1 SMS-based user authentication

When a user wants to authenticate himself to the Internet banking application of a bank, the process goes as follows (see Figure 1):

• The user surfs to the Internet banking application and provides his username and static password to the application. The application sends username and password to the banking server. The banking server verifies the username/password combination. (Steps 1, 2)
• If the combination is valid, the banking server generates a one-time password and sends it to the user via an SMS-message. (Steps 3, 4, 5)
• Upon receipt of the SMS-message, the user provides the Internet banking application with the one-time password. The application sends this one-time password to the banking server. (Steps 6, 7)
• The banking server verifies whether or not the one-time password provided by the user matches the password it has sent out. If this is the case, the user has successfully been authenticated. (Step 8)

Figure 1: SMS-based user authentication
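The server side of the flow above (Steps 2 to 5 and Step 8), written as an added example that is not part of the VASCO document. It shows the checks a banking server should apply to a delivered one-time password so that an eavesdropped or guessed code has as little value as possible: the code is bound to the session that requested it, expires after a short window, is valid for a single use, and is compared in constant time after a bounded number of attempts. The validity window (120 s), the attempt limit (3), the user store and the outbox standing in for the SMS gateway are all assumptions made for the example.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed validity window; shortens an eavesdropper's window of opportunity
MAX_ATTEMPTS = 3        # assumed guess limit; a 6-digit code must not be brute-forceable online

# Constructed credential store for the example (a real system stores password hashes).
USERS = {"alice": "correct horse"}


class FakeClock:
    """Controllable clock so expiry can be exercised deterministically."""

    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t


class OtpServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # session id -> {"user", "otp", "expires", "attempts"}
        self.outbox = []    # (recipient, text) handed to the SMS gateway (constructed stand-in)

    def login_step1(self, session: str, username: str, password: str) -> bool:
        """Steps 1-5: check the static password; on success generate and 'send' a fresh OTP."""
        if not hmac.compare_digest(USERS.get(username, ""), password):
            return False
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # CSPRNG, fixed width
        self.pending[session] = {
            "user": username,
            "otp": otp,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((username, f"Your login code is {otp}"))
        return True

    def login_step2(self, session: str, submitted: str) -> bool:
        """Steps 6-8: compare the submitted code with the one sent for this session."""
        entry = self.pending.get(session)
        if entry is None:                       # nothing pending, or code already used
            return False
        if self.clock() > entry["expires"]:     # delivered late or captured and replayed later
            del self.pending[session]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:    # too many guesses: invalidate the code
            del self.pending[session]
            return False
        if not hmac.compare_digest(entry["otp"], submitted):
            return False
        del self.pending[session]               # single use: a replayed code fails
        return True


def run_scenarios() -> dict:
    """Exercise the checks with a fake clock; returns one boolean per scenario."""
    clk = FakeClock(1_000.0)
    srv = OtpServer(clock=clk)
    out = {}

    srv.login_step1("s1", "alice", "correct horse")
    otp = srv.outbox[-1][1].split()[-1]
    wrong = "000000" if otp != "000000" else "111111"
    out["wrong_code_rejected"] = not srv.login_step2("s1", wrong)
    out["right_code_accepted"] = srv.login_step2("s1", otp)
    out["replay_rejected"] = not srv.login_step2("s1", otp)

    srv.login_step1("s2", "alice", "correct horse")
    otp2 = srv.outbox[-1][1].split()[-1]
    clk.t += OTP_TTL_SECONDS + 1
    out["expired_rejected"] = not srv.login_step2("s2", otp2)

    srv.login_step1("s3", "alice", "correct horse")
    otp3 = srv.outbox[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        srv.login_step2("s3", "999999" if otp3 != "999999" else "888888")
    out["locked_after_guesses"] = not srv.login_step2("s3", otp3)

    out["bad_password_no_sms"] = (not srv.login_step1("s4", "alice", "wrong")) and len(srv.outbox) == 3
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

None of these checks helps against the eavesdropping case in Section 3.1.1 once the attacker reads the code before the user does; they only ensure that a code seen in transit is useful for one login, for a short time, and only inside the session that requested it, which is what makes the interception detectable when the genuine user's own attempt then fails.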
2.2 SMS-based transaction authentication

We assume here that the user has successfully logged into the Internet banking application. When a user subsequently wants to sign the data of a financial transaction, the process goes as follows (see also Figure 2 below).

• The user enters the data of the financial transaction (e.g. amount, account) into the Internet banking application. The application sends this data to the banking server. (Steps 1, 2)
• The banking server generates a signature and sends this signature, together with the transaction data, to the user via an SMS-message. (Steps 3, 4)
• Upon receipt of the SMS-message, the user verifies whether or not the data in the SMS-message match his transaction data. If they match, the user provides the Internet banking application with the signature and transaction data. The application sends this signature to the banking server. (Steps 5, 6, 7)

The banking server verifies whether or not the signature provided by the user matches the signature it has sent out. If this is the case, the financial transaction is conducted.

Figure 2: SMS-based transaction authentication

3 Threats

3.1 Security

3.1.1 Security of SMS-based user authentication

The following attacks are possible against SMS-based user authentication as described above:

• Eavesdropping. SMS-based two-factor authentication systems are characterized by the fact that the end-user does not control the generation of the one-time password. On the contrary, it is the bank that provides the user with the one-time password. This delivery process may give rise to a weak link in the authentication system, because several entities can eavesdrop on the communication link between bank and end-user. The eavesdropper can then use the one-time password himself, effectively impersonating the genuine user.
  o Members of staff of the bank can learn the one-time password.
  o The link between bank and operator can be eavesdropped.
  o Members of staff of the telecom operator can learn the one-time password.
  o The link between operator and user can be eavesdropped (only the link from the base station to the mobile phone is encrypted in the case of GSM).
• Man-in-the-middle attack. An adversary can lure a user to a fake web site, and have the user disclose his username/password/one-time password. When the user authentication has been performed, the adversary hijacks the banking session, conducting transactions on behalf of the user. This is a real-time phishing/pharming attack, where the adversary monitors the traffic between bank and user.

3.1.2 Security of SMS-based transaction authentication

An adversary can conduct man-in-the-middle attacks against SMS-based transaction authentication. We differentiate between two types of man-in-the-middle attacks.

A) Adversary controls traffic between user's PC and bank

A number of different man-in-the-middle attacks are possible, depending on the nature of the signature:

• Signature is a random number. Suppose that the signature is a random number. The adversary watches the traffic between the banking server and the user. When the user has entered the signature into the banking application, the adversary changes the transaction data (e.g. amount, account). If the banking server does not check the data again, the adversary's transaction will be executed.
• Signature is a hash. Suppose that the signature is actually a hash of the transaction data, computed using, for example, SHA-1, SHA-2, RIPEMD-160, etc. Suppose also that the adversary learns which hash function is used to compute the hash values. When the user has entered the signature into the banking application, the adversary changes the transaction data (e.g. amount, account) and the hash. If the banking server only checks whether or not the data and signature match, the adversary's transaction will be executed.
• Signature is a Message Authentication Code (MAC). Suppose that the signature is actually a MAC of the transaction data, computed using a secret key. In this case, the adversary is not able to compute matching data/signature pairs of his own, because he does not possess the secret key.

Figure 3

In order to protect against these attacks, we have the following recommendations:

• Do NOT use random numbers as signatures.
• Do NOT use hash values as signatures.
• Do use Message Authentication Codes (MACs) as signatures.
• Do verify whether the submitted signature matches the received signature.
• In Step 7, send only the signature, and not the transaction data, or verify whether or not the transaction data are always the same.

B) Adversary controls traffic between user's PC and bank and between bank and mobile phone

In this case, the adversary can launch very powerful attacks. When a user submits a transaction, the adversary hijacks the session between user and bank. He then changes the transaction data at will, and submits the new transaction. The bank generates a signature and sends an SMS-message to the genuine user. However, the adversary intercepts the SMS-message and conducts his transaction. This type of fraud can typically be conducted by members of staff of the telecom operator, as they have full control over the SMS-messages. However, an adversary can also conduct this type of attack if he intercepts the traffic between bank and operator or between the operator and the mobile phone.

Figure 4
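The three signature types of case A and the recommendations that follow them, worked through in code. This is an added example, not code from the VASCO document. It models the banking server of Figure 2 with two verification policies: the weak one the text warns about (execute whatever data arrives in Step 7 as long as data and signature fit each other) and the recommended one (the submitted signature must equal the signature sent, and the data executed are those recorded in Step 2, never those resubmitted in Step 7). A simulated adversary on the PC-bank path swaps the transaction data and, for the keyless hash scheme, simply recomputes the hash; with a MAC it cannot. The transaction field names, the 8-hex-character truncation (so that a user could type the signature from an SMS), the in-memory server key and the sample transactions are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: what the user entered, and what an adversary substitutes.
USER_TX = {"amount": "100.00", "account": "BE00 1234 5678 9012"}
TAMPERED_TX = {"amount": "9000.00", "account": "BE00 9999 9999 9999"}

# Assumed server-side MAC key; in a deployment it lives in an HSM or key store.
SERVER_KEY = secrets.token_bytes(32)
SIG_LEN = 8   # assumed: hex characters the user is asked to type back


def canonical(tx: dict) -> bytes:
    """Deterministic serialisation so the same transaction always yields the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sig_random(tx: dict) -> str:
    """Scheme 1: signature unrelated to the data."""
    return secrets.token_hex(SIG_LEN // 2)


def sig_hash(tx: dict) -> str:
    """Scheme 2: unkeyed hash of the data; anyone who knows the function can recompute it."""
    return hashlib.sha256(canonical(tx)).hexdigest()[:SIG_LEN]


def sig_mac(tx: dict, key: bytes = SERVER_KEY) -> str:
    """Scheme 3: HMAC over the data; forging a matching pair requires the key."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:SIG_LEN]


class TransactionServer:
    def __init__(self, scheme):
        self.scheme = scheme
        self.pending = {}   # session -> (tx received in Step 2, signature sent in Step 4)

    def submit(self, session: str, tx: dict) -> str:
        """Steps 2-4: record the transaction and the signature that goes out by SMS."""
        sig = self.scheme(tx)
        self.pending[session] = (tx, sig)
        return sig

    def weak_verify(self, session: str, tx: dict, sig: str):
        """The check the paper warns about: trusts the data resubmitted in Step 7."""
        _, sent_sig = self.pending[session]
        if self.scheme is sig_random:
            ok = hmac.compare_digest(sig, sent_sig)            # data are never re-checked
        else:
            ok = hmac.compare_digest(self.scheme(tx), sig)     # do data and signature fit?
        return tx if ok else None

    def strong_verify(self, session: str, tx: dict, sig: str):
        """Recommended check: signature must equal the one sent; execute the Step 2 data only."""
        orig_tx, sent_sig = self.pending.pop(session)          # single use per transaction
        if not hmac.compare_digest(sig, sent_sig):
            return None
        if canonical(tx) != canonical(orig_tx):                # data changed between Step 2 and Step 7
            return None
        return orig_tx


def mitm_outcome(scheme, policy: str):
    """Returns the transaction the bank would execute after a PC-bank man-in-the-middle, or None."""
    server = TransactionServer(scheme)
    sig = server.submit("s1", USER_TX)       # user checks the SMS against his own data (Step 5) and types sig
    if scheme is sig_hash:
        forged = (TAMPERED_TX, sig_hash(TAMPERED_TX))   # no key needed, so the hash is recomputed
    else:
        forged = (TAMPERED_TX, sig)                     # keep the user's signature, swap the data
    return getattr(server, policy)("s1", *forged)


def honest_outcome(scheme, policy: str):
    """Same flow without interference: the user's own transaction must go through."""
    server = TransactionServer(scheme)
    sig = server.submit("s1", USER_TX)
    return getattr(server, policy)("s1", USER_TX, sig)


if __name__ == "__main__":
    for scheme in (sig_random, sig_hash, sig_mac):
        for policy in ("weak_verify", "strong_verify"):
            print(scheme.__name__, policy, mitm_outcome(scheme, policy))
```

Two points the run makes visible. First, the MAC alone already defeats the data swap under the weak policy, which is the reason behind the third recommendation; second, the strong policy defeats it for every scheme, because it never executes data that arrived after the signature was issued, which is the fourth and fifth recommendation combined. Neither policy addresses case B: an adversary who also reads the SMS sees a signature the bank computed over his own data, so no verification at the bank can tell the two apart.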
3.2 Reliability

The following factors influence the reliability of SMS-based two-factor authentication.

• SMS delay and loss. According to a study by KeyNote Systems, Inc. (http://www.keynote.com), an average of 94.7 % of SMS-messages arrive at their destination in an average of 11.8 seconds. This means that 5.3 % of the messages arrive late or do not arrive at all. As an example, if you have 100,000 customers requesting one SMS-message per week, 5300 messages will arrive late or get lost every week.
• Coverage. In order to receive an SMS-message, one has to be in an area with coverage for cellular phones. If this is not the case, it is not possible to conduct an Internet banking session.
• User acceptance. Not everyone has a cellular phone, and not everybody knows how to read SMS-messages.

3.3 Cost

• Sending SMS-messages to customers comes with a certain cost. The cost per SMS-message depends on the local mobile phone operator, but $0.10 might be a possible average.
• Moreover, the cost of sending SMS-messages is ever-increasing, hence not fixed. For example, if a customer requests one SMS-message per week, this would already cost $5 per year if an SMS-message costs $0.10. Users might not be happy to pay for this cost.

4 Conclusion

It is up to the bank to assess the potential impact of the threats presented above. The bank then has to decide whether or not the risk is acceptable.