Abstract
The Norwegian company Encap has developed protocols enabling individuals to use their mobile phones as one-time password (OTP) generators. An initial analysis of the protocols reveals minor security flaws. System-level testing of an online bank utilizing Encap’s solution then shows that several attacks allow a malicious individual to turn his own mobile phone into an OTP generator for another individual’s bank account. Some of the suggested countermeasures to thwart the attacks are already incorporated in an updated version of the online banking system.
Copyright information
© 2010 IFIP International Federation for Information Processing
About this paper
Cite this paper
Raddum, H., Nestås, L.H., Hole, K.J. (2010). Security Analysis of Mobile Phones Used as OTP Generators. In: Samarati, P., Tunstall, M., Posegga, J., Markantonakis, K., Sauveron, D. (eds) Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices. WISTP 2010. Lecture Notes in Computer Science, vol 6033. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12368-9_26
DOI: https://doi.org/10.1007/978-3-642-12368-9_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12367-2
Online ISBN: 978-3-642-12368-9