Thumbnail Image

SMS-based One-Time Passwords: Attacks and Defense

Mulliner, Collin; Borgaonkar, Ravishankar; Stewin, Patrick; Seifert, Jean-Pierre

Forschungsberichte der Fakultät IV - Elektrotechnik und Informatik / Technische Universität Berlin

SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking. Today, SMS OTPs are commonly used for authentication and authorization for many different applications. Recently, SMS OTPs have come under heavy attack, especially by smartphone trojans. In this paper, we analyze the security architecture of SMS OTP systems and study attacks that pose a threat to Internet-based authentication and authorization services. We determined that the two foundations SMS OTP is built on, cellular networks and mobile handsets, were completely different at the time when SMS OTP was designed and introduced. Throughout this work, we show why SMS OTP systems cannot be considered secure anymore. Based on our findings, we propose mechanisms to secure SMS OTPs against common attacks and specifically against smartphone trojans.