Digital India Myths: OTP

Rachiyta Jain | Cyber Security

OTP, or One Time Password, is an additional authentication factor required by many online services today. To complete a transaction or to log in to a service, an OTP is sent via SMS to the account owner, who proves his identity by entering that One Time Password.

OTP was earlier believed to be secure because it forms part of a multi-factor authentication system. This, however, was one of the biggest misconceptions. Studies showed that OTP would prevent phishing-like attacks but opened up more avenues for attackers.

The basic idea behind OTP was that every account is tied to a particular mobile number. Mobile numbers are believed to be authentic since they are issued on the basis of Government ID proofs. It is also assumed that the SIM card stays with the owner of the mobile phone. These assumptions have since been shown to be myths. There are two major realities that overrule them.

First, SMS OTP would be secure only if the privacy of SMS messages is maintained, and that relies heavily on the security of cellular networks. Second, in recent times several attacks have been recorded against GSM networks which clearly show that SMS messages are not at all confidential. The OTP is generated by the service provider and sent to the mobile network operator, which in turn delivers it to the user's mobile phone.

Criminals use several modus operandi against SMS OTP, each of which magnifies the loophole in the process. Suppose a criminal already knows your banking credentials. Using them, he logs in and initiates a transaction, and the bank sends an OTP to you. In one of the most common scenarios, the attacker creates a fake ID from the heap of information you provide online and gets a duplicate SIM issued, so the OTP reaches him instead of you. Think also of the calls you get claiming that your debit card is about to expire. The rest becomes history.
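To make the flow in the two paragraphs above concrete, here is the service-provider side of it: generate the code, hand it to the SMS gateway, then check what the user types back. This is an added example written for this post, not code from any bank or OTP vendor; the account names, phone numbers, transaction ids, six-digit length, two-minute lifetime and three-attempt limit are all constructed or hypothetical. It shows the controls a provider can apply on its own side (unpredictable codes, single use, expiry, binding to one transaction, constant-time comparison, a guess limit). It also shows where those controls stop: once `send_sms` is called, the code is on the cellular network, and nothing in this code helps against a duplicate SIM or an intercepted message.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values (hypothetical, chosen for the example; real services pick their own).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


@dataclass
class PendingOtp:
    code: str
    transaction_id: str   # the OTP is valid for this transaction only
    expires_at: float
    attempts: int = 0


class OtpService:
    """The service-provider side of the flow: generate the code, hand it to the
    SMS gateway (the mobile network operator), and later verify what the user types."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, text); the handoff to the operator
        self._clock = clock         # injectable so expiry can be tested without sleeping
        self._pending = {}          # account -> PendingOtp (one live code per account)

    def issue(self, account: str, phone_number: str, transaction_id: str) -> None:
        # secrets, not random: the code must be unpredictable to someone who saw earlier codes.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[account] = PendingOtp(code, transaction_id, self._clock() + OTP_TTL_SECONDS)
        # Everything from here on travels over the cellular network, which is where the
        # post's weaknesses (duplicate SIM, interception, SMS-reading trojans) apply.
        self._send_sms(phone_number, f"OTP {code} for transaction {transaction_id}. Do not share it.")

    def verify(self, account: str, transaction_id: str, submitted: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[account]          # expired codes are discarded, not kept around
            return False
        entry.attempts += 1
        ok = entry.transaction_id == transaction_id and hmac.compare_digest(entry.code, submitted)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[account]          # single use; also burn the code after too many guesses
        return ok


def demo_flow() -> dict:
    """Run the legitimate flow with a constructed, in-memory SMS gateway and a fake clock."""
    outbox = []                                   # constructed stand-in for the operator's SMS channel
    now = [1_700_000_000.0]
    svc = OtpService(lambda phone, text: outbox.append(text), clock=lambda: now[0])

    svc.issue("alice", "+91-00000-00000", "txn-42")   # constructed account and number
    code = outbox[-1].split()[1]                      # what the genuine phone shows
    first = svc.verify("alice", "txn-42", code)       # correct code, correct transaction
    replay = svc.verify("alice", "txn-42", code)      # same code again: already consumed

    svc.issue("alice", "+91-00000-00000", "txn-43")
    code = outbox[-1].split()[1]
    now[0] += OTP_TTL_SECONDS + 1                     # let the code age past its lifetime
    late = svc.verify("alice", "txn-43", code)

    return {"first": first, "replay": replay, "late": late}


if __name__ == "__main__":
    print(demo_flow())
```

Binding the code to a transaction id means a code issued for one payment cannot be replayed to approve a different one, and the attempt cap stops online guessing of a six-digit code. Neither control changes who receives the SMS, which is the weakness the post is about.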

Following are certain attacks against which you should secure yourself, to prevent the criminal from completing the transaction.

Don’t let anybody physically access your phone in your absence. We do not realize it, but this can be very dangerous.

As already mentioned, authentication service providers rely wholly on mobile network operators. Using certain tools, an attacker can intercept mobile communication and get access to the OTP. It is thus clear that there is no security here.

Next, there are certain mobile phone trojans specially designed to intercept SMS OTPs. Most mobile operating systems give applications access to received SMS messages after asking you the simple “Do you agree to the T&C?” question. Applications can also be given a role in the delivery process of SMS messages. In such a case, the trojan can receive, alter, delete and forward SMS messages without your knowledge. Some smartphone operating systems protect SMS messages through their permission system, but unfortunately, being unaware, we grant permissions to insecure applications.
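The permissions and the delivery role described above are declared up front in an Android app's manifest, so they can be checked before tapping "agree". The following auditor, an added example for this post and not a tool from any vendor, parses an `AndroidManifest.xml` and flags the SMS permissions and the `SMS_RECEIVED` broadcast receiver that let an app read, forward or interfere with OTP messages. The permission and action names are Android's real ones; the two sample manifests (a "flashlight" app that asks for SMS access, and a torch app that does not) are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree's key for the android:name attribute

# Real Android permission names; the descriptions are this example's own wording.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS as they arrive, OTPs included",
    "android.permission.READ_SMS": "can read the stored SMS inbox, including old OTPs",
    "android.permission.SEND_SMS": "can send SMS, e.g. to forward messages elsewhere",
}
# The broadcast an app registers for to take part in SMS delivery.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def audit_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related capabilities declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR)
        if name in SMS_PERMISSIONS:
            findings.append(f"{name}: {SMS_PERMISSIONS[name]}")
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == SMS_RECEIVED_ACTION:
                findings.append(f"receiver {receiver.get(NAME_ATTR)} listens for {SMS_RECEIVED_ACTION}")
    return {"package": root.get("package"), "findings": findings, "touches_sms": bool(findings)}


# Constructed sample: a "flashlight" app that has no business near SMS.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application>
        <receiver android:name=".SmsWatcher" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: the same kind of app asking only for what it plausibly needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = audit_manifest(xml)
        print(label, report["package"], "touches SMS" if report["touches_sms"] else "no SMS access")
        for line in report["findings"]:
            print("  -", line)
```

The question the report answers is the one the post asks you to ask: does this app need SMS access for what it does? A receiver for `SMS_RECEIVED` is the "takes part in the delivery process" case; on Android versions before 4.4 a high-priority receiver could even abort that broadcast so the messaging app never saw the message, which is the altering and deleting the post describes. Newer versions restrict that, but the permission grant still lets the app read every OTP that arrives.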

OTP, despite being a fairly user-friendly method, cannot be considered a good layer of security. Is there a way to increase the security of OTP, or is a second layer of security a vague concept? Get the answers to these questions in our upcoming post.

Special thanks to Sukhmani Kaur who is the author of this post.