Changsok Yoo
Abstract
The security risk of internet banking has increased rapidly as internet banking services have become commonly used by the public. Among the various security methods, OTP (one time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods which can detour OTP have been developed that additional security for OTP is now needed. In this study, we discovered that a new kind of attack through OTP is theoretically possible through an analysis of the currently implemented OTP system and known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services, and empirically proved that it could effectively detour around all of the currently implemented OTP security systems in Korea. To prevent this, we also suggested solutions based on the root cause analysis of the OTP vulnerabilities.
- (2008) NetworkWorld, New Trojan intercepts online banking information, http://www.networkworld.com/news/2008/011408-silentbanker-trojan.htmlGoogle Scholar
- (2014) Gi Seong Lee, Huy Kang Kim, "Internet Banking Security Services in South Korea, the status quo", http://www.hksecurity.net/internet-banking-in-south-koreaGoogle Scholar
- Aloul F, Zahidi S, Wassim E-H (2009) Two factor authentication using mobile phones. IEEE/ACS International Conference on Computer Systems and Applications, pp 641---644Google Scholar
- Bae G, Lim G (2008) Analysis of basic weakness of keyboard security solution, Korea Institute of Information Security Cryptology, No.3, Vol. 18, pp 89---95Google Scholar
- BBC News, South Korea blames North for bank and TV cyber-attacks, http://www.bbc.co.uk/news/technology-22092051Google Scholar
- Chang H (2011) The study on end-to-end security for ubiquitous commerce. J Supercomput 55(2):228---245 Google ScholarDigital Library
- Christos K (2007) Dimitriadis, analyzing the security of internet banking authentication mechanisms. Inf Syst Control J 3:1---8Google Scholar
- Citibank Phish Spoofs 2-Factor Authentication, http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.htmlGoogle Scholar
- Considerations for web transaction security, RFC2084, http://www.ietf.org/rfc/rfc2084.txtGoogle Scholar
- Cornel de Jong, Online authentication methods, evaluate the strength of online authentication methods, http://staff.science.uva.nl/~delaat/rp/2007-2008/p30/report.pdfGoogle Scholar
- Guhring P (2007) Concepts against man-in-the-browser attacksGoogle Scholar
- Hallsteinsen S, Jorstad I, Thanh D (2007) Using the mobile phone as s security token for unified authentication. In: ICSNC 2007. IEEE Computer Society, Los Alamitos pp 68 Google Scholar
- Hanacek P, Malinka K, Schafer J (2009) E-Banking Security--Comparative Study, 10th ACIS, pp 263---26Google Scholar
- Hiltgen A, Kramp T, Weigold T (2006) Secure Internet Banking Authentication, IEEE Security & Privacy Google Scholar
- Ku WC, Tasi HC, Tsaur MJ (2005) Stolen-verifier attack on an efficient smartcard-based one-time password authentication scheme. IEICE Trans Commun E87-B(8):2374---2376Google Scholar
- Maeng Y, Shin D, Kim S, Yang D, Lee M (2010) Analysis of weakness of MITB against credit transfer of domestic internet banking, Internet and Information Security, No.2, Vol.1, pp 101---118Google Scholar
- Mizuno S, Yamada K, Takahashi K (2005) Authentication using multiple communication channels, in DIM 2005: Proceedings of the 2005 workshop on Digital identity management. New York, NY, USA: ACM, pp 54---62 Google Scholar
- Oppliger R, Rytz R, Holderegger T (2009) eSecurity Technol, Internet Banking: Client-Side Attacks and Protection Mechanisms, IEEE, Computer, pp 27---33 Google Scholar
- Paulson LD (2002) Key snooping technology causes controversy, IEEE, Computer, pp 27Google Scholar
- Phishing attack targets one-time passwords--scratch it and weep, http://www.theregister.co.uk/2005/10/12/outlaw_phishing/Google Scholar
- Phone approval service, http://bank1.kbstar.com/quics?asfilecode=5023&_nextPage=page=B002346Google Scholar
- Security aspects of the SuisseID - http://postsuisseid.ch/en/suisseid/security/security-aspectsGoogle Scholar
- Seo S, Kang W, (2007) Technical status of OTP & cases of introducing OTP in domestic financial institutions, Korea Institute of Information Security Cryptology, No.3, Vol. 17, pp 18---25Google Scholar
- Sherstobitoff R, Liba I, Walter J (2013) Dissecting Operation Troy: Cyberespionage in South Korea, http://www.mcafee.com/au/resources/white-papers/wp-dissecting-operation-troy.pdfGoogle Scholar
- Steeves DJ, Snyder MW (2005) Secure online transaction using a CAPTCHA image as a watermark, U.S.Patent, 11/157,336Google Scholar
- Thanh D, Jonvik T, Feng B, Thuan D, Jorstad I (2008) Simple strong authentication for internet applications using mobile phones. IEEE GLOBECOM pp 1---5Google Scholar
- UOTP, http://www.u-otp.co.kr/blog/Google Scholar
- Wikipedia.: Man-in-the-middle Attack, http://en.wikipedia.org/wiki/Man_in_the_middle_attackGoogle Scholar
- Wikipedia.: One-Time Password, http://en.wikipedia.org/wiki/One-time_passwordGoogle Scholar
- Wikipedia.: Online Banking, http://en.wikipedia.org/wiki/Online_bankingGoogle Scholar
- Wikipedia.: Two-factor Authentication, http://en.wikipidia.org/wiki/two-factor_authenticationGoogle Scholar
Index Terms
- Case study of the vulnerability of OTP implemented in internet banking systems of South Korea
Recommendations
Secure Internet Banking Authentication
This article classifies common Internet banking authentication methods regarding potential threats and their level of security against common credential stealing and channel breaking attacks, respectively. The authors present two challenge/response ...
Internet Banking: Client-Side Attacks and Protection Mechanisms
Although current mechanisms protect against offline credential-stealing attacks, effective protection against online channel-breaking attacks requires technologies to defeat man-in-the-middle (MITM) attacks, and practical protection against content-...
Security weakness in a three-party pairing-based protocol for password authenticated key exchange
Authentication and key exchange are fundamental for establishing secure communication channels over public insecure networks. Password-based protocols for authenticated key exchange are designed to work even when user authentication is done via the use ...
Comments