Security analysis of mobile phones used as OTP generators

  • Authors: Håvard Raddum; Lars Hopland Nestås; Kjell Jørgen Hole

  • Affiliations: Department of Informatics, University of Bergen; Department of Informatics, University of Bergen; Department of Informatics, University of Bergen

  • Venue: WISTP'10 Proceedings of the 4th IFIP WG 11.2 International Conference on Information Security Theory and Practices: Security and Privacy of Pervasive Systems and Smart Devices

  • Year: 2010

Abstract

The Norwegian company Encap has developed protocols enabling individuals to use their mobile phones as one-time password (OTP) generators. An initial analysis of the protocols reveals minor security flaws. System-level testing of an online bank utilizing Encap's solution then shows that several attacks allow a malicious individual to turn his own mobile phone into an OTP generator for another individual's bank account. Some of the suggested countermeasures to thwart the attacks are already incorporated in an updated version of the online banking system.