SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking. Today, SMS OTPs are commonly used for authentication and authorization for many different applications. Recently, SMS OTPs have come under heavy attack, especially by smartphone Trojans. In this paper, we analyze the security architecture of SMS OTP systems and study attacks that pose a threat to Internet-based authentication and authorization services. We determined that the two foundations SMS OTP is built on, cellular networks and mobile handsets, were completely different at the time when SMS OTP was designed and introduced. Throughout this work, we show why SMS OTP systems cannot be considered secure anymore. Based on our findings, we propose mechanisms to secure SMS OTPs against common attacks and specifically against smartphone Trojans.