
Case study of the vulnerability of OTP implemented in internet banking systems of South Korea

Published in: Multimedia Tools and Applications

Abstract

The security risk of internet banking has increased rapidly as internet banking services have become commonly used by the public. Among the various security methods, OTP (one-time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods that can bypass OTP have been developed, so additional security for OTP is now needed. In this study, we discovered that a new kind of attack against OTP is theoretically possible, based on an analysis of the currently implemented OTP systems and of known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services and empirically showed that it could effectively bypass all of the OTP security systems currently implemented in Korea. To prevent this, we also suggest solutions based on a root cause analysis of the OTP vulnerabilities.



Acknowledgments

This work was supported by a grant from the Kyung Hee University in 2013 (KHU-2013-0988).

A preliminary version of this paper appeared in “A study on the vulnerability of OTP implementation by using MITM attack and reverse engineering”, Kang, Byung-Tak and Kim, Huy-Kang, Journal of the Korea Institute of Information Security and Cryptology, volume 21, issue 6, 2011, pp. 83–99. This version has been considerably improved from the previous version by including new results and features.


Corresponding author

Correspondence to Huy Kang Kim.


Cite this article

Yoo, C., Kang, BT. & Kim, H.K. Case study of the vulnerability of OTP implemented in internet banking systems of South Korea. Multimed Tools Appl 74, 3289–3303 (2015). https://doi.org/10.1007/s11042-014-1888-3
