Abstract
The security risk of internet banking has increased rapidly as internet banking services have come into common public use. Among the various security methods, the OTP (one-time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods that can bypass OTP have been developed, so additional security for OTP is now needed. In this study, we discovered that a new kind of attack through OTP is theoretically possible through an analysis of the currently implemented OTP system and known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services and empirically proved that it could effectively bypass all of the currently implemented OTP security systems in Korea. To prevent this, we also suggest solutions based on a root cause analysis of the OTP vulnerabilities.
Acknowledgments
This work was supported by a grant from the Kyung Hee University in 2013 (KHU-2013-0988).
A preliminary version of this paper appeared in “A study on the vulnerability of OTP implementation by using MITM attack and reverse engineering”, Kang, Byung-Tak and Kim, Huy-Kang, Journal of the Korea Institute of Information Security and Cryptology, volume 21, issue 6, 2011, pp. 83–99. This version has been considerably improved from the previous version by including new results and features.
About this article
Cite this article
Yoo, C., Kang, BT. & Kim, H.K. Case study of the vulnerability of OTP implemented in internet banking systems of South Korea. Multimed Tools Appl 74, 3289–3303 (2015). https://doi.org/10.1007/s11042-014-1888-3
DOI: https://doi.org/10.1007/s11042-014-1888-3