One Time Passwords are Not Secure Enough

Monday, February 14, 2011

Gurudatt Shenoy


The Thing About One Time Passwords: It Is Not Secure Enough

An OTP, or One Time Password, is becoming quite a fashion these days. There are many ways to generate OTPs, and a swarm of security companies have sprung up, each offering a different variant of One Time Password technology.

This is not surprising, as even Google has awakened to the concept of OTP in securing users from phishing attacks for Google Docs and other access points.

And the herd mentality follows.

No doubt, OTP-based two factor authentication is far more secure than single factor authentication and is also cheaper.

But, is it really secure enough to thwart the efforts of dedicated hackers who have broken into highly secured government and defense enterprises deploying even far more secured solutions?

I do not think so.

OTP is equally vulnerable because the second factor is entered on the same device on which the first layer of authentication (username and password) takes place.

For example, if a victim's computer is already compromised by key-loggers or other malware that can record what the victim is keying in, and can also take action based on the victim's activity, even a one time password would fail.

The following scenario explains how the vulnerability occurs:

The victim enters the username and password and clicks on the button to generate the one time password. The OTP either appears on a proprietary device or is sent as an SMS to their cellphone.

The page where the victim enters the first factor credentials is already being monitored, and that information is captured. The victim then enters the OTP in the field provided; the malware detects this activity and disconnects the victim before the login completes.

By then it has already captured both factors of the authentication credentials.

This information can now be used by the hacker to access the victim's account from another computer, and switch off the two factor authentication option as well as change the first factor credentials - the username and password.

By the time all this happens and the victim reconnects and tries to sign in again, he cannot, as his account has already been hijacked.
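As an added example (not code from the original post), here is a server-side check, written in Python for a hypothetical login service, that binds each one time password to the login session and client that requested it, rejects any reuse of the code, and records an alert when a valid code is presented from a different client. The "access the victim's account from another computer" step of the scenario above is exactly what that last check is looking for. The session identifiers, client fingerprints and timestamps are constructed for the example.

```python
# Added example: OTP bound to the requesting session/client, with replay and
# client-mismatch detection. Service, names and values are hypothetical.
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class OtpChallenge:
    user: str
    session_id: str   # login session that requested the code
    client_fp: str    # fingerprint of the requesting client (e.g. hash of IP + user agent)
    otp: str
    issued_at: float
    used: bool = False


class OtpServer:
    TTL_SECONDS = 120

    def __init__(self):
        self.challenges = []   # outstanding codes, newest last
        self.alerts = []       # detection events to hand to monitoring

    def issue(self, user, session_id, client_fp, now=None):
        """Generate a 6-digit code for a session that already passed the first factor."""
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        self.challenges.append(OtpChallenge(user, session_id, client_fp, otp, now))
        return otp

    def verify(self, user, otp, session_id, client_fp, now=None):
        now = time.time() if now is None else now
        # Constant-time comparison so the check does not leak matching prefixes.
        match = next((c for c in self.challenges
                      if c.user == user and hmac.compare_digest(c.otp, otp)), None)
        if match is None:
            return "rejected: no such code"
        if match.used:
            self.alerts.append(f"replay: code for {user} presented again from {client_fp}")
            return "rejected: code already used"
        if now - match.issued_at > self.TTL_SECONDS:
            return "rejected: code expired"
        if match.session_id != session_id or match.client_fp != client_fp:
            # A valid second factor, but not from the session/client that asked
            # for it: what a captured code replayed from another machine looks like.
            self.alerts.append(
                f"client mismatch: code for {user} issued to {match.client_fp} "
                f"but presented by {client_fp}")
            return "rejected: client mismatch"
        match.used = True
        return "accepted"


def run_scenario():
    """Replay the post's scenario against the bound check (constructed data)."""
    srv = OtpServer()
    t0 = 1_000_000.0
    # 1. Victim passes the first factor and requests a code from their own PC.
    code = srv.issue("victim", session_id="sess-victim", client_fp="fp-victim-pc", now=t0)
    # 2. Malware on the victim's PC has captured username, password and the code,
    #    and the victim was disconnected before the code was submitted.
    # 3. The captured code is submitted from another computer.
    other = srv.verify("victim", code, session_id="sess-other",
                       client_fp="fp-other-pc", now=t0 + 30)
    # 4. Victim reconnects and submits the same code from the original session.
    victim = srv.verify("victim", code, session_id="sess-victim",
                        client_fp="fp-victim-pc", now=t0 + 60)
    # 5. A second submission of the same code is a replay.
    replay = srv.verify("victim", code, session_id="sess-victim",
                        client_fp="fp-victim-pc", now=t0 + 61)
    return {"other": other, "victim": victim, "replay": replay,
            "alerts": list(srv.alerts)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The binding only defeats the "from another computer" step: if the malware drives the browser on the victim's own machine, it presents the code from the same session and client fingerprint, which is precisely the author's point about both factors living on one device. The alert list is the useful part on the detection side: a valid code arriving from a client other than the one that requested it is a strong signal that both factors have been captured, and is worth forwarding to monitoring even though the login itself was rejected.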

There are other social engineering scenarios that could achieve the same thing, such as the victim receiving a phone call just before clicking the sign in button and being drawn away from the computer, and so on.

People who write sophisticated malware know a lot more tricks that can defeat what OTP security solutions offer.

Franc Schiphorst: The attack you describe is highly visible and will be detected very soon, so the attack window is potentially small.

This one is even better :)
Gurudatt Shenoy: You are right, there are more sophisticated ways to do that. However, the link you have provided is not available on the website. Can you present an alternative link?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.