Indian OTP myths
By Kosha Doshi
OTP, or One Time Password, is an additional authentication factor required by many online services these days. To complete a transaction or to log in to a service, an OTP is sent via SMS to the account owner. The user verifies his identity by entering the One Time Password.
OTP was earlier believed to be secure because it forms part of a multi-factor authentication system. This, however, was one of the biggest misconceptions. Studies showed that OTP would prevent phishing-like attacks but opened more avenues for attackers.
The basic idea behind OTP was that every account is connected with a particular mobile number. Mobile numbers are believed to be authentic since they are issued on the basis of government ID proofs. It is also assumed that the SIM card stays with the owner of the mobile phone. These assumptions have turned out to be myths today. There are two major realities which overrule them.
First, SMS OTP would be secure only if the privacy of SMS messages is maintained, which relies heavily on the security of cellular networks. Second, in recent times several attacks have been recorded against GSM networks, which clearly show that SMS messages are not at all confidential. The OTP is generated by the service provider and sent to the mobile network operator, which in turn sends it to the user's mobile phone.
There are several modus operandi used by criminals against SMS OTP, which magnify the loophole in the entire process. Let us suppose there is a criminal who has knowledge of your banking credentials. With the help of these details, he logs in and initiates a transaction. An OTP is sent to you by the bank. One of the most common occurrences is where the attacker creates a fake ID using the heap of information you provide online and gets a duplicate SIM issued. Here you can also think of the calls you get claiming that your debit card is going to expire. And the rest becomes history.
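The scenario above is an attacker who already holds the login credentials and only needs the OTP for the transaction he started. One mitigation on the bank's side is to bind the OTP to the exact transaction (account, amount, payee), make it single-use, expire it within a couple of minutes, and limit verification attempts, so that a code obtained through a duplicate SIM or a "card expiry" call cannot be reused for a different transfer or kept for later. The following is an added illustration of that server-side handling written for this article; it is not code from the author or from any bank, and the transaction fields, the `OtpStore` class and the in-memory storage are assumptions made for the example (a real deployment would keep the pending records and the server key in a proper store).

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # short lifetime limits the window for an intercepted code
MAX_ATTEMPTS = 3        # a 6-digit code must not be guessable by repeated tries

# Illustrative server-side key; in production this comes from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)


class OtpStore:
    """Issues and verifies OTPs bound to one specific transaction (example code)."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable clock so expiry can be tested
        self._pending = {}        # txn_id -> {"mac": ..., "expires_at": ..., "attempts": ...}

    @staticmethod
    def _mac(txn_id, account, amount, payee, code):
        # The MAC covers the transaction details, so the same code presented
        # for a different amount or payee will not verify.
        msg = f"{txn_id}|{account}|{amount}|{payee}|{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, txn_id, account, amount, payee):
        """Generate a fresh OTP for the transaction; returns (code, sms_text)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = {
            "mac": self._mac(txn_id, account, amount, payee, code),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The SMS names the transaction so the recipient can notice a transfer
        # he never initiated instead of reading the code out over the phone.
        sms = (f"OTP {code} for paying INR {amount} to {payee}. "
               f"Valid {OTP_TTL_SECONDS // 60} min. Never share this code.")
        return code, sms

    def verify(self, txn_id, account, amount, payee, code):
        """Return (accepted, reason). A code is consumed on first success."""
        rec = self._pending.get(txn_id)
        if rec is None:
            return False, "no pending OTP"
        if self._clock() > rec["expires_at"]:
            del self._pending[txn_id]
            return False, "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]
            return False, "too many attempts"
        expected = rec["mac"]
        presented = self._mac(txn_id, account, amount, payee, code)
        # constant-time comparison avoids leaking how many characters matched
        if hmac.compare_digest(expected, presented):
            del self._pending[txn_id]   # single use: a replayed code is rejected
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    store = OtpStore()
    code, sms = store.issue("txn-1", "acct-42", "5000", "Example Store")
    print(sms)
    print(store.verify("txn-1", "acct-42", "50000", "Example Store", code))  # amount changed
    print(store.verify("txn-1", "acct-42", "5000", "Example Store", code))   # accepted
    print(store.verify("txn-1", "acct-42", "5000", "Example Store", code))   # already used
```

Binding the code to the amount and payee does not make the SMS channel confidential, which is the article's point; it only ensures that whatever a criminal manages to obtain is worthless outside the one transaction and the two-minute window it was issued for.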
Following are certain attacks against which you should secure yourself, so as to prevent the criminal from completing the transaction.
Don't let anybody physically access your phone in your absence. We do not realize it, but this may actually be very dangerous.
As already mentioned, authentication service providers rely wholly on mobile network operators. By using certain tools, an attacker can intercept mobile communication and gain access to the messages. It is thus clear that there is no security in the channel itself.
Next, there are certain mobile phone trojans that are specially designed to intercept SMS OTPs.
Most mobile operating systems give applications access to received SMS messages after asking you the simple "Do you agree to the T&C?" question. Applications can also be given a role in the delivery process of SMS messages. In such a case, a trojan can receive, alter, delete and forward SMS messages without your knowledge.
Some smartphone operating systems protect SMS messages through their permission system. But unfortunately, being unaware, we grant these permissions to insecure applications.
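On Android the permission system mentioned above is visible in the app's manifest: an application that wants to read incoming messages declares `android.permission.RECEIVE_SMS` or `android.permission.READ_SMS`, and one that wants a place in the delivery process registers a broadcast receiver for `android.provider.Telephony.SMS_RECEIVED` (older Android versions delivered this as an ordered broadcast, where a receiver with a high `android:priority` saw the message before the default messaging app). The following is an added example, not from the article's author or from any app or vendor, of a small audit script that reads a manifest and flags these declarations, so a reviewer can tell a torch or game app requesting SMS access apart from a genuine messaging app. The two manifests embedded in it are constructed for the example; the package names and component names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Real Android permission names and what granting them means for OTP messages.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sees every incoming SMS, including OTPs",
    "android.permission.READ_SMS": "can read the whole stored SMS inbox",
    "android.permission.SEND_SMS": "can forward messages out at the user's cost",
    "android.permission.RECEIVE_MMS": "sees incoming MMS",
    "android.permission.RECEIVE_WAP_PUSH": "sees incoming WAP push messages",
}
SMS_READ_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def audit_manifest(manifest_xml: str) -> dict:
    """Return the SMS permissions and SMS_RECEIVED receivers declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    prio_attr = f"{{{ANDROID_NS}}}priority"

    findings = {"package": root.get("package"), "sms_permissions": [], "sms_receivers": []}

    # <uses-permission> elements are direct children of <manifest>
    for up in root.findall("uses-permission"):
        perm = up.get(name_attr)
        if perm in SMS_PERMISSIONS:
            findings["sms_permissions"].append(perm)

    # receivers live under <application>; iterate the whole tree to be safe
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {a.get(name_attr) for a in filt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                findings["sms_receivers"].append({
                    "receiver": rcv.get(name_attr),
                    "priority": int(filt.get(prio_attr, "0")),
                })

    findings["risk"] = risk_level(findings)
    return findings


def risk_level(findings: dict) -> str:
    """'high' = can read SMS and hooks delivery; 'medium' = any SMS permission; else 'none'."""
    reads = SMS_READ_PERMISSIONS & set(findings["sms_permissions"])
    if reads and findings["sms_receivers"]:
        return "high"
    if findings["sms_permissions"]:
        return "medium"
    return "none"


# Constructed sample: a "flashlight" app that has no business with SMS.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight">
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: the same kind of app asking only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        f = audit_manifest(m)
        print(f["package"], f["risk"], f["sms_permissions"], f["sms_receivers"])
```

The script only reports what the manifest declares; whether the app actually abuses the access is a separate question. Still, for an app whose purpose has nothing to do with messaging, a `RECEIVE_SMS` grant plus a high-priority `SMS_RECEIVED` receiver is exactly the shape of the trojan the article describes, and it is worth denying the permission prompt. Google Play has since restricted SMS permissions to apps that act as the default SMS handler, which reduces this exposure for apps installed from the store but not for side-loaded ones.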
OTP, despite being a fairly user-friendly method, cannot be considered a good layer of security. Is there a way we can increase the security of OTP, or is a second layer of security a vague concept? Get answers to these questions in our upcoming post.
10 thoughts on “Indian OTP myths”
This article highlights the intention behind fabricating the OTP system and, however, how it has been misused by cyber attackers. It is a nice, well-studied article.
This article is an eye-opener for people who believe that OTP is secure as being a part of a multi-factor authentication system. I myself believed it too. After reading this informative article I have got to know how we can avoid such attackers. It was helpful and I would definitely share this with my family and friends so that they can also get their misconceptions cleared. Good article!!!
An eye-opening article indeed!!
It precisely highlights the tricks that the cyber criminals use by forging and deceiving with OTPs and messages to commit fraud and theft. Creating awareness about such burglaries holds the way to battle such robberies. The same number of applications request access to SMSes, and since such applications see the SMSes (with the OTP) similarly as an ordinary SMS, finding a mechanical arrangement is preposterous. "It is absurd to expect to build up a product to protect against this. Numerous applications request access to SMSes. Be that as it may, if clients are progressively mindful and a large portion of them don't offer consent to get to SMSes, at that point designers will be compelled to change their strategy," he said. On getting such calls, individuals can confirm with the client care quantities of their banks.
A great article. OTP: even a kid who uses a phone for games knows what it is. But he might not know the process or the purpose of that OTP. As mentioned above, it is claimed to be more secure, which is turning into a myth nowadays. The process of how people receive these OTPs is clearly written in a very simple way. All readers should pay attention and learn about these things, because who knows who is waiting behind a screen to access all your personal data. Never let that happen to you and all others around you.
These days, almost all websites and apps require an OTP to register and/or log in to user accounts. This has become so commonplace that we fail to realize how insecure the system might be. The article is enlightening since it brings to the forefront some of the security concerns regarding OTPs and also lists some tips that we need to employ so as to keep our OTPs, and thus our data, safe. The article is also eye-opening in terms of the mindlessness with which we accept the T&Cs while using applications.
1) If the privacy of SMS is maintained, which heavily relies on the security of cellular data
2) In recent times several attacks have been recorded against GSM networks, which clearly shows the SMS messages are not confidential
Myth-buster article. A brief explanation of OTP was well written, along with the listing of myths related to it: that due to its multi-factor authentication system it is 100% safe, and the countless assumptions made regarding it. People believing it to be safe often share their OTP when they get a forged call or SMS from a fraudster, believing it to be real. The article tells us about a few attacks which we can conquer, so a very helpful and eye-opening article, a must read.
This article was insightful and savvy. In the world of technology, it becomes very important to know about the ways in which we can be trapped. OTPs are used by almost every one of us, and such myth-busters are very much needed.
We as consumers always have to be cautious with the terms and conditions, ensuring our own safety.
This article elaborates on the fraudsters who misuse the OTP and attack data.
Nowadays, almost all websites and applications require an OTP to register and/or log in to user accounts, where we fail to realize how insecure the system might be. The article is well structured since it brings to the forefront some of the security concerns regarding OTPs and also lists some tips that we need to employ so as to keep our OTPs, and thus our data, safe. The article also creates awareness in terms of the mindlessness with which we accept the T&Cs while using applications.