Case study of the vulnerability of OTP implemented in internet banking systems of South Korea

Changsok Yoo, Byung Tak Kang, Huy Kang Kim

Research output: Contribution to journalArticle

5 Citations (Scopus)

Abstract

The security risk of internet banking has increased rapidly as internet banking services have become commonly used by the public. Among the various security methods, OTP (one time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods which can detour OTP have been developed that additional security for OTP is now needed. In this study, we discovered that a new kind of attack through OTP is theoretically possible through an analysis of the currently implemented OTP system and known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services, and empirically proved that it could effectively detour around all of the currently implemented OTP security systems in Korea. To prevent this, we also suggested solutions based on the root cause analysis of the OTP vulnerabilities.

Original languageEnglish
Pages (from-to)3289-3303
Number of pages15
JournalMultimedia Tools and Applications
Volume74
Issue number10
DOIs
Publication statusPublished - 2014 Feb 14

Fingerprint

Computer systems
Internet
Security systems

Keywords

  • Internet banking
  • Man-in-the-middle attack
  • OTP (one time password)
  • Reverse engineering

ASJC Scopus subject areas

  • Media Technology
  • Hardware and Architecture
  • Computer Networks and Communications
  • Software

Cite this

Case study of the vulnerability of OTP implemented in internet banking systems of South Korea. / Yoo, Changsok; Kang, Byung Tak; Kim, Huy Kang.

In: Multimedia Tools and Applications, Vol. 74, No. 10, 14.02.2014, p. 3289-3303.

Research output: Contribution to journalArticle

@article{b599ef25f699460ebfc5e695d86d5f56,
title = "Case study of the vulnerability of OTP implemented in internet banking systems of South Korea",
abstract = "The security risk of internet banking has increased rapidly as internet banking services have become commonly used by the public. Among the various security methods, OTP (one time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods which can detour OTP have been developed that additional security for OTP is now needed. In this study, we discovered that a new kind of attack through OTP is theoretically possible through an analysis of the currently implemented OTP system and known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services, and empirically proved that it could effectively detour around all of the currently implemented OTP security systems in Korea. To prevent this, we also suggested solutions based on the root cause analysis of the OTP vulnerabilities.",
keywords = "Internet banking, Man-in-the-middle attack, OTP (one time password), Reverse engineering",
author = "Changsok Yoo and Kang, {Byung Tak} and Kim, {Huy Kang}",
year = "2014",
month = "2",
day = "14",
doi = "10.1007/s11042-014-1888-3",
language = "English",
volume = "74",
pages = "3289--3303",
journal = "Multimedia Tools and Applications",
issn = "1380-7501",
publisher = "Springer Netherlands",
number = "10",

}

TY - JOUR

T1 - Case study of the vulnerability of OTP implemented in internet banking systems of South Korea

AU - Yoo, Changsok

AU - Kang, Byung Tak

AU - Kim, Huy Kang

PY - 2014/2/14

Y1 - 2014/2/14

N2 - The security risk of internet banking has increased rapidly as internet banking services have become commonly used by the public. Among the various security methods, OTP (one time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods which can detour OTP have been developed that additional security for OTP is now needed. In this study, we discovered that a new kind of attack through OTP is theoretically possible through an analysis of the currently implemented OTP system and known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services, and empirically proved that it could effectively detour around all of the currently implemented OTP security systems in Korea. To prevent this, we also suggested solutions based on the root cause analysis of the OTP vulnerabilities.

AB - The security risk of internet banking has increased rapidly as internet banking services have become commonly used by the public. Among the various security methods, OTP (one time password) is known as one of the strongest methods for enforcing security, and it is now widely used in internet banking services. However, attack methods which can detour OTP have been developed that additional security for OTP is now needed. In this study, we discovered that a new kind of attack through OTP is theoretically possible through an analysis of the currently implemented OTP system and known attack methods. Based on our theory, we tested the new attack method on Korean internet banking services, and empirically proved that it could effectively detour around all of the currently implemented OTP security systems in Korea. To prevent this, we also suggested solutions based on the root cause analysis of the OTP vulnerabilities.

KW - Internet banking

KW - Man-in-the-middle attack

KW - OTP (one time password)

KW - Reverse engineering

UR - http://www.scopus.com/inward/record.url?scp=84929521524&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84929521524&partnerID=8YFLogxK

U2 - 10.1007/s11042-014-1888-3

DO - 10.1007/s11042-014-1888-3

M3 - Article

AN - SCOPUS:84929521524

VL - 74

SP - 3289

EP - 3303

JO - Multimedia Tools and Applications

JF - Multimedia Tools and Applications

SN - 1380-7501

IS - 10

ER -