http://dx.doi.org/10.7840/kics.2017.42.2.349

Smartphone Ownership and Location Checking Scheme for Fixing the Vulnerabilities of SMS-Based Authentication  

Kwon, Seong-Jae (Department of Infrastructure Security, NHN Entertainment)
Park, Jun-Cheol (Department of Computer Engineering, Hongik University)
Abstract
Many Web sites adopt SMS (Short Message Service)-based user authentication when a user loses her password or approves an online payment. In SMS-based authentication, the authentication server sends a text in plaintext to a user's phone, which allows an attacker who eavesdrops on or intercepts the text to impersonate a valid user (the victim). We propose a challenge-response scheme that proves to the authentication server that a user is in a certain place at the moment with her smartphone beside her. The proposed scheme generates a response from a challenge issued by the server, the user's current location, and a secret on the user's smartphone, all together. Consequently, the scheme is much more secure than SMS-based authentication, which simply asks a user to send the same text that arrived on her phone back to the server. In addition to entering the response, which substitutes for the SMS text, the scheme also requires a user to input a passphrase to start the authentication process. We believe, however, that the additional typing should be tolerable to most users considering the enhanced security level of the scheme.
Keywords
SMS-based authentication; Challenge-Response; Ownership and Location Checking; Authentication App; Passphrase
Citations & Related Records
Times Cited By KSCI: 5