Browse > Article
http://dx.doi.org/10.13089/JKIISC.2011.21.6.83

A study on the vulnerability of OTP implementation by using MITM attack and reverse engineering  

Kang, Byung-Tak (Graduate School of Information Security, Korea University)
Kim, Huy-Kang (Graduate School of Information Security, Korea University)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.21, no.6, 2011 , pp. 83-99 More about this Journal
Abstract
OTP (One Time Password) is widely used for protecting accounts on Internet banking, portal services and online game services in Korea. OTP is very strong method for enforcing account security but there are several ways for exploiting vulnerabilities caused by implementation errors. These attacks can work because of the weakness from OTP enabled system's vulnerabilities, not for OTP's algorithm itself. In this paper, we present the known attack scenarios such as MITM (Man-in-the-Middle) attack and various reverse engineering techniques; also, we show the test result of the attacks and countermeasures for these attacks.
Keywords
OTP; Malware; Reverse Engineering; MITM attack; Internet Banking;
Citations & Related Records
Times Cited By KSCI : 2  (Citation Analysis)
연도 인용수 순위
1 Augusto, P. B. "O futuro dos backdoors - O pior dosmundos", Retrieved August 10, 2010, http://www.paesdebarros.com. br/backdoors.pdf Sep. 15. 2005
2 Chun-Ming Leung, "Depress phishing by CAPTCHA with OTP," 3rd International Conference on Anti-counterfeiting, Security, and Identification in Communication, pp.187-192 Aug, 2009
3 Wikipedia.: No Phishing, http://ko.wikipedia. org/wiki/%EB%85%B8%ED%94% BC%EC%8B%B1
4 Blackinkbottle, "RSA Interoperability between JavaScript and RSACrypto- ServiceProvider - Form Login Example," Codeproject, http://www.codeproject.com/ KB/aspnet/rasinterop.aspx Aug, 2005
5 시큐어브라우저 http://www.ahnlab.com/kr/site/product/productView.do?prodS eq=48
6 금융보안연구원, "거래연동 인증기술의 이해," 이슈리포트 2010-001, 2010년 1월
7 Gartner, "Transaction Verification Complements Fraud Detection and Stronger Authentication," http://www.gartner. com/id=496217 Nov, 2006
8 S.Driner "Otimised to Fall: Card Readers for Online Banking," Springer, Light Blue Touchpaper http://www.lightbluetouchpaper. org/2009/02/ Feb 2009
9 UOTP, http://www.u-otp.co.kr/blog/
10 Wikipedia.: Man-in-the-middle Attack , http://en.wikipedia.org/wiki/Man_in_t he_middle_attack
11 Security aspects of the SuisseID, http://postsuisseid.ch/en/suisseid/sec urity/security-aspects
12 Heutige Situation, Angriffsvarianten und mögliche Schutzmassnahmen, "Cyber- Kriminalität ist heute zur Normalität geworden," Robert Weiss Consulting "The WEISSBUCH-Company" 2009
13 Phishing attack targets one-time passwords - scratch it and weep, http://www.theregister.co.uk/2005/ 10/12/outlaw_phishing/
14 Citibank Phish Spoofs 2-Factor Authentication, http://blog.washington post.com/securityfix/2006/07/citibank _phish_spoofs_2factor_1.html
15 NetworkWorld, "New Trojan intercepts online banking information," Jan. 14.2008
16 Guhring, P. "Concepts against man-inthe- browser attacks," Jan, 24. 2007
17 맹영재, 신동오, 김성호, 양대헌, 이문규, "국내인터넷뱅킹 계좌이체에 대한 MITB 취약점 분석,"Internet and Information Security, 제1권 제 2호, pp.101-118, 2010년 11월.
18 Steeves, D.J., & Snyder, M.W. "Secure online transaction using a CAPTCHA image as a watermark," U.S.Patent, 11/157,336, Jun, 2005
19 지정PC등록제, Nexon, http://security.nexon.com/ pcr/index.aspx
20 전화승인서비스, http://bank1.kbstar.com/ quics?asfilecode=5023&_nextPage=pa ge=B002346
21 mControl, NCSoft, https://security. plaync.co.kr/privateservice/mcontrol/i ntro.aspx
22 Hangbae Chang, "The study on endto- end security for ubiquitous commerce," The Journal of Supercomputing Volume 55 Issue 2, pp.228-245, Feb 2011   DOI   ScienceOn
23 배광진, 임강빈, "키보드 보안의 근본적인 취약점분석," 한국정보보호학회지, 제18권 제3호,pp.89-95, 2008년 4월.
24 Wikipedia.: One-Time Password, http://en. wikipedia.org/wiki/One-time_password
25 Linda D. Paulson, "Key snooping technology causes controversy," IEEE Computer, pp.27, Mar. 2002
26 강병탁, "Bypass AntiVirus - 키보드 보안 솔루션 취약점," 마이크로소프트웨어 pp.204-211,2009년 6월.
27 서승현, 강우진, "OTP기술현황 및 국내 금융권OTP 도입사례," 한국정보보호학회지, 제17권 제3호, pp. 18-25, 2007년 6월.
28 S. Mizuno, K. Yamada, and K. Takahashi, "Authentication using multiple communication channels," in DIM 2005: Proceedings of the 2005 workshop on Digital identity management. New York, NY, USA: ACM, pp.54-62. Nov. 2005
29 Wikipedia.: Two-factor Authentication, http://en.wikipidia.org/wiki/two-facto r_authentication
30 Fadi Aloul, Syed Zahidi, Wassim and El-Hajj, "Two factor authentication using mobile phones," IEEE/ACS International Conference on Computer Systems and Applications, pp.641-644, Apr. 2009
31 Hallsteinsen, S., Jorstad, I., and Thanh,D. "Using the Mobile Phone as s Security Token for Unified Authentication. In," ICSNC 2007. IEEE Computer Society, Los Alamitos pp.68, Aug. 2007
32 Thanh, D., Jonvik, T., Feng, B., Thuan, and D., Jorstad, I., "Simple Strong Authentication for Internet Applications Using Mobile Phones,". IEEE GLOBECOM pp.1-5, Nov, 2008
33 Wei-Chi KU, Hao-Chuan TSAI, and Maw-Jinn TSUAR, "Stolen - verifier attack on an efficient smartcard-based one-time password authentication scheme," IEICE Transactions on Communication, vol.E87-B, no8, pp.2374-2376, Jan, 2005
34 김소이, "전자금융사고 발생유형 및 대응현황," 지급결제와 정보기술, pp.35-61, 2010년 10월.
35 "온라인게임 보안서비스 설문조사," 인소야닷http://www.insoya.com/bbs/zboard.php?id=poll&no=39
36 임형진, 심희원, 서승현, 강우진, "전자 금융 거래환경의 인증 기술 동향 분석," 한국정보보호학회학회지, 제18권 제5호, pp.84-98, 2008년 10월.
37 유정각, 송주민, "인터넷뱅킹 호환성을 고려한 보안기술 적용방안," 지급결제와 정보기술, pp.84-98,Jul. 2010.
38 Petr Hanacek, Kamil Malinka, and Jiri Schafer, "E-Banking Security - Comparative Study," 10th ACIS, pp.263-26 Jun.2009
39 Alain Hiltgen, Thorsten Kramp, and Thomas Weigold, "Secure Internet Banking Authentication," IEEE Security & Privacy, 2006
40 Oppliger, R. Rytz, and R. Holderegger, T.eSecurity Technol, "Internet Banking: Client-Side Attacks and Protection Mechanisms," IEEE Computer, pp.27-33, Aug 2009