Home / Banking Strategies / One Time Passwords for Mobile Authentication

One Time Passwords for Mobile Authentication


Financial institutions are increasingly adopting mobile authentication for online/Internet banking and deploying mobile platforms that enable customers to conduct banking transactions anytime, anywhere. Defending against mobile-based threats, however, requires a more effective approach to identity assurance, as most authentication controls have documented vulnerabilities while malware specific to mobile is increasing. Simple passwords are already widely known to be compromised. Fraudsters have also effectively overcome other traditional authentication methods.

To combat simple password vulnerability, most banks have implemented strong hardware-based authentication for their commercial customers but rarely on the consumer side, thinking it costly and complicated to deploy and manage and inconvenient for users. This all changes, however, with the advent of advanced mobile security that fosters a convenient banking experience with out-of-band strong authentication.

Password Authentication

The most basic mobile authentication option is delivering a One Time Password (OTP) via SMS. An online banking customer logging in to the bank’s website with username and password triggers a request to send an OTP to his or her registered mobile phone. Upon receipt of a text message with the OTP, the customer enters it into an additional field on the banking site’s login page to complete the login process.

There are drawbacks to this approach. First, it pushes extra costs onto some end users, particularly in North America, where customers must  pay for the messages they receive. Second, it is subject to network coverage, network latency and SMS delivery issues, which creates uncertainty over whether SMSs will be delivered quickly, or at all. Third, it doesn’t address the Man-in-the-Middle fraud problem – an SMS is generated in the backend and sent via the network, so there’s greater chance it will be intercepted. Fraudsters have successfully launched targeted attacks using SMS-related malware. For instance, perpetrators of the Zeus Botnet Eurograbber attack stole $47 million in assets from more than 30,000 corporate and private banking customers.

Alternatively, the mobile phone can be turned into a “soft token” by installing software that generates OTPs on the device, itself. OATH-compliant HMAC-based algorithms (HTOP) or time-based OTP algorithms (TOTP) can be used. A unique combination of time and event-based algorithm is considered more secure. While not as seamless as SMS OTP from the rollout and support standpoint, mobile OTP offers advantages in terms of cost and usability and protection.

However, it is important to note that mobile OTP generators, if poorly implemented, are susceptible to fraudster attacks. Ensuring OTPs are generated securely only for intended users requires advanced technologies to mitigate key threats, such as:

Phishing: Ensure that each software token is bound to the device of the user on which the application is installed.

Keystroke Logging: Preclude attacker from capturing OTPs using key-logging. Even with a captured PIN or activation code, the attacker will be unable to generate an identical (clone) mobile software token.

Static Code Dump/Patch Runtime Debugging: Even if the unique device IDs are spoofed, the mobile software token must have sophisticated levels of code obfuscation and symbol stripping, as well as an additional security layer in the form of a PIN, built-in. These measures ensure that even through reverse engineering by an attacker, an OTP will not be generated.

System Resource Manipulation: In this type of an attack, a “jail-broken” or rooted device is required. The mobile software token does not operate on such a device thereby circumventing such an attack.

Static Code Dump/Patch: Sophisticated levels of anti-piracy security layers in mobile software tokens deter attackers from creating pirated and adapted mobile soft tokens and using them to obtain OTPs.

Brute Force: The mobile software token must be PIN protected and designed to self-destruct after five incorrect entries entered consecutively. The mobile software token can also be protected with a layer of PIN camouflaging. In this case, an incorrect PIN will be accepted and an invalid OTP will be displayed. The attacker has no way of knowing if an input PIN is correct or incorrect.

Dynamic Memory Access: In this type of an attack, the device would need to be in a vulnerable state such as jail broken or rooted. The mobile software token should implement sophisticated layers of verification to determine if the device is compromised and ceases to operate.

Chosen Plain Text Brute Force: The attacker will not be able to mount this attack as it is computationally not feasible to obtain the token secret key in brute force.

Screen Capturing: It should be possible to deploy the mobile software token with the configuration to generate OATH-compliant time-based OTP and Challenge/Response with a short time validity for making it ineffective to capture and relay.

Additionally, all strong authentication solutions should be implemented as part of a larger, multi-layered, context-based security strategy that also includes device profiling, malware forensics, transaction verification and mutual authentication between the user and the application. This requires an integrated, versatile authentication platform with real-time threat detection capabilities. The advanced fraud prevention seamlessly integrates with all major banking platforms and the threat detection piece is transparent, so that there is no software for the user to install. The security benefits to the financial institution are immediate and provide customers with the peace of mind that their on-line banking provider has taken steps to provide a secure environment in which to conduct their financial transactions conveniently.

Ms. Serrato is senior solutions marketing manager, Identity Assurance, with Austin, Tex.-based HID Global, a brand of Sweden’s ASSA ABLOY Group. She can be reached at [email protected]