
Analyzing the Security of OTP 2FA in the Face of Malicious Terminals

Conference paper. Information and Communications Security (ICICS 2021).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12918)

Abstract

One Time Password (OTP) is the most prevalent 2FA method among users and service providers worldwide. Given its ubiquitous presence in users' day-to-day activities, it is imperative to assess this 2FA scheme's security from multiple perspectives. In this work, we assess the security of seven commercially deployed OTP-2FA schemes against malware in the terminal attack model, without compromising any 2FA device or authentication service. To implement this attack scenario, we develop a combination of attack modules that capture the password and the OTP in different ways during the user's login attempt. At the same time, the malware originates a fresh, concurrent hidden session, either from within the terminal or remotely, to take possession of the user account without compromising the service, the network, or any external device. We examine the implemented attack against seven different popular public services, which mostly use two variants of OTP-2FA, and observe that almost all of them are vulnerable to this attack. The threat model is practical: the attack components can be installed in the user's terminal without any root/administrator privilege, and the attack modules require few resources to run. The whole procedure runs in the background, which makes the attack hard to notice, and it achieved low detectability when examined against prominent anti-malware programs, indicating a real-world threat. Our analysis of the OTP-2FA schemes shows that an adversary who can install malware on the user's terminal can defeat almost all popular and widely used OTP-2FA schemes, which are vital security components of online accounts and secure financial transactions. The result also shows that the OTP-2FA scheme adds no extra security on top of the password in the presence of a malicious program in the terminal.



Acknowledgements

The authors are thankful to the shepherd Yuhong Nan and the anonymous reviewers for their feedback. This work is funded in part by NSF grants CNS-1547350, CNS-1526524 and CNS-1714807.

Author information

Corresponding author: Ahmed Tanvir Mahdad.

A Appendix

A.1 Tables

Table 4. Attack variant resource consumption

A.2 Other snapshots

Fig. 6. Flow diagrams of remote and inside attack on OTP

Fig. 7. Collection of snapshots of OTP-2FA prompt UI from user terminal and 2FA device


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Mahdad, A.T., Jubur, M., Saxena, N. (2021). Analyzing the Security of OTP 2FA in the Face of Malicious Terminals. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science(), vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_6


  • DOI: https://doi.org/10.1007/978-3-030-86890-1_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86889-5

  • Online ISBN: 978-3-030-86890-1

  • eBook Packages: Computer Science (R0)
