Abstract
One Time Password (OTP) is the most prevalent 2FA method among users and service providers worldwide. Given its ubiquitous presence in users' day-to-day activities, it is imperative to assess the security of this 2FA scheme from multiple perspectives. In this work, we assess the security of seven commercially deployed OTP-2FA schemes against malware in the terminal attack model, without compromising any 2FA device or authentication service. To implement this attack scenario, we develop a combination of attack modules that capture the password and the OTP in different ways during the user's login attempt. At the same time, the malware originates a fresh, concurrent hidden session, either from within the terminal or remotely, to take possession of the user's account without compromising the service, the network, or any external device. We evaluate the implemented attack against seven different popular public services, which mostly use two variants of OTP-2FA, and observe that almost all of them are vulnerable to this attack. The threat model is practical: the attack components can be installed in the user's terminal without any root/administrator privilege, and the attack modules require few resources to run. The whole procedure runs in the background, which makes the attack very stealthy; it also attains low detectability when examined against prominent anti-malware programs, indicating a real-world threat. Our analysis of the OTP-2FA schemes indicates that an adversary who can install malware on the user's terminal can defeat almost all popular and widely used OTP-2FA schemes, which are vital security components of online accounts and secure financial transactions. The result also shows that the OTP-2FA scheme does not add extra security on top of the password when a malicious program is present in the terminal.
Acknowledgements
The authors are thankful to the shepherd Yuhong Nan and the anonymous reviewers for their feedback. This work is funded in part by NSF grants CNS-1547350, CNS-1526524 and CNS-1714807.
A Appendix
A.1 Tables
A.2 Other snapshots
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Mahdad, A.T., Jubur, M., Saxena, N. (2021). Analyzing the Security of OTP 2FA in the Face of Malicious Terminals. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science, vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_6
DOI: https://doi.org/10.1007/978-3-030-86890-1_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86889-5
Online ISBN: 978-3-030-86890-1
eBook Packages: Computer Science, Computer Science (R0)