Abstract: The Norwegian company Encap has developed protocols
enabling individuals to use their mobile phones as one-time password
(OTP) generators. An initial analysis of the protocols reveals minor
security flaws. System-level testing of an online bank utilizing Encap's
solution then shows that several attacks allow a malicious individual to
turn his own mobile phone into an OTP generator for another individual's
bank account. Some of the suggested countermeasures to thwart the
attacks are already incorporated in an updated version of the online
banking system.
https://hal.inria.fr/hal-01056074
Contributor: Hal Ifip
Submitted on: Thursday, August 14, 2014 - 6:02:58 PM
Last modification on: Friday, November 20, 2020 - 4:22:03 PM
Long-term archiving on: Thursday, November 27, 2014 - 1:35:16 AM
Håvard Raddum, Lars Hopland Nestås, Kjell Jørgen Hole. Security Analysis of Mobile Phones Used as OTP Generators. 4th IFIP WG 11.2 International Workshop on Information Security Theory and Practices: Security and Privacy of Pervasive Systems and Smart Devices (WISTP), Apr 2010, Passau, Germany. pp.324-331, ⟨10.1007/978-3-642-12368-9_26⟩. ⟨hal-01056074⟩