RT info:eu-repo/semantics/article
T1 App-based detection of vulnerable implementations of OTP SMS APIs in the banking sector
A1 Aparicio de la Fuente, Amador
A1 Martínez González, María Mercedes
A1 Cardeñoso Payo, Valentín
K1 Android
K1 Security
K1 Banking
K1 Apps
K1 1203.17 Informática
AB Two Factor Authentication (2FA) using One Time Password (OTP) codes via SMS messages is widely used. In order to improve user experience, Google has proposed APIs that allow the automatic verification of the SMS messages without the intervention of the users themselves. They reduce the risks of user error, but they also have vulnerabilities. One of these APIs is the SMS Retriever API for Android devices. This article presents a method to study the vulnerabilities of these OTP exchange APIs in a given sector. The most popular API in the sector is selected, and different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations are vulnerable. The proposed methodology, applied here to the banking sector, is nevertheless simple enough to be applied to any other sector, or to other SMS OTP APIs. One of its advantages is that it proposes a method for detecting bad implementations on the server side, based on analyses of the apps, which boosts reusability and replicability, while offering a guide to developers to prevent errors that cause vulnerabilities. Our study focuses on Spain’s banking sector, in which the SMS Retriever API is the most popular. The results suggest that there are vulnerable implementations which would allow cybercriminals to steal the users SMS OTP codes. This suggests that a revision of the equilibrium between ease of use and security would apply in order to maintain the high level of security which has traditionally characterized this sector.
PB Springer
SN 1022-0038
YR 2023
FD 2023
LK https://uvadoc.uva.es/handle/10324/60698
UL https://uvadoc.uva.es/handle/10324/60698
LA eng
NO Wireless Networks, 2023.
NO Producción Científica
DS UVaDOC
RD 14-ene-2025