Por favor, use este identificador para citar o enlazar este ítem:https://uvadoc.uva.es/handle/10324/60698
Título
App-based detection of vulnerable implementations of OTP SMS APIs in the banking sector
Año del Documento
2023
Editorial
Springer
Descripción
Producción Científica
Documento Fuente
Wireless Networks, 2023.
Abstract
Two Factor Authentication (2FA) using One Time Password (OTP) codes via SMS messages is widely used. In order to improve user experience, Google has proposed APIs that allow the automatic verification of the SMS messages without the intervention of the users themselves. They reduce the risks of user error, but they also have vulnerabilities. One of these APIs is the SMS Retriever API for Android devices. This article presents a method to study the vulnerabilities of these OTP exchange APIs in a given sector. The most popular API in the sector is selected, and different scenarios of interaction between mobile apps and SMS OTP servers are posed to determine which implementations are vulnerable. The proposed methodology, applied here to the banking sector, is nevertheless simple enough to be applied to any other sector, or to other SMS OTP APIs. One of its advantages is that it proposes a method for detecting bad implementations on the server side, based on analyses of the apps, which boosts reusability and replicability, while offering a guide to developers to prevent errors that cause vulnerabilities. Our study focuses on Spain’s banking sector, in which the SMS Retriever API is the most popular. The results suggest that there are vulnerable implementations which would allow cybercriminals to steal the users SMS OTP codes. This suggests that a revision of the equilibrium between ease of use and security would apply in order to maintain the high level of security which has traditionally characterized this sector.
Materias Unesco
1203.17 Informática
Palabras Clave
Android
Security
Banking
Apps
ISSN
1022-0038
Revisión por pares
SI
Patrocinador
Publicación en abierto financiada por el Consorcio de Bibliotecas Universitarias de Castilla y León (BUCLE), con cargo al Programa Operativo 2014ES16RFOP009 FEDER 2014-2020 DE CASTILLA Y LEÓN, Actuación:20007-CL - Apoyo Consorcio BUCLE
Version del Editor
Propietario de los Derechos
© 2023 The Author(s)
Idioma
eng
Tipo de versión
info:eu-repo/semantics/publishedVersion
Derechos
openAccess
Aparece en las colecciones
Files in questo item
La licencia del ítem se describe como Atribución 4.0 Internacional