Friday, March 18, 2022

Cross Reference Post - OTP thieves and what I.T should do

This is a cross-reference post for my Medium post: OTP thieves and what I.T should do.


OTPs have become very common nowadays, and with R&AW’s (Research and Analysis Wing) advanced hacking equipment and spying, OTP theft has become very, very easy! Shame on certain foreigners for co-operating with spies from other countries (they should be called traitors of their countries, because they are co-operating with spies of other countries to get into their country and hack/spy on their own countries, in return for whatever benefits).

For example, adding a debit/credit card for NFC payments requires an OTP, and it’s very easy for spies to add someone else’s cards to their own mobiles. They might or might not use the cards, but they would add them to allow impersonation/anonymization, in other words to conceal their real identities or anonymize the target.

I have the Bank Of America mobile application on my Android phone. I have the ICICI Bank mobile application on my Android phone. Let me explain the approaches taken by these two mobile applications.

Bank Of America requests an OTP, but I don’t have to view the SMS when using the mobile application: the application automatically reads the OTP without displaying it on screen and logs in. An excellent approach to keeping away the prying wings.

ICICI, when registering for the first time, generates a unique long code, sends the code as an SMS from the mobile phone, and activates. I did reverse engineer ICICI, but here is my assumption about the architecture:
a) Send the mobile number to the app’s server and receive a unique one-time code and, obviously, some kind of session id.
b) Send the unique one-time code to the server using SMS.
c) The server validates that the SMS with the unique one-time code came from the registered mobile number.
d) The client app then logs into the bank application.

In the two approaches mentioned above there is very little scope for OTP theft. Mobile application developers should look into these approaches, and maybe even more secure methods of login/verification, considering the threat of terrorist wings!
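To make the assumed architecture concrete, here is an added example (my own code, not ICICI’s or Bank Of America’s, and not from the original Medium post) that simulates the server side of steps a) to d) in Python. The SMS body format BIND <session_id> <code>, the five-minute expiry, and the phone numbers are assumptions of the example. It also shows why this flow narrows the scope for OTP theft, as claimed above: a thief who obtains the one-time code but sends it from a different number is rejected, and a code that has already been used or has expired is rejected too.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class BindingSession:
    session_id: str
    mobile_number: str      # number the app claimed in step a)
    code: str               # one-time code handed to the app in step a)
    issued_at: float
    verified: bool = False  # set once a matching SMS arrived from the right number


class SmsBindingServer:
    """Toy server for the SMS-originated binding flow assumed above (steps a-d)."""

    TTL_SECONDS = 300  # assumption: a code is only honoured for five minutes

    def __init__(self, registered_numbers, clock=time.time):
        self.registered = set(registered_numbers)  # numbers on file for customers
        self.sessions = {}                         # session_id -> BindingSession
        self.clock = clock                         # injectable for deterministic tests

    def start_registration(self, mobile_number):
        """Step a): the app sends its number; the server returns a session id and a code."""
        if mobile_number not in self.registered:
            raise ValueError("mobile number is not registered")
        session_id = secrets.token_urlsafe(16)
        code = secrets.token_hex(16)  # 128-bit random code, not a guessable 6-digit OTP
        self.sessions[session_id] = BindingSession(
            session_id, mobile_number, code, self.clock()
        )
        return session_id, code

    def receive_sms(self, sender_number, body):
        """Steps b) and c): the SMS gateway delivers sender number and body; check both.

        Body format (assumed): 'BIND <session_id> <code>'. Returns True only when the
        code matches the session AND the SMS came from the number the session was
        opened for. Every failure returns False without saying which check failed.
        """
        parts = body.split()
        if len(parts) != 3 or parts[0] != "BIND":
            return False
        _, session_id, code = parts
        session = self.sessions.get(session_id)
        if session is None or session.verified:
            return False  # unknown session, or replay of a code already used
        if self.clock() - session.issued_at > self.TTL_SECONDS:
            del self.sessions[session_id]  # expired: discard so it cannot be retried
            return False
        if not hmac.compare_digest(code, session.code):
            return False  # constant-time comparison of the one-time code
        if sender_number != session.mobile_number:
            return False  # the decisive check: right code, but sent from another device
        session.verified = True
        return True

    def login(self, session_id):
        """Step d): the app may log in only on a session the SMS step verified."""
        session = self.sessions.get(session_id)
        return session is not None and session.verified


if __name__ == "__main__":
    # Constructed walk-through with a made-up number.
    server = SmsBindingServer(["+911111111111"])
    sid, otp = server.start_registration("+911111111111")
    print("login before SMS:", server.login(sid))
    print("SMS from other number accepted:", server.receive_sms("+912222222222", f"BIND {sid} {otp}"))
    print("SMS from registered number accepted:", server.receive_sms("+911111111111", f"BIND {sid} {otp}"))
    print("login after SMS:", server.login(sid))
```

The decisive check is the comparison of the sending number against the number the session was opened for, not the code itself. That check is only as trustworthy as the SMS gateway’s reporting of the originating number, so the code is still long, random, single-use and short-lived so that neither piece alone is enough.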
