The intensity and sophistication of account takeover attacks continue to rise inexorably. Security breaches at trusted companies are in the news on a daily basis, with stolen consumer data acting as the new currency of the digital underworld. The risk of reputational damage and financial losses is at an all-time high, and yet organizations, including financial institutions around the world, continue to buy and deploy outdated, easily compromised user and transaction authentication systems.

The most popular system is the one-time password (OTP), a passcode valid for a single system login or online transaction and then discarded. The concept, devised to address the shortcomings of static passwords, was first developed and considered state of the art in the 1980s, nearly three decades ago. These systems continue to factor in banks’ plans for online transaction authentication and security, despite their proven vulnerabilities to today’s sophisticated global cyber threats.

For nearly a decade cyber criminals have been successfully attacking OTP-based systems. One of the largest early attacks happened in October 2005, when Swedish Internet bank Nordea fell prey to a phishing scam that compromised its paper-based one-time password security system. A year later, in July 2006, Citibank’s CitiBusiness Online was also compromised. By directing customers to a phony website where they entered their user name, password and the OTP generated by their hardware token, fraudsters obtained everything they needed to break into the accounts.

A well-known assault against two-factor authentication systems occurred in 2012 when cyber criminals gained access to individual and commercial accounts at nearly 30 banks in Europe, scamming almost 30,000 online banking customers out of approximately €36 million ($47 million). Fraudsters had tricked victims into downloading Eurograbber, a variation of the Zeus trojan, onto their computers and mobile devices, enabling hackers to hijack online banking sessions in a classic man-in-the-middle attack. 

There are various types of OTP-based authentication systems, mostly differing in the ways OTPs are distributed to banking customers. However, all OTP systems share the same flaws and vulnerabilities. First, they are all symmetric, because the bank has access to the same secrets as its customer. Secondly, OTP systems all remain reliant on browser-based communications back to the bank. This means that if a phishing site mimics the bank’s online banking or the browser is otherwise compromised, the customer’s credentials and the OTP can be harvested by fraudsters and immediately used to gain access to accounts and authenticate fraudulent transactions.
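To make the two flaws concrete, the following is an added example (it is not code from the original post or from Entersekt) implementing a standard time-based OTP (RFC 6238, built on the RFC 4226 HOTP construction) and a bank-side verifier. The shared secret is the RFC 6238 test-vector key, used here as a constructed sample. The example shows the symmetry (the bank can compute the customer's code from the same secret), that the verifier has no notion of which login or transaction a code authorizes, and a replay guard that rejects a code once it has been consumed within the acceptance window.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class BankOtpVerifier:
    """Bank-side verifier. It holds exactly the same secret as the customer's token,
    which is what makes the scheme symmetric: either party can produce any code."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret = secret
        self.window = window          # accept +/- this many time steps of clock drift
        self.step = step
        self.consumed = set()         # (counter, code) pairs already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        # Note what is NOT here: no transaction amount, payee or session binding.
        # Whoever submits a valid code inside the window is accepted, which is why
        # a code harvested by a phishing page is immediately usable by the attacker.
        counter = unix_time // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if (c, code) in self.consumed:
                    return False      # replay of a code that was already spent
                self.consumed.add((c, code))
                return True
        return False


def demo() -> dict:
    """Walk through the symmetric property and the replay guard; returns the observations."""
    secret = b"12345678901234567890"      # RFC 6238 test secret (constructed sample)
    now = 59                               # RFC 6238 test timestamp

    customer_code = totp(secret, now)      # what the customer's token displays
    bank_predicted = totp(secret, now)     # the bank can compute the identical value
    bank = BankOtpVerifier(secret)

    first_use = bank.verify(customer_code, now)        # accepted, origin unknown to the bank
    replay = bank.verify(customer_code, now + 11)      # same code again, still in window

    return {
        "customer_code": customer_code,
        "symmetric": customer_code == bank_predicted,
        "first_use_accepted": first_use,
        "replay_accepted": replay,
    }


if __name__ == "__main__":
    print(demo())
```

The replay guard limits a stolen code to a single use, but it does nothing about the first use: a code relayed in real time from a phishing page is indistinguishable from one typed by the customer, because the verifier only checks that the code matches the shared secret for the current time step.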

It’s high time the financial services industry moved on from this legacy technology. It is simply no match for the most commonly used online fraud schemes today. For financial institutions intent on providing a secure and convenient method for customers to transact online, there are new solutions available today that can virtually eliminate all types of man-in-the-middle attacks.

For more information, please download Entersekt’s white paper, OTP: Security Past its Expiration Date.

Entersekt editor

An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.