The One Time Passwords Technology Description Report

Introduction

Due to advances in technology, business partners and employees can now access information and resources remotely (Meersman, Dillon & Herrero, 2009). One of the key requirements for financial institutions is that they have to safeguard clients’ information. To do so, banks allocate passwords to clients for use in accessing their accounts. However, this method is prone to hacking (Meersman et al., 2009). This calls for a system that can safeguard the privacy of clients. The paper shall endeavor to examine one-time passwords (OTPs) as a technique that enhances the user’s security.

Brief description of the technology

The One-Time Password is a single-use password that has been randomly generated (Infosec, n. d.). The system allows banks to send secure single-use passwords to their customers. In addition, OTPs allows banks to improve the security of online banking. However, customers have to request OTPs every time they want to perform a transaction (Infosec, 2008). The customer is first required to provide his/her mobile phone number or e-mail address in order to facilitate the verification process. Once the information has been verified, the bank sends a “One-Time Password” to the user in the form of an SMS. Alternatively, the bank can send a verification code to the user’s e-mail address. The mobile phone number or e-mail address acts as a security measure, and the password sent has a definite expiry period. One of the organisations providing OTPs services is Nordic Edge (Integrated Switched System, 2007).

Type of control

OTPs prevent unauthorised persons from accessing confidential information (Infosec, n. d.). As such, they are a preventive type of control. In addition, OTPs also restraint or discourage unauthorised persons from accessing confidential information.

Strengths and weaknesses

Strengths

Some of the strengths of the OTPs include:

• OTPs do not require policing and policy decisions.
• OTPs do not require specific hardware to facilitate delivery
• The OTPs require minimal support effort and modest investment
• OTPs have a high level of security, and this makes it hard for hackers to manipulate a client’s account.

Weaknesses

OTPs are characterised by the following weaknesses:

• OTPs are prone to social engineering attacks. For example, attackers can deceive consumers to provide them with past OTPs, thereby compromising their security.
• The system is prone to human manipulation
• OTPs are prone to “man-in-the middle attacks”.
• The system is costly to manage.
• Some users are reluctant to trust organisations with their valuable information.

In what area is the deployment of OTPs is justified?

OTPs have gained a lot of popularity in the various sectors of the economy, and more so in the banking industry where they have been deployed in online banking. In this case, the customer has to first register his/her mobile phone number and/or e-mail address with the bank. The bank saved this information in its database. In case the customer wishes to make a transaction with the bank, he/she has to provide his/her mobile phone number and e-mail address for verification. Upon successful verification, the bank sends the customer a one-time password in the form of an SMS.

Procedural control surrounding its use

OTPs are based on mobile enterprise application architecture (Tyntec Press Release, 2006). Organisations like banks need to document users’ information first in a database. This is important so that in case the client sends a request, the system can locate the client’s information from the database. Once the information has been verified, the system generates a One-Time Password and sends it to the client in the form of an SMS or e-mail.

Audit and logging checks

The following techniques can be used while auditing and logging checks for an OTP system:

• Allowing users to register more than one phone number so that in case one of the phones is lost, they can notify the bank promptly.
• Generating a secret key that the user is able to recognise.
• The one-time password should be valid for a few hours only, after which the client has to make another request.
• The user should be requested to answer a secret question before he/she can receive the one-time password.

Cracking the system

The OTPs system can be cracked using various methods:

Brute-force attack: This is a technique in which the attacker tries to use all the keys in a bid to crack the one-time password. This technique is a very exhaustive way of searching and locating encrypted data.

“Man-in-the middle” attack: In this form of attack, the attacker tries to intercept the replies of a bank to its users. The bank assumes that it is dealing with genuine account holders. This allows the attacker to send the desired transaction to the bank.

Conclusion

OTPs have proven to be a very effective way of preventing identity theft and fraud in areas like internet banking. It is a form of double-authentication system that enhances user security. The system uses the existing hardware and does not require policing. However, it is prone to cracking techniques like the brute-force attack and the “man-in-the middle” attack.

Reference List

Infosec. (2008). Clavister SMS One-Time Password Service. Web.

Infosec. (n.d). One time passwords via SMS secure strong authentication. Web.

Integrated Switched System. (2007). SMS one time password. Web.

Meersman, R., Dillon, T., & Herrero, P. (2009). On the move to meaningful internet systems: Otm 2009: Confederated. London: Springer.

TynTec Press Release. (2006). TynTec Launches Mobile One-Time Passwords for Banking Industry. Web.