Experimental Study on One-Time Password used in Authentication within Norwegian Banking

Postponed access: the file will be accessible after 2021-06-02Authentication is a vital part of this fast-growing, digitalized world. Fundamentally, today’s society is more reliant on computer technology and digitalization than ever before. Therefore, the use of dynamic one-time passwords plays a significant role within online banking in Norway by strengthening the level of security. This study examines four tokens provided by DNB, Sparebanken Møre, Sparebank 1 and Nordea used in token-based authentication and the one-time passwords they generate. By studying one-time passwords collected at various time intervals, it was able to reconstruct the internal token-algorithm and the verification protocol. This research argues that three out of four tokens indicate weaknesses that can have damaging effects. This is also proven by explaining a basic theoretical attack, which demonstrates that the success probability of an attack is higher than the expected probability of 10^(-6) or 10^(-8).Masteroppgåve i informatikkINF399MAMN-PROGMAMN-IN

Experimental Study on One-Time Password used in Authentication within Norwegian Banking

Authentication is a vital part of this fast-growing, digitalized world. Fundamentally, today’s society is more reliant on computer technology and digitalization than ever before. Therefore, the use of dynamic one-time passwords plays a significant role within online banking in Norway by strengthening the level of security. This study examines four tokens provided by DNB, Sparebanken Møre, Sparebank 1 and Nordea used in token-based authentication and the one-time passwords they generate. By studying one-time passwords collected at various time intervals, it was able to reconstruct the internal token-algorithm and the verification protocol. This research argues that three out of four tokens indicate weaknesses that can have damaging effects. This is also proven by explaining a basic theoretical attack, which demonstrates that the success probability of an attack is higher than the expected probability of 10^(-6) or 10^(-8)