pith. sign in

arxiv: 1506.06332 · v1 · pith:C5VW76UInew · submitted 2015-06-21 · 💻 cs.CR

Experimental Study of DIGIPASS GO3 and the Security of Authentication

classification 💻 cs.CR
keywords attackdigipassexpectedableaccountsalgorithmanalysisargue
0
0 comments X
read the original abstract

Based on the analysis of $6$-digit one-time passwords(OTP) generated by DIGIPASS GO3 we were able to reconstruct the synchronisation system of the token, the OTP generating algorithm and the verification protocol in details essential for an attack. The OTPs are more predictable than expected. A forgery attack is described. We argue the attack success probability is $8^{-5}$. That is much higher than $10^{-6}$ which may be expected if all the digits are independent and uniformly distributed. Under natural assumptions even in a relatively small bank or company with $10^4$ customers the number of compromised accounts during a year may be more than $100$.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.