Call Merging Scams and Financial Security Risks with Prevention Strategies

 


Fraudsters regularly develop new tactics to deceive their targets. One of the latest is the call merging scam, in which scammers attempt to gain unauthorized access to victims' accounts in order to defraud them. In many cases, victims suffer substantial financial losses due to this scheme.

Indian authorities have issued a warning about a new scam in which scammers manipulate individuals into merging calls, so that the victims unknowingly reveal One-Time Passwords (OTPs). Using this deceptive tactic, fraudsters can gain access to victims' financial accounts and carry out fraudulent activities.

The Unified Payments Interface (UPI), an initiative developed by the National Payments Corporation of India (NPCI), has expressed concern about this emerging threat. As a precautionary measure, UPI cautioned users on its X account about the risks involved in call merging scams and stressed that they pose a serious threat to users.

The advisory urged individuals to remain vigilant, stating, "Fraudsters are using call merging tactics to deceive users into giving out OTPs." NPCI, which oversees the Unified Payments Interface (UPI), has expressed significant concern about the growing cyber fraud epidemic.

The goal of social engineering scammers is to deceive unsuspecting victims into disclosing their sensitive banking credentials. In most cases, the scam begins with the fraudster contacting the target and falsely claiming to have obtained their phone number through a mutual acquaintance.

The fraudster then tries to convince the target to merge the call with another call from a different number. In reality, this second call is an official OTP verification call from the victim's bank. The victim does not know they are being deceived and unwittingly allows someone to access their banking details.

The scam uses social engineering techniques to manipulate individuals into unknowingly divulging their One-Time Password (OTP), an important security feature used for financial transactions.

Victims quite commonly receive a phone call from a trusted source offering lucrative opportunities, or a message from one of their trusted contacts recommending what seems to be a beneficial scheme.

Given the growing prevalence of such fraud, engaging with these communications without due diligence poses a significant security risk. Financial institutions and regulatory agencies are therefore cautioning individuals to remain vigilant when receiving unexpected phone calls and to refrain from sharing OTPs or merging calls without first verifying the identity of the callers.

Because these frauds have become increasingly common, the Unified Payments Interface (UPI) has issued an urgent advisory warning users about the dangers of call merging scams. To avoid being victimized by such deceptive tactics, individuals need to be vigilant and take strict security measures to protect their financial information.

The Call Merging Scam is a deceptive technique that fraudsters use to trick people into unknowingly divulging sensitive information such as One-Time Passwords (OTPs). By exploiting it, scammers can gain unauthorized access to victims' bank accounts and other secured platforms and commit financial fraud.

Modus Operandi of the Scam


Fraudsters commonly make deceptive telephone calls, falsely stating that they obtained the recipient's phone number from an acquaintance or another reliable source.

The victim is then persuaded to merge the call with another one. Depending on the scam, the other party is often presented as a friend or a bank representative.

Without their knowledge, the victim is connected to an automated OTP verification call. The automated call will direct them to a bank site that activates a mobile OTP verification system.

The scammer deceitfully manipulates the victim into believing that sharing the OTP is required for authentication, which allows the victim's financial accounts to be accessed.

Preventive Measures to Safeguard Against Fraud 


Avoid merging calls: If an unknown caller asks to merge calls, decline the request right away. Verify the caller's identity: Whenever users receive an email from someone who claims to represent a financial institution, they should contact the bank directly through its official customer support phone number. Recognize fraudulent requests: Banks never ask customers for an OTP over the phone.

A request of this nature should be viewed as an indication of potential fraud and reported promptly. If an unsolicited OTP is received or fraudulent activity is suspected, individuals should notify their bank immediately and call 1930 (the national cybercrime helpline), so the incident can be investigated further.

Considering the increasing number of scams like these, it has become imperative that one remains vigilant and adopts strict security practices as a precautionary measure to avoid financial loss. Many viral videos and discussions on social media emphasize a single aspect of fraudulent transactions — receiving an OTP via a merged call as opposed to a text message. 

However, they often overlook an important point: an OTP is not sufficient by itself to authorize a transaction. A fraudster needs to obtain essential banking details such as a card number, a card verification value, or a UPI Personal Identification Number (PIN) before he or she can use an OTP as the final step in committing an unauthorized transaction.

To mitigate such risks, the Reserve Bank of India (RBI) has implemented strict security protocols. As of 2021, financial institutions and payment service providers must implement multi-factor authentication (MFA) for electronic transactions, so that a user is verified by more than one factor. This protection is achieved by combining multiple authentication measures, including OTP verification, mobile device authentication, biometric identification, and hardware security tokens, which together provide a high level of security against unauthorized access.

Digital transactions are typically protected by multiple layers of security, each requiring a combination of authentication factors to ensure their integrity. There are three types of authentication: manual, which includes everything the user possesses, such as their credentials, card numbers, and UPI IDs; known, such as their password, CVV, or PIN; and dynamic, such as their OTP, biometric authentication, or device authentication. 

To achieve the highest level of security, all three levels are necessary for most online banking and card transactions. However, a UPI transaction with a value of up to a lakh does not require an OTP and can be authorized with only a UPI ID and PIN. This multi-layered approach greatly reduces financial fraud risks and strengthens the security of digital payments.

India’s New SMS Traceability Rules to Combat Fraud Begin November 1, 2024

 

Beginning November 1, 2024, Indian telecom providers Airtel, Jio, and Vi will follow a new set of SMS traceability and monitoring guidelines mandated by the Telecom Regulatory Authority of India (TRAI). Aimed at combating cybercrime, these measures seek to enhance security by allowing users to block suspicious calls and messages effectively. By tracing SMS sources more accurately, telecom operators can swiftly identify and block fraudulent messages, improving the fight against scams and phishing attempts. 

Additionally, organizations sending promotional SMS, such as banks and e-commerce companies, must adhere to TRAI’s telemarketing standards, or risk their messages being blocked. This initiative aims to create a safer SMS ecosystem, giving users a clearer means to distinguish legitimate messages from scams. Yet, the vast volume of commercial messages sent in India—between 1.5 and 1.7 billion daily—makes it challenging to implement such a system seamlessly. With high-volume traffic, the infrastructure for monitoring requires robust capabilities to ensure message traceability without slowing down service for time-sensitive messages, especially for critical banking and transaction-related OTPs. Another layer of concern involves potential delays in urgent messages. 

These requirements could slow the delivery of essential communications, such as OTPs used in online banking. Telecoms are working to prevent this issue, as delays in these transactional messages could interrupt online financial processes. Balancing security and timely delivery is essential for TRAI and telecom providers, particularly for consumers who rely on timely OTPs and other immediate notifications. The Cellular Operators Association of India (COAI), which represents key telecom companies like Airtel, Jio, and Vodafone-Idea, has requested a two-month delay to facilitate a smoother transition. This extension would allow telecom operators additional time to set up necessary infrastructure and conduct thorough testing to avoid unintentional service disruptions. 

While TRAI maintains its commitment to the November deadline, telecom companies argue that extra preparation time could ensure reliable service delivery and a smoother rollout. Telecom providers have committed to ensuring user security remains intact while providing efficient service. TRAI’s objective is to foster a more secure digital communication environment where consumers feel protected against fraud and unauthorized data use. However, the effectiveness of these changes depends heavily on the ability of telecom companies to meet these new standards without compromising service quality. 

TRAI’s new SMS traceability requirements represent a meaningful step forward in enhancing consumer protection against digital scams. Despite logistical challenges, this initiative could make India’s messaging landscape safer, allowing consumers greater peace of mind. The success of this system depends on how effectively telecom providers can balance secure traceability with minimal disruption to essential services, paving the way for a digital space that prioritizes both security and efficiency.

Singapore Banks Phasing Out OTPs in Favor of Digital Tokens

 


It has been around two decades since Singapore started issuing one-time passwords (OTPs) to help users log in to their bank accounts. However, the city-state is planning to ditch this method of authentication shortly. Over the next three months, major retail banks in Singapore are expected to phase out the use of OTPs for account log-in by digital token users.

Customers with an activated digital token on their mobile device will need to use the token to sign in to their bank account, whether through a browser or the mobile banking app. In a joint statement on Tuesday (Jul 9), the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) said that the digital token will authenticate customers' logins without the need for an OTP, which scammers can steal or trick victims into disclosing.

Those who have not yet activated a digital token are strongly recommended to do so, as this will greatly reduce the chance of having their credentials stolen. According to MAS and ABS, major retail banks in Singapore will gradually phase out the use of One-Time Passwords (OTPs) for bank account log-in by customers who use digital tokens within the next three months.

By doing this, the banks hope to better protect their customers against phishing attacks - at the very least against scams in which scammers get their customers to divulge their OTPs. To secure bank accounts, MAS and ABS encourage the use of digital tokens - apps that run on smartphones and provide OTPs - as a source of second-factor authentication, as opposed to software programs that are installed on computers. 

This will give customers better protection against phishing scams, which have been among the top five scam types over the past year, with at least SGD 14.2 million lost to them, as outlined in the Singapore Police Force Annual Scams and Cybercrime Brief 2023, which was released in January of this year. Customers who have activated their digital token on their mobile device will have to use it when logging in to their bank accounts through a browser or the mobile banking app.

With the token in use, scammers will be unable to steal an OTP, which customers may be tricked into revealing, or non-public information that customers are asked to provide. To lower the chances of having credentials phished, MAS and ABS have urged customers who haven't activated their digital token to do so, so that they don't become victims of identity theft. One-Time Passwords (OTPs) have been in use since early 2000 as a multi-factor authentication option to strengthen the security of online transactions.

Nevertheless, technological advancements and more sophisticated social engineering tactics have since made it easier for scammers to phish for customers' OTPs, for example by setting up fake bank websites that closely resemble real banks' websites and asking for the OTP there. This latest step will strengthen the authentication process and make it harder for scammers to fraudulently access customers' accounts and funds without explicit authorization from the customers' mobile devices.

One-time passwords were introduced during the 2000s as a form of multi-factor authentication to enhance the security of online transactions. MAS and ABS have both warned consumers to be cautious about phishing for their OTPs, given technological improvements and increasingly sophisticated social engineering techniques. There have been several phishing scams in Singapore over the past year, with at least $14.2 million lost to these scams, according to records released by the Singapore Police Force earlier this month.

"It is expected that this latest measure will enhance authentication and will ensure that scammers will not be able to fraudulently access a customer's accounts and funds without the explicit permission of the customer using their mobile devices," they commented. According to ABS Director Ong-Ang Ai Boon, this measure may cause some inconvenience for some consumers, but it is essential to help prevent unscrupulous suppliers and protect customers in the long run.

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced a collaborative effort to strengthen protections against digital banking scams. This initiative involves the gradual phasing out of One-Time Passwords (OTPs) for bank logins by customers utilizing digital tokens on their mobile devices. This rollout is anticipated to occur over the next three months. MAS, represented by Loo Siew Yee, Assistant Managing Director (Policy, Payments & Financial Crime), emphasized their ongoing commitment to safeguarding consumers through decisive action against fraudulent digital banking activities. 

The elimination of OTPs aims to bolster customer security by mitigating the risks associated with phishing attacks. Phishing scams have evolved alongside advancements in technology, enabling fraudsters to more effectively target customer OTPs. They often achieve this by creating deceptive websites that closely mimic legitimate banking platforms. ABS, represented by Director Ong-Ang Ai Boon, acknowledged that this measure might cause minor inconveniences. 

However, they firmly believe such steps are essential to prevent scams and ensure customer protection. MAS, through Ms. Loo, reaffirmed the significance of maintaining good cyber hygiene practices in conjunction with this latest initiative. Customers are urged to remain vigilant and safeguard their banking credentials at all times. MAS and ABS jointly urge customers who haven't activated their digital tokens to do so promptly. 

This action minimizes the vulnerability of their credentials to phishing attempts. By implementing this multifaceted approach, MAS and ABS aim to create a more secure digital banking environment for customers in Singapore.

Cybercriminals Target UPI Payments: How to Stay Safe

 



The Unified Payments Interface (UPI) has transformed the infrastructure of digital transactions in India, providing a fast, easy, and secure method for payments. However, its rapid adoption has also attracted the attention of cybercriminals. This article delves into the tactics used by fraudsters and the measures users can take to protect themselves.

Cybercriminals employ a variety of deceptive methods to exploit UPI users. Vishal Salvi, CEO of Quick Heal Technologies Ltd., explains that these criminals often impersonate familiar contacts or trusted services to trick users into making quick, unverified money transfers. One prevalent technique is phishing, where fraudsters send emails that appear to be from legitimate banks or UPI service providers, prompting users to reveal sensitive information.

Malware and spyware are also common tools in the cybercriminal's arsenal. These malicious programs can infiltrate devices to steal personal information, including UPI details, or even take control of the device to initiate unauthorised transactions. Social engineering tactics, where fraudsters pose as customer service representatives, are another method. They manipulate users into sharing confidential information by pretending to resolve a payment issue.

Protecting oneself from UPI payment fraud is crucial and can be achieved through vigilance and caution. Financial institutions have implemented multi-factor authentication (MFA) and financial literacy programs to enhance security, but users must also take proactive steps. It is essential never to share your UPI PIN or OTP with anyone. Always verify the authenticity of transactions and use official apps or websites. Ensuring a secure connection (https) before entering any information is another critical step. Regularly updating your app and enabling transaction alerts can help monitor for any suspicious activity.

In the event of a fraudulent transaction, immediate action is vital. The moment you suspect fraud, report the incident to your bank and the UPI platform. Blocking your account can prevent further unauthorised transactions. Filing a complaint with the bank's ombudsman, including all relevant details, and reporting the fraud to local cybercrime authorities are crucial steps. Quick and decisive actions can significantly increase the chances of recovering lost funds.

While UPI has revolutionised digital payments, users must remain vigilant against cyber threats. By following these safety measures and responding to any signs of fraud, users can enjoy the benefits of UPI while minimising the risks.


E-Challan Fraud, Man Loses Rs 50,000 Despite Not Sharing Bank OTP

 

In a cautionary tale from Thane, a 41-year-old man, M.R. Bhosale, found himself embroiled in a sophisticated online scam after his father fell victim to a deceptive text message. The incident sheds light on the dangers of trusting unknown sources and underscores the importance of vigilance in the digital age. 

Bhosale's father, a diligent auto-rickshaw driver in Ghatkopar, received a seemingly official text message from the Panvel Traffic Police, notifying him of a traffic violation challan against his vehicle. The message directed him to settle the fine through a designated app called Vahan Parivahan, with a provided download link. Unbeknownst to him, the message was a clever ruse orchestrated by scammers to dupe unsuspecting victims. 

When Bhosale's father encountered difficulties downloading the app, he sought his son's help. Little did they know, their attempt to rectify the situation would lead to financial loss and distress. Upon downloading the app on his device, Bhosale encountered a barrage of One-Time Passwords (OTPs), signalling a red flag. Sensing trouble, he promptly uninstalled the app. 

However, the damage had been done. A subsequent check of his bank statement revealed unauthorized transactions totalling Rs 50,000. With resolve, Bhosale wasted no time in reporting the incident to the authorities. A formal complaint was filed, detailing the deceptive mobile number, fraudulent link, and unauthorized transactions. 

In response, the police initiated an investigation, invoking sections 66C and 66D of the Information Technology Act to pursue the perpetrators and recover the stolen funds. This unfortunate ordeal serves as a stark reminder of the prevalence of online scams and the importance of exercising caution in the digital realm. To avoid falling victim to similar schemes, users must remain vigilant and skeptical of unsolicited messages or unfamiliar apps. 

Blind trust in unknown sources can lead to devastating consequences, as Bhosale's family discovered firsthand. Furthermore, it is essential to verify the authenticity of communications from purported official sources and refrain from sharing personal or financial information without thorough verification. 

In an era where online scams abound, skepticism and diligence are paramount. As the investigation unfolds, Bhosale's story serves as a cautionary tale for all internet users. By staying informed, exercising caution, and seeking assistance when in doubt, individuals can protect themselves from falling prey to online scams.

Paytm's Innovative ID-Based Checkout Solution

Paytm has made history by being the first payment gateway to provide retailers an alternative ID-based checkout solution. The way transactions are carried out in the world of digital payments is about to undergo a revolutionary change because of this ground-breaking innovation.

Traditional Internet transactions need a multi-step procedure that includes entering personal information, OTP verification, and payment confirmation. By enabling consumers to make payments using additional IDs like Aadhaar, PAN, or mobile numbers, Paytm's new system accelerates this procedure. This not only streamlines the checkout process but also improves security and lowers the possibility of mistakes.

The alternate ID-based checkout solution comes at a crucial time when the demand for seamless and secure online payments is higher than ever. With the surge in e-commerce activities, consumers seek faster and more convenient payment methods. Paytm's innovative approach addresses this need by eliminating the need for remembering complex passwords or digging through wallets for credit card information.

One of the major advantages of this system is its inclusivity. It caters to a wide range of users, including those who may need access to traditional banking services but possess valid alternate IDs. This democratization of online payments is a significant step towards financial inclusion.

Moreover, Paytm's solution is not limited to registered users. It includes a guest checkout option, allowing even first-time users to enjoy the benefits of this streamlined payment process. This opens up a whole new market of potential customers who may have been deterred by the complexity of conventional payment methods.

Security remains a paramount concern in the digital payment ecosystem, and Paytm has taken meticulous steps to ensure the safety of every transaction. The alternate ID-based system employs advanced encryption protocols and multi-factor authentication to safeguard sensitive information. This reassures both merchants and consumers that their data is protected.

Paytm's launch of the alternative ID-based checkout solution establishes a new benchmark for online payments as one of the fintech sector's innovators. The user experience is improved by this innovation, which also responds to the changing needs of a broad and expanding consumer base. Paytm is well-positioned to take the lead in determining the direction of future online transactions with its user-friendly approach and uncompromising dedication to security.

Fraudsters Target Kolkatans With Message-Forwarding Software

 


As online financial transactions have become simpler and easier to conduct, the number of fraudulent digital financial transactions has also increased. Fraudsters do not seem to have had any difficulty becoming more sophisticated. After phishing and lottery scams, cybercriminals have slowly begun using other platforms to dupe naive and gullible people, especially those inexperienced with financial transactions.

In another method, fraudsters send links via text message to the Kolkatans they are targeting. The messages notify recipients that a substantial amount has been credited to their gaming accounts.

The police said that if a recipient clicks on such a link to claim the money, the entire balance may be transferred from the victim's account to the fraudsters' account, without the victim even being asked to share an OTP.

The UPI platform is used for several types of fraud. None of these is a result of problems with UPI; they are a consequence of deception by criminals.

Analysts call it APK fraud, as victims are tricked into downloading APK files that compromise their phones. The download is triggered by clicking links sent by the fraudulent parties.

Downloading the APK file installs an SMS-forwarding application on the device, which diverts all incoming text messages to another number. The victim is therefore not alerted when money is debited from his or her account, because the SMS is forwarded elsewhere. According to an officer at the Lalbazar cyber cell, the victim does not receive an SMS alert.

This new method of gaining remote access to victims' phones has become a weapon of choice for fraudsters. According to the officer, the scammers' fake message claims that a large amount has been credited to the recipient's gaming account.

The Calcutta Telegraph reported that some Calcuttans who were contacted had received messages saying: "Hi 9830xxxxx9 (mobile number of the recipient), The transaction of Rs 96793 has been completed to your (the name of the online gaming app)."

According to the police, victims of fraud never realize how they were cheated because they had never given their personal identification number to anyone else before being duped. 

According to a senior police officer, unlike other fraud attacks that are sent from random phones and do not address the recipient directly, the messages sent as part of the APK scam target specific individuals and are customized to them. 

Text messages used to be sent at random, but that has changed. What makes these messages look authentic and trustworthy, the officer said, is that they include the phone number of the person to whom the message is addressed.

Immediately after clicking the link in the message, the recipient will see two attachments appear on his or her screen.

If the first attachment is clicked, a screen-sharing application is silently installed on the phone, giving the fraudsters direct access to it. The second attachment, if clicked, triggers the installation of an SMS-forwarding application on the phone, so that when fraudsters carry out transactions on the person's bank account, the person does not receive any text messages from their bank, the officer explained.

According to Assistant Commissioner Atul V., their top priority is creating awareness among their officers about the APK fraud, which has been a major problem for some time.

Moreover, a cyber expert said that the APK fraud is designed to make it difficult for the police to track down the fraudsters through the link in the message if a victim reports the matter to the authorities. This is because the link in the message is active only for a short period.

Several people have been scammed in this way through text messages carrying spurious links, which the sender asks them to click. If the link is clicked after a certain period, the browser is only redirected to a popular search engine. The links remain active for only a few hours, if that long, and after that even law-enforcement agencies have no way to track the APK files or the transactions that have taken place, a cyber expert in Kolkata explained.

OTPs: Researchers Rekindle One-Time Program Cryptographic Concept


Technological advances over the past decade have made it possible for academics to make progress in designing so-called OTP (one-time programs). OTPs were initially proposed by researchers Goldwasser, Kalai, and Rothblum. 

OTPs, originally presented at the Crypto’08 conference, were described as a type of cryptographically obfuscated computer program that can only be run once. This significant property makes them useful for numerous applications.

The basic concept is that "Alice" could send "Bob" a computer program that was encrypted in a way that: 

1. Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs. 

2. Bob can learn nothing about the secret program by running it. 

The run-only-once requirement runs into difficulty because it would be easy to install a run-once-only program on multiple virtual machines and try different inputs on each one of them. This would violate the entire premise of the technology.

The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob. No such tokens were ever made, so the whole idea has lain dormant for more than a decade.  

OTP revived: 

Recently, a team of computer scientists from Johns Hopkins University and NTT Research have established the basis of how it might be possible to create one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services. 

They have repurposed ‘counter lockbox’ technology, using it for a purpose it was not intended for. Counter lockboxes secure an encryption key under a user-specified password, allowing a limited number of incorrect password guesses (usually 10) before the protected information is erased.

The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to deceive the system – the focus of the research. 

Garbled circuits: 

The research shows how multiple counter lockboxes might be linked together to form ‘garbled circuits’, i.e. a construction that might be used to build OTPs.

A paper illustrating this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography Conference (TCC 2022). 

Hardware-route discounted: 

One alternative means of constructing one-time programs, considered in the research, is using tamper-proof hardware, although it would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Matthew Green, a professor at Johns Hopkins University and one of the co-authors of the paper.

“This would be costly and worse, [and] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” explains Green. 

Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome. 

A bastion against brute-force attacks: 

Harry Eldridge, from Johns Hopkins University, lead author of the paper, told The Daily Swig that one-time programs could have multiple uses. 

“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords […] For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.” Eldridge explained. “However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords [such as a four-digit PIN] can actually be pretty secure.”

Furthermore, this could as well be applied to other forms of authentication – for instance, if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan. 
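The counter lockbox behaviour described earlier and Eldridge's password example, modelled as an added Python example that is not code from the paper or its authors. `CounterLockbox`, `guess_offline`, `guess_lockbox`, `compare` and the sample PIN are hypothetical names and constructed values, and the guess counter here is ordinary program state, whereas a real lockbox relies on hardware to enforce it.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # kept low so the demo runs quickly; not a production setting


def derive(password: str, salt: bytes) -> bytes:
    """Derive a verifier from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class CounterLockbox:
    """Software model of a counter lockbox (hypothetical class).

    Assumption: in a real device the counter and the erase are enforced by
    tamper-resistant hardware; here they are plain Python attributes.
    """

    def __init__(self, password: str, secret: bytes, max_attempts: int = 10):
        self._salt = os.urandom(16)
        self._verifier = derive(password, self._salt)
        self._secret = secret
        self.remaining = max_attempts

    @property
    def erased(self) -> bool:
        return self._secret is None

    def open(self, guess: str):
        """Return the secret for a correct guess, otherwise None.
        Each wrong guess uses one attempt; at zero the secret is erased."""
        if self.erased:
            return None
        if hmac.compare_digest(derive(guess, self._salt), self._verifier):
            return self._secret
        self.remaining -= 1
        if self.remaining == 0:
            self._secret = None
            self._verifier = None
        return None


def guess_offline(salt: bytes, verifier: bytes, candidates):
    """Password-encrypted file model: whoever holds the blob can test
    guesses without limit. Returns (password or None, guesses tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(derive(guess, salt), verifier):
            return guess, tried
    return None, tried


def guess_lockbox(box: CounterLockbox, candidates):
    """Same search against a lockbox; stops once the box has erased itself.
    Returns (secret or None, guesses tried)."""
    tried = 0
    for guess in candidates:
        if box.erased:
            break
        tried += 1
        secret = box.open(guess)
        if secret is not None:
            return secret, tried
    return None, tried


ALL_PINS = [f"{n:04d}" for n in range(10_000)]  # full four-digit PIN space


def compare(pin: str = "0427", max_attempts: int = 10) -> dict:
    """Run the same in-order PIN search against both models (constructed data)."""
    secret = os.urandom(16)
    salt = os.urandom(16)
    offline = guess_offline(salt, derive(pin, salt), ALL_PINS)
    box = CounterLockbox(pin, secret, max_attempts)
    recovered, tried = guess_lockbox(box, ALL_PINS)
    return {
        "offline": offline,                       # PIN found, guesses needed
        "lockbox": (recovered is not None, tried),
        "erased": box.erased,
    }


if __name__ == "__main__":
    print(compare())
```

With a limit of one attempt, a single uniform guess at a four-digit PIN succeeds with probability 1/10,000, which is the sense in which the quote calls weak passwords "pretty secure" under a one-time program.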

‘Autonomous’ Ransomware Risk

One drawback of the approach is that threat actors might use the technique to develop ‘autonomous’ ransomware.

“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs, however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.” 

Nevertheless, the feedback on the work so far has been “generally positive”, according to Eldridge. “[Most agree] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high. There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”