AirLift is a Pakistani decentralized urban mass transit startup backed by San Francisco-based First Round Capital, which is also an Uber investor; the company bills itself as the world's first decentralized mass transit system. Led by Huynh Chen and Sarmad Khan, PrivacySavvy's research team discovered a major security bug in its premium grocery service, Airlift Express. With hundreds of orders daily, Airlift Express is quickly becoming a widely used eCommerce service.
The company responded quickly to our report and fixed the OTP vulnerability alongside other security issues. Still, AirLift's eCommerce OTP vulnerability is a good reminder of why an OTP on its own, with no limit on how often it can be guessed, is insufficient to protect an account today.
Modern brute-force attackers are sophisticated, but the technology required to repel them is not. OTPs (one-time passwords) were introduced as a convenient means of identifying and authenticating users. That intention was undermined soon after their introduction, when attackers found ways around them, yet companies keep deploying OTPs without the safeguards they need.
According to the PrivacySavvy security lab, OTPs can no longer be considered secure on their own, given the heavy brute-force activity witnessed in recent times: a short numeric code is only as strong as the number of guesses the server is willing to accept.
OTPs sent via SMS were introduced to prevent replay attacks and add an extra layer of log-on security. The website sends a unique code to the user by text message, and the user enters that one-time code in the space provided along with a username and password. Once the OTP is verified, the user can authorize a transaction or access the site. While this sounds simple and secure in theory, reality is different, and that is precisely what this report is going to show.
How brute-force attack works
Brute-force attacks remain a nightmare for web developers; they are undoubtedly one of the most popular password-cracking methods known. Beyond cracking passwords, the same guessing technique is used to discover hidden pages and content in a web application. Unfortunately, thousands of internet users are exposed to brute-force attacks daily.
In a typical brute-force attack, the attacker submits one candidate after another, cycling through combinations of letters, digits and symbols until one is accepted: a 'try until you get it' approach. How long this takes depends on the size of the search space and on how many guesses per second the target accepts, from a few minutes for a short numeric code to hours or far longer for a long, random password.
AirLift Express's OTP and brute force
PrivacySavvy's researchers observed this with AirLift Express, an eCommerce platform where customers order medicines, groceries and other essential items.
The screenshot below shows a user who tried to access his account but forgot his password. In that case, AirLift Express advises the user to click "forgot password" and then enter the phone number or email address with which the account was opened.
AirLift Express then sends a unique OTP code, which the user enters in the box provided, as shown below.
This is where things get risky for users. An attacker can enter a legitimate mobile number (which is easy to obtain, for instance through social engineering) and brute-force the OTP by submitting one candidate code after another, because nothing limited the number of attempts. Our researchers did exactly that to demonstrate the vulnerability, as you can see in the screenshots below:
The attacker keeps trying combinations until one is accepted (our researchers got it right within 7 minutes in the case of Airlift Express). At that point the attacker completes the password reset, takes over the user's account and can perform all sorts of fraudulent acts.
PrivacySavvy's security team's close observation of events shows that several kinds of tools are employed in brute-force attacks, and it is worth distinguishing them. Online password-guessing tools such as THC Hydra and Ncrack submit guesses directly to a login form or network service, which is the category relevant to an OTP form. Offline crackers such as John the Ripper, Hashcat, RainbowCrack, L0phtCrack, Ophcrack and DaveGrohl work on password hashes that have already been stolen, and aircrack-ng targets Wi-Fi keys; none of these apply to guessing a code through a web form.
Why OTPs over text are vulnerable
To shed further light on the issue, our security team consulted a research paper published in 2013 by researchers at Northeastern University and Technische Universität Berlin, titled "SMS-Based One-Time Passwords: Attacks and Defense." The paper takes a comprehensive, in-depth look at the weaknesses of SMS OTP.
After analyzing the security model of OTP via text and studying the attacks seen in practice, the researchers concluded that OTPs via SMS are no longer secure for two significant reasons:
- OTPs via SMS rest on two foundations: the mobile device and the cellular network. When SMS OTP was introduced, both could be assumed to keep the code confidential; by 2013 that assumption no longer held, as both handsets and networks had been compromised repeatedly, exposing users to interception of their codes.
- Attackers have developed mobile trojans specifically to bypass OTP over SMS. The paper reports that these trojans take over the mobile device and read or forward the OTP messages; it was among the first studies to examine this class of attack systematically and, as its title says, it also proposes a defense, in the form of a dedicated channel on the handset that isolates OTP messages from other apps.
Beyond that paper, the weaknesses of OTP have become more widely known through recent security breaches. Seasoned security experts have therefore advised tighter controls and genuinely multi-factor authentication; unfortunately, many companies have ignored this call.
What’s the better alternative and solution to OTP vulnerabilities
Multi-factor authentication offers more security than a simple username and password combination because the user must present more than one kind of evidence: usually a) something they know, the username and password, and b) something they have, such as a mobile device; sometimes a third factor is required too.
Multi-factor authentication is not a new idea. ATMs have long required two factors: first a card (something you have), then a PIN (something you know). Many websites, including banks, are adopting OTP over SMS as their second factor.
However, many companies do not appreciate that multi-factor authentication comes in many forms, and not all of them are equally safe.
There are safer ways to implement multi-factor authentication than an OTP over SMS. One is verification with a physical token or an authenticator app, which generates the code on the device from a shared secret, so no code crosses the cellular network. Whatever the delivery channel, the server must still limit how many times a code can be tried.
Another way to secure users' accounts is to lock out further attempts after a given number of failures; the lockout can last for a set period. Better still is to invalidate the code itself after a handful of wrong guesses and require a fresh one, so that an attacker cannot use the lockout to deny the legitimate user access to their own account.
Furthermore, web developers, companies and institutions can protect their clients from brute-force attacks with a CAPTCHA on the OTP form, which slows automated guessing. Fortunately for users in Pakistan, Airlift has fixed this OTP brute-force vulnerability in its online grocery shopping service Airlift Express. Below is part of their final statement, sent to the PrivacySavvy research team by email, confirming the fix:
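To make the attack walkthrough above and the lockout advice concrete, here is an added example, written for this article and not Airlift's code: a simulated "forgot password" OTP store that accepts unlimited guesses, next to one that limits attempts, expires codes and burns a code after too many failures, with the same brute-force loop run against both. The 4-digit code length and the 25 guesses per second are assumptions chosen for the simulation (at that rate a 4-digit space takes under 7 minutes to exhaust; the article does not state the real code length or rate), and the class and function names are ours.

```python
import hmac
import secrets
import time

OTP_DIGITS = 4          # assumed for the simulation; the real length is not known
MAX_ATTEMPTS = 5        # wrong guesses tolerated per issued code
OTP_TTL_SECONDS = 300   # a code is only valid for five minutes
CODE_SPACE = 10 ** OTP_DIGITS


def random_code() -> str:
    # secrets, not random: an OTP must be unpredictable
    return f"{secrets.randbelow(CODE_SPACE):0{OTP_DIGITS}d}"


class VulnerableOtpStore:
    """The failure mode described above: any number of guesses, no expiry."""

    def __init__(self):
        self.codes = {}                      # phone -> code

    def send_code(self, phone: str) -> str:
        code = random_code()
        self.codes[phone] = code
        return code                          # delivered by SMS in reality; returned for the demo

    def verify(self, phone: str, guess: str) -> bool:
        return self.codes.get(phone) == guess


class HardenedOtpStore:
    """Limits guesses per code, expires codes, and burns the code (not the
    account) once the limit is hit. The clock is injectable so expiry can be
    exercised without waiting."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.codes = {}                      # phone -> [code, issued_at, failed_attempts]

    def send_code(self, phone: str) -> str:
        code = random_code()
        self.codes[phone] = [code, self.clock(), 0]
        return code

    def verify(self, phone: str, guess: str) -> bool:
        entry = self.codes.get(phone)
        if entry is None:
            return False                     # no live code for this number
        code, issued_at, failed = entry
        if self.clock() - issued_at > OTP_TTL_SECONDS:
            del self.codes[phone]            # expired: the user must request a new one
            return False
        if hmac.compare_digest(code, guess): # constant-time comparison
            del self.codes[phone]            # single use
            return True
        entry[2] = failed + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self.codes[phone]            # burn the code; a fresh one must be requested
        return False


def brute_force(store, phone: str, guesses_per_second: float = 25.0):
    """Submit every possible code in order. Returns (success, attempts, seconds),
    where seconds is the simulated wall-clock time at the assumed request rate."""
    for n in range(CODE_SPACE):
        if store.verify(phone, f"{n:0{OTP_DIGITS}d}"):
            return True, n + 1, (n + 1) / guesses_per_second
    return False, CODE_SPACE, CODE_SPACE / guesses_per_second


if __name__ == "__main__":
    phone = "+92 300 0000000"                # constructed sample number
    vuln = VulnerableOtpStore()
    vuln.send_code(phone)
    print("vulnerable:", brute_force(vuln, phone))   # always succeeds within 10000 guesses
    hard = HardenedOtpStore()
    hard.send_code(phone)
    print("hardened:  ", brute_force(hard, phone))   # fails: the code is burned after 5 misses
```

The hardened store deliberately invalidates the code rather than locking the account: an attacker who can trigger lockouts at will would otherwise be able to keep a victim out of their own account. In a real deployment you would add rate limiting per source IP and a CAPTCHA on top, since an attacker can request a new code and get another five guesses; with a 4-digit code that still leaves a chance of roughly 5 in 10,000 per reset, which is why a longer code and expiry matter as well.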
We have been moving very quickly in development and fixing. Multiple security patches have gone into production. The vulnerabilities shared by you are pushed to production. Thanks for this. You can share the report on this bug.
But as illustrated above, attackers can take over user accounts on any mobile or web app that relies on OTP authentication without additional rules such as attempt limits, code expiry and rate limiting.
About our Research Lab
At PrivacySavvy, we focus on contributing to a world with the fewest possible cyber threats. Our fast-growing research lab has top security researchers who are always on the lookout for ways users can guard themselves against ever-present cyber threats. Beyond individuals, we also focus on helping companies protect their users' data.