Text
Implementasi sms-based one-time password stealing attack pada akun aplikasi android menggunakan Digispark Atitiny85
Abstrak:
One-Time Password (OTP) yang mendominasi bidang otentikasi pengguna selama dekade terakhir, merupakan musuh utama bagi setiap penyerang yang mencoba mengakses sensitif informasi. Pakar keamanan khawatir bahwa spoofing pesan SMS dan serangan man-in-the-middle (MITM) dapat digunakan untuk merusak sistem 2FA yang mengandalkan one-time password. Pencurian OTP dapat dilakukan dengan berbagai saluran serangan, salah satunya adalah akses fisik ke perangkat, yakni malware seluler yang mencuri pesan SMS OTP. Serangan telepon seluler dapat dilakukan juga melalui micro-USB dengan menggunakan tampilan antar muka yang umum pada port micro-USB pada telepon seluler. Tujuan dari penelitian ini adalah untuk mengimplementasikan serangan SMS-based OTP stealing attack pada aplikasi Android menggunakan Digispark Attiny85. Metode yang digunakan menggunakan Software Development Lifecycle dengan pendekatan extreme programming. Pada penelitian ini, penulis membuat dua buah skenario penyerangan untuk mencuri OTP berbasis SMS milik korban. Skenario live attack beroperasi dengan memanfaatkan injeksi langsung Digispark Attiny85 ke device korban, sedangkan skenario remote attack memanfaatkan malware yang diunduh melalui script yang diinjeksikan dari Digispark Attiny85. Pengujian menggunakan metode path testing untuk pengujian hardware dan scenario testing untuk pengujian software. Pengujian skenario diterapkan pada beberapa aplikasi antara lain aplikasi mobile banking, dompet digital, instant messaging, dan e-commerce. Hasil penelitian menunjukkan keberhasilan implementasi dari SMS-based OTP Stealing Attack berbasis SMS dalam mengambil OTP akun dari beberapa aplikasi Android korban terbukti dari hasil path testing dan scenario testing.
Abstract:
The dominant use of One-Time Passwords (OTPs) in user authentication over the past decade has made it a primary adversary for any attacker attempting to access sensitive information. Security experts are concerned that SMS message spoofing and man-in-the-middle (MITM) attacks can be employed to compromise Two-Factor Authentication (2FA) systems relying on one-time passwords. OTP theft can occur through various attack vectors, one of which involves physical access to the device, namely, mobile malware that steals OTP SMS messages. Mobile phone attacks can also be executed via a micro-USB interface by exploiting the common interface provided by the micro-USB port on mobile phones. The objective of this research is to implement an SMS-based OTP stealing attack on Android applications using Digispark Attiny85. The method employed follows the Software Development Lifecycle with an extreme programming approach. In this study, two attack scenarios were devised to steal OTPs sent via SMS from the victim's device. The live attack scenario operates by directly exploiting Digispark Attiny85 into the victim's device, while the remote attack scenario leverages malware downloaded through a script injected from Digispark Attiny85. Testing was conducted using path testing for hardware evaluation and scenario testing for software assessment. The scenarios were applied to various applications, including mobile banking, digital wallets, instant messaging, and e-commerce. The research results demonstrate the successful implementation of the SMS-based OTP Stealing Attack in acquiring OTPs from multiple Android applications, as evidenced by the path testing and scenario testing outcomes.
Availability
Detail Information
- Series Title
-
--
- Call Number
-
2023 ASE i
- Publisher
- Bogor : Politeknik Siber dan Sandi Negara., 2023
- Collation
-
xiii, 90 halaman
- Language
-
Indonesia
- ISBN/ISSN
-
--
- Classification
-
Rekayasa Keamanan Siber
- Content Type
-
-
- Media Type
-
-
- Carrier Type
-
-
- Edition
-
--
- Subject(s)
- Specific Detail Info
-
--
- Statement of Responsibility
-
Asep Setiawan
Other version/related
No other version available
File Attachment
Comments
You must be logged in to post a comment
Computer Science, Information & General Works 
Philosophy & Psychology 
Religion 
Social Sciences 
Language 
Pure Science 
Applied Sciences 
Art & Recreation 
Literature 
History & Geography