
Most banks use an OTP (One Time Password) to enrich authentication through a second factor.

But I have observed that banks send the OTP to mobile as well as to email.

I suppose sharing passwords over email is not secure and is not a practice recommended by Information Security experts.

Below is a sample email I receive with the OTP that is also sent to mobile:

[screenshot of the sample OTP email]

Is my OTP not secure due to this bank practice? Or am I missing something here?

Sayan
  • The main difference between an OTP and a 'traditional' password is the "one time". Once you use it, you can send it to anyone and everyone, it doesn't matter, it's worthless (unless the OTP generation algorithm is broken) – Sefa Oct 03 '18 at 11:10
  • Thanks, I understand the OTP; my question is regarding the security concerns over why banks are sending the OTP (in parallel to SMS delivery) to email. – Sayan Oct 03 '18 at 15:39

3 Answers

Multi-factor authentication (aka two-factor authentication) is more secure than simply using a long-lived password. The one-time password that sits in your email account will be useless if (1) you don't have the account password/secret key (or other factors required to login) or (2) the one-time password has been used once.

Yes, it is bad advice to send long-lived passwords via email or SMS (as email is often transferred between mail servers unencrypted and may be eavesdropped on -- say by malicious sysadmins -- and email is commonly stored on your desktop unencrypted). However, it is common practice to send one-time passwords that are useless on their own without other factors. In fact it's provably stronger than not requiring the other factors. There are potentially better ways to do multi-factor authentication than potentially insecure email (e.g., company-issued physical tokens, though it's probably not feasible for every bank to issue separate physical tokens to every customer and expect most customers to keep them secure and not lose them). Bottom line, requiring an extra factor to demonstrate the ability to read messages sent to your email address or phone number is stronger than not requiring it (though it would be a bad idea to allow someone with only access to your phone or email address to easily get full control of your bank account).

dr jimbob

Yeah, you are right, the delivery method is not secure. The OTP is excellent as an enforcer of a static password, like in TFA. And what worries me more is that there is no expiry time for that OTP... maybe you will not have full access to change or modify the personal settings. I think you need to investigate more about your bank's security.

user188040

Adding to @Sefa's comment:

An attacker would have to intercept the OTP when it's sent to you. Possibilities I can think of:

An attacker could use one of these methods while also having access to your bank account credentials.

OTP tokens are considered more secure if they are not sent to you but generated by a device in your possession (e.g. an authenticator app like Google Authenticator, or a FIDO U2F security key like a YubiKey).

CheddarLizzard