Jun 21, 2015

Experimental Study of DIGIPASS GO3 and the Security of Authentication

arXiv:1506.06332v1
AI Analysis

The paper exposes a weakness in a hardware-token authentication system of the kind used by banks and companies; under the authors' assumptions, an organisation with $10^4$ customers could see more than $100$ accounts compromised per year.

The study analysed the $6$-digit one-time passwords produced by DIGIPASS GO3 and reconstructed the token's synchronisation mechanism, OTP-generating algorithm and verification protocol, finding the OTPs more predictable than expected: the described forgery attack succeeds with probability $8^{-5}$, much higher than the $10^{-6}$ one would expect if all six digits were independent and uniformly distributed.

Based on the analysis of $6$-digit one-time passwords (OTP) generated by DIGIPASS GO3 we were able to reconstruct the synchronisation system of the token, the OTP generating algorithm and the verification protocol in the details essential for an attack. The OTPs are more predictable than expected. A forgery attack is described. We argue the attack success probability is $8^{-5}$. That is much higher than $10^{-6}$, which may be expected if all the digits are independent and uniformly distributed. Under natural assumptions, even in a relatively small bank or company with $10^4$ customers the number of compromised accounts during a year may be more than $100$.
