Research (Insikt)

Bots for Stealing One-Time Passwords Simplify Fraud Schemes

Posted: 26th July 2022
By: Insikt Group

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report details how one-time password (OTP) bypass bots work, how they fit into existing fraud schemes, and the threats they pose to individuals and financial institutions. The report also includes a tutorial on how cybercriminals configure and use OTP bypass bots. The sources for this report include dark web forums, fraud-focused Telegram channels, and the Recorded Future Payment Fraud Intelligence module. The report is intended for fraud and cyber threat intelligence (CTI) teams at financial institutions and security researchers.

Executive Summary

A one-time password (OTP) is a form of multi-factor authentication (MFA) that is often used to provide an additional layer of protection beyond basic passwords. OTPs are dynamic passwords that typically consist of 4 to 8 numbers but may also occasionally include letters. Many financial institutions and online services use this tool to authenticate logins, confirm transactions, or identify users. The main ways to deliver an OTP code to a user are via SMS, email, or a mobile authentication application such as Authy. Since OTPs protect victims’ accounts from unauthorized access or transactions, cybercriminals are constantly developing various ways to bypass and overcome them.

Over the past year, threat actors have increasingly developed, advertised, and used bots to automate the theft of OTPs, making it easier and cheaper for threat actors to bypass OTP protections at scale. Because these bots require little technical expertise and minimal language skills to operate, they also increase the number of threat actors capable of bypassing OTP protections. OTP bypass bots typically function by distributing voice calls or SMS messages to targets, requesting that the targets input an OTP, and, if successful, sending the inputted OTP back to the threat actor operating the bot.

Recorded Future analysts identified and tested an open-source OTP bypass bot named “SMSBypassBot” that was advertised on a fraud-focused Telegram channel and confirmed that it worked as advertised and was simple to configure and use.

Key Findings

  • The increased use of OTPs by a variety of legitimate services (particularly for authenticating online account logins, money transfers, and 3-Domain Secure-enabled [3DS] purchases) creates parallel cybercriminal demand for methods of obtaining and bypassing OTPs.
  • Dark web forum activity related to OTP bypassing (measured by volume of posts and views of posts related to the topic) rose sharply in 2020 and has remained high since.
  • Traditional methods of OTP bypassing (performing SIM card swaps, brute-forcing, abusing poorly configured authentication systems, and manual social engineering) have become time-consuming and more technically challenging.
  • OTP bypass bots combine social engineering and voice phishing (vishing) techniques with simple-to-use interfaces to provide a partially automated, affordable, and scalable method of obtaining victims’ OTPs.

Background

Multi-factor authentication (MFA) provides an additional layer of security beyond just a static password, with Microsoft reporting that MFA can block over 99.9% of account compromise attacks. One-time passwords (OTPs) are a form of MFA that use an automatically generated string of characters (typically numeric values but occasionally alphanumeric) to authenticate a user.

Service providers, financial institutions, and merchants use OTPs for a variety of purposes including authenticating online account logins, money transfers, and 3DS-enabled payment card transactions. Increased adoption of OTPs over the past decade has caused threat actors to develop methods of bypassing OTPs to gain unauthorized access to online accounts and conduct fraudulent money transfers and transactions.
