One-Time Password Intercept Bots and the MFA Solution

Posted October 12, 2021

Have you ever tried to log in to your bank account and the bank sends you a one-time password (OTP) via text message to your phone? Implementation of OTPs has been a common path for many institutions to get one step closer to multi-factor authentication (MFA). Some OTP implementations will send a notice along with the OTP code that says something similar to

“American Express will never call you for this code.”

This message isn’t about your bank being paranoid. It is in response to a recent rise in OTP interception bots as a cybercrime service. The bots are so effective and easy to use that Intel471, a cybercrime intelligence group, reports they have an 80% efficacy rate. The web-based bots are designed to trick users into revealing the OTP sent via SMS or even from popular authenticator apps like Authy and Google Authenticator. Users of the bots only need to enter a user’s phone number and name and the bot takes care of the rest initiating a phone call and extracting the OTP. The phone calls generally pretend to alert the user about unauthorized activity on their account and ask the user to reveal the OTP in order to be “authorized.” The OTP is then relayed back to the bad guy, and they gain the account access they need to continue their crime.

A new bot called “SMSRanger” is very easy to use and one of the more popular bots available. As Intel471 reports:

“Those who pay for access can use the bot by entering commands similar to how bots are used on popular workforce collaboration tool Slack. A simple slash command allows a user to enable various ‘modes’ — scripts aimed as various services — that can target specific banks, as well as PayPal, Apple Pay, Google Pay, or a wireless carrier.

Once a target’s phone number has been entered, the bot does the rest of the work, ultimately granting access to whatever account has been targeted. Users claim that SMSRanger has an efficacy rate of about 80% if the victim answered the call and the full information (fullz) the user provided was accurate and updated.”

Services such as SMSRanger are becoming more common and very popular because they simply work. In addition to OTP intercept bots, mobile phone SIM swapping and port-out fraud (which allows your calls and texts to be intercepted) are on the rise. In a note issued September 30, the FCC has proposed new rules for mobile carriers to require more secure measures before allowing numbers to be ported but until then, the potential for fraud remains.

Overall, OTP implementations are an incomplete MFA. A true MFA should require at least two identifiers from the following:

Something you have (mobile devices)
Something you know (passwords)
Something you are (biometrics)

The OTP via SMS assumes you have your phone, and you don’t share the code but we know mobile numbers can be spoofed and SIMs swapped. MFA implementations such as WatchGuard’s AuthPoint require a unique device key along with a mobile DNA identifier which eliminates the chance of spoofing. AuthPoint also uses an internal clock causing requests to expire. AuthPoint can also be fully managed in WatchGuard Cloud. The user interface allows you to view AuthPoint reports and alerts, configure services, and manage tokens all from one location. Contact us to learn more about AuthPoint MFA and further securing your users.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.