One-Time Password Intercept Bots and the MFA Solution
Have you ever logged in to your bank account and had the bank send you a one-time password (OTP) by text message? Sending OTPs has been a common path for many institutions to get one step closer to multi-factor authentication (MFA). Some OTP implementations send a notice along with the code that says something similar to
“American Express will never call you for this code.”
This message isn’t about your bank being paranoid. It is a response to a recent rise in OTP interception bots sold as a cybercrime service. The bots are effective and easy to use: Intel471, a cybercrime intelligence group, reports that their users claim an efficacy rate of about 80%. The web-based bots are designed to trick victims into revealing an OTP sent via SMS, or even one generated by an authenticator app such as Authy or Google Authenticator. The bot operator only needs to enter the victim’s phone number and name; the bot takes care of the rest, placing an automated phone call and extracting the code. The call generally claims to alert the victim to unauthorized activity on their account and asks them to read back the OTP in order to be “authorized.” The code the victim reads out is a genuine one, triggered when the attacker attempts to log in with the victim’s already-stolen credentials. The OTP is relayed back to the attacker, who completes the login and gains the account access needed to continue the crime.
A new bot called “SMSRanger” is very easy to use and one of the more popular bots available. As Intel471 reports:
“Those who pay for access can use the bot by entering commands similar to how bots are used on popular workforce collaboration tool Slack. A simple slash command allows a user to enable various ‘modes’ — scripts aimed at various services — that can target specific banks, as well as PayPal, Apple Pay, Google Pay, or a wireless carrier.
Once a target’s phone number has been entered, the bot does the rest of the work, ultimately granting access to whatever account has been targeted. Users claim that SMSRanger has an efficacy rate of about 80% if the victim answered the call and the full information (fullz) the user provided was accurate and updated.”
Services such as SMSRanger are becoming more common and popular simply because they work. Alongside OTP intercept bots, mobile phone SIM swapping and port-out fraud, both of which let an attacker receive the victim’s calls and texts, are on the rise. In a notice issued September 30, the FCC proposed new rules that would require mobile carriers to apply stronger verification before allowing a number to be ported, but until such rules take effect the potential for fraud remains.
Overall, an SMS OTP on its own is an incomplete MFA. True MFA requires at least two factors, taken from different categories in the following list:
- Something you have (a mobile device or hardware token)
- Something you know (a password or PIN)
- Something you are (biometrics)
An SMS OTP assumes that you have your phone and that you don’t share the code, but a mobile number can be spoofed or reassigned through a SIM swap, so possession of the number is not possession of the device. MFA implementations such as WatchGuard’s AuthPoint bind the second factor to the enrolled device itself, requiring a unique device key together with a mobile DNA identifier, so a code cannot be produced from a cloned number or a different handset. AuthPoint also uses an internal clock so that authentication requests and codes expire after a short interval. Note the limit of this: device binding closes the SIM-swap and port-out path, but a code a user reads aloud to a caller is still a valid code for the remaining seconds of its window, so the rule in the bank’s warning, never give a code to anyone who calls, still matters. AuthPoint can be fully managed in WatchGuard Cloud, whose interface lets you view AuthPoint reports and alerts, configure services, and manage tokens from one location. Contact us to learn more about AuthPoint MFA and further securing your users.