Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report details how one-time password (OTP) bypass bots work, how they fit into existing fraud schemes, and the threats they pose to individuals and financial institutions. The report also includes a tutorial on how cybercriminals configure and use OTP bypass bots. The sources for this report include dark web forums, fraud-focused Telegram channels, and the Recorded Future Payment Fraud Intelligence module. The report is intended for fraud and cyber threat intelligence (CTI) teams at financial institutions and security researchers.
A one-time password (OTP) is a form of multi-factor authentication (MFA) that is often used to provide an additional layer of protection beyond basic passwords. OTPs are dynamic passwords that typically consist of 4 to 8 digits but may occasionally include letters. Many financial institutions and online services use OTPs to authenticate logins, confirm transactions, or verify user identity. OTP codes are most commonly delivered to the user via SMS, email, or a mobile authentication application such as Authy. Because OTPs protect victims’ accounts from unauthorized access or transactions, cybercriminals are constantly developing ways to bypass them.
Over the past year, threat actors have increasingly developed, advertised, and used bots to automate the theft of OTPs, making it easier and cheaper to bypass OTP protections at scale. Because these bots require little technical expertise and minimal language skills to operate, they also increase the number of threat actors capable of bypassing OTP protections. OTP bypass bots typically work by placing voice calls or sending SMS messages to targets, prompting them to enter an OTP, and, if successful, relaying the entered OTP back to the threat actor operating the bot.
Recorded Future analysts identified and tested an open-source OTP bypass bot named “SMSBypassBot” that was advertised on a fraud-focused Telegram channel and confirmed that it worked as advertised and was simple to configure and use.
Multi-factor authentication (MFA) provides an additional layer of security beyond just a static password, with Microsoft reporting that MFA can block over 99.9% of account compromise attacks. One-time passwords (OTPs) are a form of MFA that use an automatically generated string of characters (typically numeric values but occasionally alphanumeric) to authenticate a user.
Service providers, financial institutions, and merchants use OTPs for a variety of purposes including authenticating online account logins, money transfers, and 3DS-enabled payment card transactions. Increased adoption of OTPs over the past decade has caused threat actors to develop methods of bypassing OTPs to gain unauthorized access to online accounts and conduct fraudulent money transfers and transactions.