
ONE-TIME PASSWORD (OTP) FRAUD

Fraud can be carried out through almost any channel, and one of the more common forms today involves the One-Time Password or PIN, also known as an OTP. An OTP is a password that is valid for only one login session or transaction on a computer system or other digital device. Traditional (static) password-based authentication suffers from a variety of flaws that OTPs avoid. Many systems use OTPs as part of two-factor authentication, requiring both something a person owns (such as a small keyring fob with a built-in OTP calculator like a bank token key, a smartcard, or a specific smartphone) and something a person knows (such as a PIN).

METHODS THROUGH WHICH OTP FRAUD OCCURS

As online transactions have become easier, the number of digital financial frauds has grown with them. Fraudsters are becoming more inventive in their tactics for defrauding individuals. After phishing and lottery scams, fraudsters are now focusing on various platforms, including OTP fraud schemes, to deceive the unwary and naïve, particularly those who are unfamiliar with financial transactions. Some of the methods through which OTP fraud occurs include:

  1. Tax Fraud- This type of deception targets taxpayers, who are asked to respond to fraudsters’ SMS and WhatsApp messages requesting sensitive account information, including OTPs, in order to receive a large tax refund.
  2. Credit Card Reward Fraud- Since banks started offering credit cards to their customers, fraudsters have taken advantage of the fact that many people are unaware of how credit card incentives work. They offer to help redeem reward points, and they often try to create a sense of urgency by claiming that the offer or the points will expire soon. This generates panic among cardholders and leads them to share their card information and OTP with scammers.
  3. Payment Gateway/Digital Wallet- The fraudster calls a person and pretends to be interested in purchasing goods or services. They agree to pay a specified amount as confirmation, then ask for payment gateway or digital wallet information, and finally the OTP. Once a fraudster has gained access, they can carry out a series of transactions to drain your funds.
  4. Unverified Mobile Apps- When you download an unknown or unverified mobile app, fraudsters can gain access to your device. Links to these applications are commonly shared via SMS, social media, instant messengers, and other channels. The links carry legitimate-looking names, but in reality they may redirect you to download an unknown or remote-access application. Once the malicious app has been installed, the fraudster has complete access to your device and can steal your data at will.

LIMITATIONS OF OTPs

The One-Time Password (OTP) has become one of the most widely used second-factor authentication methods, both for digital transactions and for logging into most online accounts. As a result, it is no surprise that the majority of account compromises occur when scammers obtain your OTP. An OTP should never be shared with a third party. In today’s interconnected world a single OTP can unlock your entire digital life through SSO (Single Sign-On), so an OTP falling into the hands of a fraudster can have far more serious effects than the loss of the transacted account alone. OTPs come in various formats, such as software-based tokens, hardware tokens, SMS-based tokens, and hardened browsers. Despite their benefits, these formats come with various limitations. The limitations include:

  1. Real-Time Replay and Social Engineering Attacks- Most OTP systems are vulnerable to social engineering and real-time replay threats. Man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks are also possible against OTPs. An MITM attack is a type of real-time replay attack: malware in the browser steals the user’s credentials, sends them to the attacker, and at the same time blocks the user’s request. The user is shown a failure in the form of an error message. With the same credentials, the attacker can execute an immediate replay. The validity of these tokens is normally within the designated one-minute range.
  2. Delay in Delivery- SMS services are plagued by message delivery delays. An SMS OTP passes through many carriers after it is sent, which makes it vulnerable to network congestion-related delays. OTP delays can cause session timeouts, since 2FA OTPs are time sensitive (usually three to five minutes). SMS-based OTPs are similarly affected by operator service failures and gateway downtime.
  3. Unavailability of Service- Because SMS-based 2FA OTPs are delivered over the air, users outside network coverage may experience difficulties. Incoming SMS messages may be restricted when users travel abroad or have their devices on roaming.
  4. Unavailability of Device- Software-based 2FA, such as Google Authenticator, is a device-based OTP solution that works similarly to its desktop equivalent. Such OTP approaches are vulnerable to seed leakage, since mobile platforms are regularly exploited (like their hardware counterparts). In most cases, hardware that complies with the vendor’s guidelines is necessary, and the person is tethered to a device. This affects user access while on the road; if the device is lost, or if several devices are used to access the account, the OTP function can become a major limitation.
See also: Trust Us, One-Time Passwords Can't Be Trusted (Secure-D Lab)
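The replay and delivery-delay limitations above are easier to reason about with a concrete server-side verifier. The following is an added example written for this page; it is not code from the original article or from Secure-D Lab. It computes codes with the HMAC-based HOTP truncation (RFC 4226) over a one-minute time step, as stated above, accepts one step of skew for clock drift, records every accepted code so that a captured code presented a second time is refused, and binds the code to the transaction amount and payee so that a code captured for one payment does not verify for another. The secret, timestamps, amounts and payee names are constructed for the demonstration, and binding the code to the transaction details is this example's own design choice rather than something the article describes.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # one-minute validity step, as described in the list above
SKEW_STEPS = 1         # accept one step either side for clock drift and delivery delay
DIGITS = 6
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"   # constructed, not a real key


def hotp(secret: bytes, message: bytes) -> str:
    """RFC 4226 HMAC-SHA1 plus dynamic truncation to a 6-digit code."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def transaction_otp(secret: bytes, step: int, amount_cents: int, payee: str) -> str:
    """OTP for one time step, bound to amount and payee (this binding is the
    example's own design choice; plain TOTP hashes only the step counter)."""
    message = struct.pack(">Q", step) + f"|{amount_cents}|{payee}".encode()
    return hotp(secret, message)


class OtpVerifier:
    """Server side: checks the time window, refuses reuse, enforces binding."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.consumed = set()   # (step, amount, payee) tuples already accepted

    def verify(self, code: str, amount_cents: int, payee: str, now: int) -> str:
        current = now // STEP_SECONDS
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            expected = transaction_otp(self.secret, step, amount_cents, payee)
            if hmac.compare_digest(expected, code):
                key = (step, amount_cents, payee)
                if key in self.consumed:
                    return "replayed"     # the same code was already used once
                self.consumed.add(key)
                return "accepted"
        return "rejected"                 # expired, wrong transaction, or wrong code


def demo() -> dict:
    """Walk through the scenarios from the list above with constructed values."""
    t0 = 1_699_999_980                    # constructed timestamp on a step boundary
    server = OtpVerifier(DEMO_SECRET)
    code = transaction_otp(DEMO_SECRET, t0 // STEP_SECONDS, 5_000, "shop-a")
    return {
        # legitimate use a few seconds after the code was issued
        "first_use": server.verify(code, 5_000, "shop-a", t0 + 10),
        # the same captured code presented again moments later (the MITB scenario)
        "replay": server.verify(code, 5_000, "shop-a", t0 + 20),
        # captured code applied to a different amount: the binding makes it fail
        "other_amount": server.verify(code, 99_000, "shop-a", t0 + 10),
        # code that arrives five minutes late, e.g. a delayed SMS, on a fresh verifier
        "late_delivery": OtpVerifier(DEMO_SECRET).verify(
            code, 5_000, "shop-a", t0 + 5 * STEP_SECONDS),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:14s} -> {outcome}")
```

Run the file directly to see the four outcomes. The consumed-code set is what makes the password genuinely "one-time": without it, a verifier that only checks the time window accepts a stolen code for the full minute, which is the real-time replay problem described above.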

PREVENTION OF OTP FRAUD

  1. Do not disclose sensitive information such as your OTP, PIN, or CVV over the phone, not even to trusted authorities or institutions, as legitimate institutions never ask for such details over the phone or online.
  2. If someone you barely know offers to install screen-sharing software or apps on your device, be very wary.
  3. Be extremely cautious with links embedded in an email or SMS, especially when they ask for financial information. Without you realizing it, clicking these links can compromise both your phone and the OTP. Some apps may even launch phony transactions to trick you into handing over your personal information.
  4. While making a payment and entering an OTP, double-check the amount that will be charged and the name of the merchant receiving the money. If the source does not appear to be reputable or genuine, or if the amount is different, cancel the transaction immediately.
  5. Be wary when asked to scan a QR code to receive money. It is almost certainly a fraud if a buyer asks you to scan something.
  6. Avoid conducting sensitive or banking (net banking) transactions from unsecured or public devices and networks.
  7. On public devices, always use a virtual keyboard, because keystrokes can be collected by keylogger software on compromised systems.
  8. Filling out Google Forms offered by potential buyers or sellers is not a good idea and should be avoided, especially when the form asks for sensitive information such as email addresses linked to bank accounts.
  9. Use only trusted apps on your devices, especially those linked to your financial accounts.
  10. Contact your bank’s helpline only through its verified official number.
  11. Read a new application’s policies carefully before you proceed or agree.
  12. Do not give strangers copies of your cheque book or other KYC documents (unless you can verify their identity and KYC is genuinely required).

In conclusion, OTPs serve as a means of mitigating fraud, but if handled carelessly they can become a means of defrauding the very person they protect. Proper caution should therefore be taken at all times to avoid OTP fraud, and suspicious incidents should be reported to the relevant authorities immediately.
