A one-time password (OTP) is an automatically generated sequence of characters that authenticates a user for a single transaction or login session. OTP is a widely popular security strategy, but does it provide true password safety?

This type of password security is certainly better than traditional, static passwords. But recently security analysts discovered that you can buy an OTP interception service at your local Dark Web store. So how can you effectively prevent unauthorized access? Exploring how threat actors steal one-time passwords gives us some answers.

What is OTP Password Security?

Originally, OTP methods used security tokens, such as smart cards or RFID-equipped key fobs that generate access codes. The code was set up to change every 30-60 seconds so that the OTP was never the same.

Recently, more common OTP methods use SMS or smartphone apps to send the password as part of two-step authentication. After logging in with a traditional username and password, the system relays a message to provide the access code. This can be implemented, for example, to verify banking transactions.

So even if your password gets cracked or stolen, the secondary authentication OTP keeps you safe, right? Not always.

SMS Bandits & OTP Agency – Two-Phase Deception

Recently, two criminal agencies were involved in schemes to steal one-time passwords and gain access to personal accounts.

PHASE 1

In early 2021, U.K. police discovered a massive phishing service. This led to the arrest of a 20-year-old cyber criminal who called his service “SMS Bandits”. The service transmitted huge volumes of phishing scams affecting COVID-19 pandemic relief efforts, PayPal, telecom providers and tax agencies.

SMS Bandits offered an SMS phishing (a.k.a. “smishing”) service. It worked by sending out text messages that tricked people into giving up their account credentials. Once criminals obtained the credentials from SMS Bandits, it made OTP theft possible.

PHASE 2

For $40 to $125 per week, OTP Agency offered a service designed to intercept one-time passwords. The theft sequence worked like this:

  1. Threat actor enters a stolen phone number and name into OTP Agency service.

  2. OTP Agency initiates an automated bot phone call to the target.

  3. The call falsely alerts the victim about unauthorized account activity.

  4. Bot prompts the target to enter an OTP generated by their phone’s mobile app.

Meanwhile, threat actors on the other end were busy logging into the victim’s account. Then they used the stolen credentials + OTP to gain unauthorized access. OTP Agency advertised their service offered unlimited international calling and multiple call scripts/voice accents to choose from.

According to one report, the OTP theft bots had an efficacy rate of about 80% once a target’s phone number was entered. “Success” depended on the victim answering the call and full user credentials being available (obtained from SMS Bandit type services).

Lessons Learned from Growing OTP Theft Threat

What explains the growth and success of these scams? It may be an overreliance on OTP security in the first place. On the company side, organizations place too much trust in this kind of password protection. On the user side, they believe that only the issuer of the OTP generating app would ask for a security token.

For cyber security training, the lesson here is to never, ever give up your credentials to anyone. If you get an unsolicited call, message or email, ignore it. Despite this advice, people still fall into the trap. When it comes to businesses, counting on people to do the right thing isn’t enough.

Identity Authentication Requires Management

Credentials are the digital keys to the kingdom, or to your company. Threat actors will continue to exploit weaknesses in this area, and it’s a huge priority for security teams. As threats continue to evolve in scale and sophistication, authentication of identity becomes the end-game of password security.

That’s why Identity and Access Management (IAM) is rapidly becoming a priority for security professionals. Given the cost and reputational damage of compromised credentials, solutions that authenticate with a high level of accuracy are imperative.

Despite the availability and benefits of holistic and AI-driven IAM programs, many organizations still have fragmented, stagnant and incomplete solutions. Threat actors know this and exploit the risk at astonishingly high rates of success. By 2023, Gartner predicts that 80% of organizations will fail to meet security, privacy, usability and scale requirements. That is if their IAM teams fail to deliver the right technical guidance to developers.

Four Pillars of IAM

IAM consists of the intentional design of intelligent, context-based and analytics-powered identity and access management. It’s based on four pillars of strength, which are:

  1. Access Management – Passwords are replaced or augmented with more effective and less cumbersome solutions that provide security and appropriate levels of access.

  2. Identity Governance – Ensures organizational compliance with regulations. IAM grants and revokes access to sensitive information as users change roles within or leave an organization.

  3. Privileged Access – Monitors how privileged users access restricted data. Behavioral and pattern analysis occurs in context to identify and mitigate potential risks.

  4. Consumer Identity – Consists of Consumer Identity & Access Management (CIAM) strategy to keep up with evolving privacy regulations and consumer expectations of a personalized experience.

IAM-based user authentication also evaluates user context, device, location and behavior patterns. If a threat actor has credentials and cracks the OTP, an IAM-driven “password security checker” of sorts can still screen out malicious behavior.

For example, if a criminal is trying to access your network from an unrecognized device or IP address, they would be denied, even if they have a stolen OTP. To help address the growing issues with password security, cybersecurity certifications will be increasingly based on IAM and related solutions in the future.

Is the Future Passwordless Security?

Some might be curious about “passwordless SSH,” where authentication is used between the client and server. When a passwordless mode is configured, a user on a given client-server can connect through SSH to a server without explicitly providing the password. The use cases here are limited, and remote work makes these kinds of solutions difficult to deploy.

For better or for worse, the future will likely move towards passwordless authentication. This could include methods using fingerprints, retinal scans, face or voice recognition and other biometric identifiers. However, widespread acceptance of these methods in business applications may take some time.

Meanwhile, IAM continues to provide the best identity and access management security available today.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today