A one-time password (OTP) is an automatically generated sequence of characters that authenticates a user for a single transaction or login session. OTP is a widely popular security strategy, but does it provide true password safety?

This type of password security is certainly better than traditional, static passwords. But recently security analysts discovered that you can buy an OTP interception service at your local Dark Web store. So how can you effectively prevent unauthorized access? Exploring how threat actors steal one-time passwords gives us some answers.

What is OTP Password Security?

Originally, OTP methods used security tokens, such as smart cards or RFID-equipped key fobs that generate access codes. The code was set up to change every 30-60 seconds so that the OTP was never the same.

Recently, more common OTP methods use SMS or smartphone apps to send the password as part of two-step authentication. After logging in with a traditional username and password, the system relays a message to provide the access code. This can be implemented, for example, to verify banking transactions.

So even if your password gets cracked or stolen, the secondary authentication OTP keeps you safe, right? Not always.

SMS Bandits & OTP Agency – Two-Phase Deception

Recently, two criminal agencies were involved in schemes to steal one-time passwords and gain access to personal accounts.


In early 2021, U.K. police discovered a massive phishing service. This led to the arrest of a 20-year-old cyber criminal who called his service “SMS Bandits”. The service transmitted huge volumes of phishing scams affecting COVID-19 pandemic relief efforts, PayPal, telecom providers and tax agencies.

SMS Bandits offered an SMS phishing (a.k.a. “smishing”) service. It worked by sending out text messages that tricked people into giving up their account credentials. Once criminals obtained the credentials from SMS Bandits, it made OTP theft possible.


For $40 to $125 per week, OTP Agency offered a service designed to intercept one-time passwords. The theft sequence worked like this:

  1. Threat actor enters a stolen phone number and name into OTP Agency service.

  2. OTP Agency initiates an automated bot phone call to the target.

  3. The call falsely alerts the victim about unauthorized account activity.

  4. Bot prompts the target to enter an OTP generated by their phone’s mobile app.

Meanwhile, threat actors on the other end were busy logging into the victim’s account. Then they used the stolen credentials + OTP to gain unauthorized access. OTP Agency advertised their service offered unlimited international calling and multiple call scripts/voice accents to choose from.

According to one report, the OTP theft bots had an efficacy rate of about 80% once a target’s phone number was entered. “Success” depended on the victim answering the call and full user credentials being available (obtained from SMS Bandit type services).

Lessons Learned from Growing OTP Theft Threat

What explains the growth and success of these scams? It may be an overreliance on OTP security in the first place. On the company side, organizations place too much trust in this kind of password protection. On the user side, they believe that only the issuer of the OTP generating app would ask for a security token.

For cyber security training, the lesson here is to never, ever give up your credentials to anyone. If you get an unsolicited call, message or email, ignore it. Despite this advice, people still fall into the trap. When it comes to businesses, counting on people to do the right thing isn’t enough.

Identity Authentication Requires Management

Credentials are the digital keys to the kingdom, or to your company. Threat actors will continue to exploit weaknesses in this area, and it’s a huge priority for security teams. As threats continue to evolve in scale and sophistication, authentication of identity becomes the end-game of password security.

That’s why Identity and Access Management (IAM) is rapidly becoming a priority for security professionals. Given the cost and reputational damage of compromised credentials, solutions that authenticate with a high level of accuracy are imperative.

Despite the availability and benefits of holistic and AI-driven IAM programs, many organizations still have fragmented, stagnant and incomplete solutions. Threat actors know this and exploit the risk at astonishingly high rates of success. By 2023, Gartner predicts that 80% of organizations will fail to meet security, privacy, usability and scale requirements. That is if their IAM teams fail to deliver the right technical guidance to developers.

Four Pillars of IAM

IAM consists of the intentional design of intelligent, context-based and analytics-powered identity and access management. It’s based on four pillars of strength, which are:

  1. Access Management – Passwords are replaced or augmented with more effective and less cumbersome solutions that provide security and appropriate levels of access.

  2. Identity Governance – Ensures organizational compliance with regulations. IAM grants and revokes access to sensitive information as users change roles within or leave an organization.

  3. Privileged Access – Monitors how privileged users access restricted data. Behavioral and pattern analysis occurs in context to identify and mitigate potential risks.

  4. Consumer Identity – Consists of Consumer Identity & Access Management (CIAM) strategy to keep up with evolving privacy regulations and consumer expectations of a personalized experience.

IAM-based user authentication also evaluates user context, device, location and behavior patterns. If a threat actor has credentials and cracks the OTP, an IAM-driven “password security checker” of sorts can still screen out malicious behavior.

For example, if a criminal is trying to access your network from an unrecognized device or IP address, they would be denied, even if they have a stolen OTP. To help address the growing issues with password security, cybersecurity certifications will be increasingly based on IAM and related solutions in the future.

Is the Future Passwordless Security?

Some might be curious about “passwordless SSH,” where authentication is used between the client and server. When a passwordless mode is configured, a user on a given client-server can connect through SSH to a server without explicitly providing the password. The use cases here are limited, and remote work makes these kinds of solutions difficult to deploy.

For better or for worse, the future will likely move towards passwordless authentication. This could include methods using fingerprints, retinal scans, face or voice recognition and other biometric identifiers. However, widespread acceptance of these methods in business applications may take some time.

Meanwhile, IAM continues to provide the best identity and access management security available today.

More from Identity & Access

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…