Just a few months ago, we wrote an article about the dangers of using SMS (text) to support multi-factor authentication (MFA), called Breaking the SMS Habit. SMS verification is one form of OTP (One-Time Password) delivery: a code is sent by text message and the user types that code in as the second factor.
After hearing more stories and reading the latest security blogs, the message to move away from SMS is worth repeating for Financial Institutions (FIs) and their customers. Many FIs are currently expanding their use of MFA for a variety of reasons, so when you undertake those projects, please heed our call and disable SMS as a verification option. Here’s why:
A cybersecurity intelligence firm, Intel 471, noted: “Over the past few months, we’ve seen actors provide access to services that call victims, appear as a legitimate call from a specific bank and deceive victims into typing an OTP or other verification code into a mobile phone in order to capture and deliver the codes to the operator. Some services also target other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities.”
Intel 471 described another OTP bot: “The bot provides options to disguise a call to make it appear as a legitimate contact from a specific bank while letting the attackers choose to dial from any phone number. From there, an attacker could follow a script to trick a victim into providing sensitive details such as an ATM personal identification number (PIN), card verification value (CVV), and OTP, which could then be sent to an individual’s Telegram account. The bot, which was used by attackers targeting Canadian victims, gives users the chance to launch attacks in French and English.”
I’m not saying the other MFA verification technologies won’t eventually be targeted the way SMS is today. We all know scammers go after the weakest link until that tactic is no longer fruitful enough to be worth their time and effort. Note that the bots above work because a text-message code is something the victim can simply read out and the attacker can relay; any factor that can be recited over the phone shares that weakness, while authenticators that bind the login to the genuine site (such as FIDO2 security keys) leave nothing for a victim to hand over. Until then, we can do our part by moving to verification methods such as application notifications or other forms of MFA, and by educating our users and customers to protect their personal and professional lives.
If you are looking for help with your security program, we would love to help you! Contact support@bedelsecurity.com for more information.