If your bank calls you and asks for an OTP via text message, be suspicious

There is now a highly convincing scam going around. A lot of sceptical people are being caught off-guard.

It goes something like this: a bank, credit card company or your telecommunications provider may call you. The caller seems to know a lot about you (e.g. your name, address, phone number, date of birth, credit card number etc.). Sometimes, the caller may ask you to verify personal information that he already knows. So, naturally, you may let your guard down. Surely if he already knows so much about you, that call must be legitimate, right?

Then, to protect your security, he will need to ‘authenticate’ you. To do that, he will send you a text message with a one-time password (OTP). You need to read out the OTP to him.

Unfortunately, once you give your OTP to him, he will have enough information to hack you.

In one example, the hacker was already logged into the victim’s mobile phone account. Presumably, he already knew her password to do that. He could see all her personal information because he was logged in. That explains why he was able to ‘verify’ her personal information. But to change the password of her account, the mobile phone company sends an OTP to her mobile phone to authenticate her before the password change can take effect. So the hacker tricked his victim into believing that he was the one who sent her the OTP and asked her to divulge it. Once she did that, he was able to change her password and take over her account.

In another example, the caller claimed to be from the bank’s fraud department. He was able to show that he knew the last 4 digits of her credit card number, her address, her name, etc. The hacker claimed that there was a fraudulent transaction on her credit card account and that, to cancel that transaction, she needed to divulge an OTP that he would ‘send’ to her. What actually happened was that the hacker wanted to make a fraudulent purchase with her credit card. For high-risk purchases, credit card companies usually send a text message to the owner’s phone to authenticate the transaction. By divulging the OTP, the victim was enabling the hacker to authenticate that high-risk transaction.

Basic principle to understand to avoid becoming a victim

When you call the company, they need to authenticate you because they cannot tell whether the call is really made from your phone or from a hacker spoofing your phone number (see ‘Don’t be fooled! Apple didn’t call you’ for more information about phone number spoofing). Therefore, they will send you a text message with an OTP. If you know the OTP, you have proven that you are in possession of your phone. A hacker spoofing your phone number will not be able to receive that text message.

But when the company calls you, there is no point in authenticating you with an OTP sent to your phone. By answering your phone, you have already proven that you are in possession of your phone. Sending you an OTP via text messages will not prove what is already proven. Instead, when they call you, it is YOU who have to authenticate them. Not the other way round.

So, if you receive a call from your company, do not divulge any OTP sent to you, even if the caller seems to know a lot about you. If you feel uncomfortable, call the company with the official phone number on their website. Do not call the number that called you because you will be calling the hacker’s phone.
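The two examples above show that the OTP is issued for a specific high-risk action (a password change, a card transaction) that the hacker has already started. The following is an added example, not code from the original post: a provider-side OTP issuer that binds each code to the action it authorizes, names that action in the text message together with a ‘we will never call and ask for this code’ line, and refuses the code for any other action. The class and method names are invented for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # a code is only valid for a short window


class OtpIssuer:
    """Issues and verifies one-time codes bound to (phone, action)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, makes expiry testable
        self._pending = {}              # (phone, action) -> (code_hash, expiry)

    def issue(self, phone, action):
        """Generate a code for one action, e.g. 'password_change' or 'card_purchase'.

        Returns (code, sms_text). In a real deployment only sms_text leaves the
        server, via the SMS gateway; the code is returned here for the demo.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()   # never store the code itself
        self._pending[(phone, action)] = (digest, self._now() + OTP_TTL_SECONDS)
        sms_text = (
            f"Your code to authorize {action.replace('_', ' ')} is {code}. "
            "It expires in 2 minutes. We will never call you and ask for this code."
        )
        return code, sms_text

    def verify(self, phone, action, code):
        """Accept the code only for the phone+action it was issued for, once, before expiry."""
        entry = self._pending.get((phone, action))
        if entry is None:
            return False                # no code outstanding for this action
        digest, expiry = entry
        if self._now() > expiry:
            del self._pending[(phone, action)]
            return False                # expired codes are discarded
        ok = hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest())
        if ok:
            del self._pending[(phone, action)]   # single use
        return ok
```

Action binding does not by itself stop a victim from reading the code to a caller; its value is that the message tells the customer exactly what the code unlocks, which is the fact the scammer is trying to hide.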
