There has been a lot of talk in recent days about financial frauds that misuse OTPs (One-Time Passwords), the passwords that can be used only once, which banks and other financial institutions generate and issue to increase the security of online payments. Before we examine how this is done and what the public must do to avoid it, let us look at what is happening in practice.
One day, while on his way to the office, Mr. Perera received a text message (SMS) that appeared to be from his bank. It said that the bank had detected a suspicious attempt to access his bank account. It also gave a phone number for the bank’s customer service department, to be called immediately to secure the account if the access had not been made by him.
Seeing this, Mr. Perera was very upset, because he remembered that the money received from the sale of a piece of land was also in that bank account. He was certain that he had not accessed his bank account online recently, as far as he could remember. He felt that someone was trying to withdraw money from his account. Without thinking twice, Mr. Perera called the phone number in the message. The woman on the other end very professionally and calmly introduced herself as a customer service representative of Mr. Perera’s bank and assured him that they could help to secure his account.
Suspicious activity
She asked Mr. Perera whether he had sent money from his account to some other bank accounts that day. He said he had not. “Thank you for the confirmation. Don’t worry, we’ll help you secure your account. To stop unauthorised access, we need to verify your identity. I will send a one-time password (OTP) to your phone.
Please read the code back to me so that I can block any suspicious activity,” she said. A few seconds later, Mr. Perera received an OTP code from his bank. Having confirmed that it came from his own bank, Mr. Perera did not think twice and gave her the code. “Thank you. We are now working to secure your account. Please wait a moment.” After about a minute she told him that his account was now secure and ended the call.
Relieved, Mr. Perera hung up, went on to the office and checked his online banking to make sure everything was fine. All the money in his account was gone. Worried, Mr. Perera called his bank’s real customer service and learned that a large transfer had been made a few minutes earlier. By the time he realised that the entire call was a scam, it was too late: the fraudster had withdrawn the money from his account using the OTP code he had willingly provided. He called the number in the text message again, but it had already been disabled.
What happened here? What Mr. Perera did not know was that at that very moment the fraudster was logged in to his real bank account. To do that, the fraudster used his username and password, which had been stolen from him earlier through a fake bank login link, that is, a phishing attack. However, the scammer still needed the OTP code to transfer money out of the account, and since that code is sent to the account owner’s phone, the fraudster used the strategy above to get it. What you must remember is that your bank’s representatives will never ask you for such OTP codes for any reason.
An OTP (One-Time Password) is a temporary, unique code used for authentication. It serves as an extra layer of security when making sensitive transactions or accessing accounts. Unlike traditional static passwords, an OTP is valid for only one session or transaction, which reduces its exposure to common threats such as password theft. An OTP can be used only once, expires after use or shortly after it is issued, and is generated in real time. Because of these properties, transactions using OTPs are generally considered more secure, and it is the user’s responsibility to keep the code safe.
Different organisations use different methods to deliver OTP codes to their clients. It is most often delivered via a text message (SMS). It may also be delivered by e-mail or through a mobile authenticator app (e.g. Google Authenticator). Some organisations provide a small device (hardware token) that generates OTP codes. Whichever way you receive it, if you don’t take care of it, you will be opening the way for scammers to get your money.
In the example above, the fraud was carried out with a text message followed by a phone call, but that is not the only way this kind of fraud is done. Scammers can also obtain your username, password and OTP codes by sending you, via text message or e-mail, a link to a fake website that imitates your financial institution’s site. So always make sure that you are visiting your bank’s real website.
Social media
In a recent OTP fraud, it was revealed that fraudsters published a post on social media such as Facebook advertising gifts exclusively for the clients of a particular bank. To receive the gift, account holders of that bank had to fill in a form linked in the post and register. They were then told that an OTP code they received would be used to verify their registration, and were instructed to send it back. After people submitted their details together with the OTP code, their bank accounts were emptied. The Cyber Crime Division of the Criminal Investigation Department is currently investigating this matter.
How did they do this? One possibility is the following. The fraudsters identify the client’s account at the respective bank from details such as the name and ID number obtained through the form. Account details and the internet banking username and password are not collected by that form, so the fraudsters must already have obtained them some other way. It is also possible that they obtained them by compromising the bank’s internet banking system.
After the account holder fills in the form and sends it, the fraudster identifies the person, logs in to the account with the username and password they already have, and goes through the steps to transfer money to another account, obtaining the OTP code from the account holder himself. The OTP code the account holder receives to “confirm his registration” is not sent by the fraudster at all; it is the OTP the bank actually sent to authorise the transfer to another account that the fraudster requested.
An account holder who does not read the details in the text message that comes with the bank’s OTP code assumes that it is the registration confirmation code mentioned in the post. Once he hands it to the fraudster, the fraudster transfers the money from his account to another account.
You should also be very careful when using your credit or debit card. If your debit/credit card is handed to an external party for a payment, they should carry out the transaction in your presence. This rarely happens in our country, and people are not concerned about it. For example, at a fuel station you hand your card to the pump attendant while sitting in the vehicle, and in a hotel a waiter is allowed to carry the card away to pay the bill. Did you know that fraudsters pay such outsiders to collect your card data for financial frauds? For this they provide a very small device called a card skimmer that steals the card data; it can copy the required data in a few seconds.
Fraudsters use stolen card details to make online transactions and will use various tricks to get the OTP code you receive. Moreover, most card transactions can be completed with only the card number and CVV, so it is your responsibility to keep your card data secure.
Online transaction
When making an online transaction, the text message you receive with the OTP code will usually state the amount of your transaction. Most people pay no attention to this and only read and enter the OTP code. Always check that the amount of the transaction you are making is the same as the amount in the text message. If it is a different amount, you are most likely the target of a fraud.
In such cases, inform the bank concerned without entering the OTP code. Likewise, if you receive several text messages containing OTP codes in a very short period, without having requested them, just as you are about to make a transaction, inform the bank without entering those codes. These messages may carry various transaction amounts that have nothing to do with your transaction, which is suspicious.
Most transactions using an OTP are recognised by the banks’ information systems as strongly authenticated transactions, so responsibility for the transaction lies with the client. Financial institutions do not accept liability for such transactions, and they will not reimburse money lost to OTP scams.
However, if such a fraud occurs, it is your duty to notify the relevant financial institution. Also, by lodging a complaint with the Cyber Crime Division of the Criminal Investigation Department, further investigation and legal action can be initiated.
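The two checks described above, as an added example that is not part of the article: a small Python script that parses constructed bank OTP messages (the wording, the LKR amounts and the account numbers are hypothetical), flags a code whose stated amount does not match the transaction the user is actually making, and flags a burst of unrequested OTPs arriving within a short window.

```python
import re

# Hypothetical bank SMS wording, constructed for this example; real banks differ.
CODE_RE = re.compile(r"\bOTP\D{0,20}?(\d{4,8})\b", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\b(?:LKR|Rs\.?)\s*([\d,]+(?:\.\d{1,2})?)", re.IGNORECASE)

def parse_otp_sms(text):
    """Return {'code', 'amount'} from a bank OTP message, or None if unrecognised."""
    code = CODE_RE.search(text)
    amount = AMOUNT_RE.search(text)
    if not code or not amount:
        return None
    return {"code": code.group(1), "amount": float(amount.group(1).replace(",", ""))}

def check_otp_message(text, expected_amount):
    """Verdict for one message against the amount the user is actually paying."""
    parsed = parse_otp_sms(text)
    if parsed is None:
        return "UNKNOWN_FORMAT"      # no amount to compare: do not enter it blindly
    if abs(parsed["amount"] - expected_amount) > 0.005:
        return "AMOUNT_MISMATCH"     # the code authorises a different transaction
    return "OK"

def unsolicited_burst(arrival_times, window_seconds=300, threshold=2):
    """True if `threshold` or more OTP messages arrive within `window_seconds`."""
    times = sorted(arrival_times)
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window_seconds)
        if count >= threshold:
            return True
    return False

# Constructed samples: a genuine code for a 4,500 purchase, the transfer code a
# fraudster would trigger while the victim expects a "registration" code, and a
# message that carries no amount at all.
SAMPLES = [
    "Your OTP 483921 for payment of LKR 4,500.00 to ONLINE STORE. Do not share it.",
    "Your OTP 771203 for transfer of LKR 950,000.00 to A/C ****2231. Do not share it.",
    "Welcome! Reply with the code to confirm registration.",
]

def run_samples(expected_amount=4500.00):
    return [check_otp_message(s, expected_amount) for s in SAMPLES]

if __name__ == "__main__":
    for sms, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:16} {sms}")
    print("burst of unrequested OTPs:", unsolicited_burst([0, 40, 95]))
```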