As the importance of cybersecurity continues to elevate, Jimmy Fong, CCO at SEON, spoke to us about the role of one-time passwords and how their impact has changed in recent times. 

For a long time, one-time passwords (OTPs) were considered the crème de la crème of account protection measures. As the name suggests, this kind of system issues a single-use password, normally sent to a verified phone number or email address and valid for up to one minute. In the past, there was an assumption that OTPs guaranteed the safety of those using them. Unfortunately, fraudsters are now capable of clearing this hurdle, and once they have access to sensitive information they can turn it into a monetary reward.

What is an OTP? 

Let’s start with the basics. OTPs are sequences of numbers generated automatically as a means of authenticating a transaction or login for a particular user. This form of system is commonly used as an extra layer of protection on top of a static password. As such, OTPs are at the heart of many online two-factor authentication processes. Despite recent concerns, OTPs are still largely assumed to be the safest way to protect personal data and accounts.

In fact, in recent years, OTPs have evolved even further, with dedicated authentication apps, such as Google’s and Microsoft’s Authenticator applications, now commonly used by businesses and individuals alike. However, while authenticator apps can help to fortify accounts, they’re still vulnerable to different forms of social engineering attacks. As such, they mustn’t be considered a ‘silver bullet’ in the fight to protect sensitive information online.

Flaws at the forefront 

So, now that we’ve established what OTPs are and covered some of the main reasons why they’re used, it’s time to assess where their weak points are from the perspective of fraud prevention. On a very simple level, an OTP is just another piece of information that a fraudster needs to break into an individual’s account. With the right tools, approach, and expertise, it’s a highly achievable task with a big payoff.  

Surprisingly, fraudsters haven’t had to rethink their existing methods of access to circumvent OTP systems. In fact, social engineering attacks remain a popular route to gain access to OTP software, with phishing, baiting, and catfishing methods being utilised both online and in person to manipulate individuals into offering sensitive or personal information. 

The most popular form of social engineering attack for hacking OTPs is phishing, where fraudsters send a fake but legitimate-looking email or text message to an individual, often purporting to be from a business or financial institution. In the message, the fraudster asks the individual to enter the OTP that has just been sent to them, which in turn gives the fraudster access to an otherwise protected area. Fraudsters can also take advantage of bots, which are programmed using specialised container-as-a-service (CaaS) toolkits to intercept passwords.

Unfortunately, phishing has become more advanced in recent times, and is becoming increasingly difficult to detect without the right knowledge and education. For businesses that use OTPs, it’s now essential to offer routine training around these attacks in order to keep sensitive information safe and out of the hands of fraudsters. Likewise, for individuals, it’s extremely important to be vigilant whenever asked to disclose sensitive personal information, either online or in person.

Restoring faith in OTPs 

Despite the evidence that can be stacked up against the use of OTPs, they remain one of the best systems on the market for securing personal and business accounts. While largely safe, there are still some measures that can be implemented to make OTPs more secure.

From a business perspective, it’s paramount to ensure customers know exactly what type of communications they can expect to receive, which in turn can help to prevent sensitive account information from leaking. Additionally, businesses are advised to employ account usage detection software, which can alert individuals when their accounts have been accessed in a suspicious manner and detail exactly where the suspicious login came from.
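As an added illustration (not code from the article or from SEON), here is a minimal version of the account-usage check described above: it pairs each OTP issue with its redemption and raises an alert, naming where the login came from, when the code comes back from a different IP or device than it was sent to, or outside the one-minute validity window. That mismatch is the trace left by the phishing relay described earlier. The event fields, device fingerprints and addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
OTP_TTL = timedelta(minutes=1)  # codes are valid for up to one minute, per the article

@dataclass
class OtpEvent:
    ts: datetime
    user: str
    kind: str    # "issued" (code sent to the user) or "redeemed" (code submitted)
    ip: str      # client IP seen by the service
    device: str  # device/browser fingerprint (hypothetical field)

def redemption_reasons(issued: OtpEvent, redeemed: OtpEvent) -> list:
    """Why a redemption looks like a relayed (phished) code; empty means clean."""
    reasons = []
    age = redeemed.ts - issued.ts
    if age < timedelta(0) or age > OTP_TTL:
        reasons.append("redeemed outside the %ds validity window" % OTP_TTL.total_seconds())
    if redeemed.ip != issued.ip:
        reasons.append("issued to %s but redeemed from %s" % (issued.ip, redeemed.ip))
    if redeemed.device != issued.device:
        reasons.append("device changed from %s to %s" % (issued.device, redeemed.device))
    return reasons

def scan(events):
    """Pair each redemption with the latest issued code for that user; collect alerts."""
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "issued":
            pending[ev.user] = ev
        elif ev.kind == "redeemed":
            issued = pending.pop(ev.user, None)
            reasons = (["redeemed with no matching issued code"] if issued is None
                       else redemption_reasons(issued, ev))
            if reasons:
                alerts.append((ev.user, ev.ip, reasons))
    return alerts

# Constructed sample: alice logs in normally; bob typed his code into a fake page
# and the fraudster replays it from another machine within the window.
T = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    OtpEvent(T, "alice", "issued", "198.51.100.7", "fp-a1"),
    OtpEvent(T + timedelta(seconds=20), "alice", "redeemed", "198.51.100.7", "fp-a1"),
    OtpEvent(T + timedelta(seconds=5), "bob", "issued", "203.0.113.9", "fp-b2"),
    OtpEvent(T + timedelta(seconds=40), "bob", "redeemed", "192.0.2.77", "fp-x9"),
]
if __name__ == "__main__":
    for user, ip, reasons in scan(SAMPLE):
        print("ALERT %s: suspicious login from %s; %s" % (user, ip, "; ".join(reasons)))
```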

Sadly, individuals have fewer tools at their disposal to mitigate the threat of OTP hacks, but they can ensure they react to the issue in an effective manner should it occur. To this end, anyone who thinks they may have been exposed to an OTP-related attack should immediately contact the business the message purported to come from, to confirm whether the communication was indeed legitimate.

Is time up for OTPs? 

It’s fair to say that OTPs aren’t going anywhere anytime soon, but it’s still imperative for individuals and businesses to be highly vigilant when using them. Fortunately, OTP attacks are still classified as rare, and simple preventative measures can often be used to stop them in their tracks before they’re able to inflict psychological and financial harm on their intended victims. Fraud prevention tools, like those offered by SEON, can play a vital part in identifying the risk of fraud and stopping it in its tracks.

Ultimately, adding an extra barrier to account access is a net positive in terms of increasing data protection; however, careful attention must always be paid whenever handling sensitive information. The bottom line is this: OTPs are the best option we have right now, but they are not without flaws. Generally, they are only as safe as businesses and individuals make them. Thankfully, by implementing protective controls and promoting sensible responsibility, the overall risk is immediately reduced.