For every innovation in password and account security, there are a dozen rat’s nests of scammers that unfortunately have a disproportionately high level of cleverness compared to their complete lack of moral integrity. The latest scam they’ve cooked up involves those one-time passwords (OTPs) that get emailed or texted to you after you’ve already entered your actual password, just to make sure it’s actually you. It seems some scammers have figured out a pretty sophisticated way around this.
Let’s get into what exactly OTP bots are and how you can protect yourself from them.
What are OTPs?
First things first. OTPs, or one-time passwords, are the verification codes that many companies send to your verified email address or phone number after you’ve entered your password, as an extra step to confirm it’s really you trying to get into your account. Because the code goes to something you hold (your phone, your mailbox, or an authenticator app) rather than something you merely know, it counts as a second factor, and the process is commonly known as two-factor authentication, or 2FA for short.
What makes OTPs useful for account security is that they are temporary: each code is generated fresh and stays valid for only a short period, typically a few minutes at most. Layering that dynamic code on top of a static password turns your account into a moving target that is much harder for would-be hackers to hit.
Understanding OTPs and Two-Factor Authentication (2FA)
As mentioned above, OTPs are part of the security process known as two-factor authentication (2FA). It’s called 2FA because the code is a second, independent factor: your static password proves something you know, and the temporary, time-limited code sent to your verified contact details or shown in your authenticator app proves you hold a device or mailbox that only you should have. While this has been (and still is) a huge upgrade over a single static password, OTP bots are built to capture these codes and use them within the short window in which they are still valid.
What is an OTP Bot?
OTP bots are automated programs designed to get past 2FA. Almost all of the accounts that hold your most sensitive and private information, especially financial ones, require some form of 2FA. That means these bots aren’t just after your Netflix password; they’re going for the big bucks. Specifically, your big bucks.
How OTP Bots and OTP Bot-Powered Cybercrime Works
Bypassing 2FA by intercepting OTPs doesn’t strictly require a bot, but a bot makes the job much easier and lets a scammer work at a much larger scale. A single human scammer is limited to one victim at a time; a bot can run the same play against many potential victims simultaneously.
There are two primary scams that OTP bots use in order to compromise your seemingly secured accounts.
OTP Phishing Attacks
OTP bot attacks start with a classic phishing scam. Victims receive a legitimate-looking text or email demanding some urgent action, with a link to a fake site built to look like the real one (often a clone of your bank’s login page). As you type your username and password into the fake site, the bot relays them to the real site in real time. The real site then sends you a genuine OTP at the same moment the fake site tells you a code is on its way. You enter that code into the scammer’s page, the bot relays it too, and it clears 2FA before the code expires. Note that the code itself is real, so it doesn’t matter whether it arrived by text, email, or an authenticator app: anything you can type into a page can be relayed.
Once this is complete, the scammer has a logged-in session on your account and can begin any kind of theft or fraud. In the more polished versions of the scam, the fake site then forwards you to the real banking website, so you likely have no reason for suspicion until the damage is already done.
OTP Bot Malware Attacks
Going a step further than phishing alone, some scammers use the phishing message as a first step toward getting you to install malware that acts as an OTP bot on your device. Once the malware is on a device, the bot can work autonomously: triggering log-in attempts, reading OTP emails or texts as they arrive, and completing the authentication process to hand a hacker complete access to any account it gets into. Advanced bots even cover their tracks by deleting the OTP and new-log-in notifications before you see them.
How to Stay Safe from OTP Bots
OTP bots are a tricky beast, because a lot of the onus falls on the companies running the accounts to come up with better ways to protect customers from these attacks. That doesn’t mean there aren’t ways to protect yourself, however.
Don’t Fall for Phishing
A lot of modern-day account security boils down to this: always being on your toes when it comes to phishing. Never log in through links sent to you, no matter how legitimate they may seem. Go to the website yourself instead, by typing the address or using a bookmark you saved earlier, and check that the address in the browser bar is really your bank’s domain before you enter anything. By doing that, you’ll negate almost any phishing-based scam that comes your way.
Businesses Have to Step Up Their Game
As for OTP bots specifically, more companies are adding anti-bot measures such as CAPTCHAs, which slow down large-scale attacks because automated relays often stall when they hit a bot-detection step. These raise the scammer’s cost rather than eliminate the attack, since a human operator can still solve a CAPTCHA by hand for a high-value target.
Some businesses are also having users register verified devices, so that a log-in attempt from a new or unrecognized device triggers an extra round of checks. That not only gives scammers another hurdle to deal with, but also gives the potential victim an unexpected prompt and an extra chance to stop the scam before it’s too late.
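To make the two ideas above concrete, here is an added worked example in Python. It is not code from this article, from Spokeo, or from any bank; the function names, the plus-or-minus-one-step acceptance window, the account record, password, timestamps and device tokens are all assumptions made up for the demo, and the TOTP secret is the published RFC 4226/6238 test secret. It implements the time-based one-time code scheme that authenticator apps use (RFC 6238), a server-side verifier, and a login check that combines the code with the verified-device registration described just above. `simulate_relay` plays the phishing flow from the “OTP Phishing Attacks” section: the victim types password and code into the fake site, and the bot submits both to the real site a few seconds later from the scammer’s own, unregistered device.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds each TOTP counter value is valid (RFC 6238 default)
WINDOW = 1     # counters accepted either side of "now" to absorb clock drift (assumption)
DEMO_PASSWORD = "correct horse battery staple"        # constructed for the demo
DEMO_TOTP_SECRET = b"12345678901234567890"            # RFC 4226/6238 test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of STEP-second periods since
    the Unix epoch. Anyone holding the secret and a clock computes the same code."""
    return hotp(secret, int(at_time) // STEP, digits)


def verify_totp(secret: bytes, code: str, at_time: int, digits: int = 6) -> bool:
    """Server-side check: the submitted code must match one of the counters in the
    acceptance window. That window is the 'small window' an OTP bot relies on."""
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False
    counter = int(at_time) // STEP
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(max(0, counter - WINDOW), counter + WINDOW + 1))


def make_demo_account() -> dict:
    """Constructed account record. The password is stored as a salted PBKDF2 hash;
    the TOTP secret must stay readable, since the server has to recompute codes."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", DEMO_PASSWORD.encode(), salt, 100_000),
        "totp_secret": DEMO_TOTP_SECRET,
        "known_devices": set(),   # opaque tokens issued to devices the user has verified
    }


def register_device(account: dict) -> str:
    """Issue a random device token (think: a long-lived cookie) to a verified device."""
    token = secrets.token_urlsafe(32)
    account["known_devices"].add(token)
    return token


def check_password(account: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    return hmac.compare_digest(candidate, account["password_hash"])


def login(account: dict, password: str, otp_code: str, device_token, now: int,
          require_known_device: bool = True) -> str:
    """Returns 'denied', 'step_up' or 'ok'.

    With require_known_device=False this is plain password + OTP, which a relayed
    login passes. With it on, a correct password and a correct code from an
    unrecognized device earn only a step-up prompt, not full access."""
    if not check_password(account, password):
        return "denied"
    if not verify_totp(account["totp_secret"], otp_code, now):
        return "denied"
    if require_known_device and device_token not in account["known_devices"]:
        return "step_up"
    return "ok"


def simulate_relay(account: dict, delay_seconds: int,
                   require_known_device: bool = True) -> str:
    """The phishing flow from the article: the victim types password and current
    code into the fake site at time T; the bot submits both to the real site
    delay_seconds later from the scammer's own (unregistered) device."""
    victim_time = 1_700_000_000                       # constructed timestamp
    typed_code = totp(account["totp_secret"], victim_time)
    return login(account, DEMO_PASSWORD, typed_code, device_token=None,
                 now=victim_time + delay_seconds,
                 require_known_device=require_known_device)


if __name__ == "__main__":
    acct = make_demo_account()
    print("relay after 10s, password+OTP only:", simulate_relay(acct, 10, False))  # ok
    print("relay after 10s, device check on:  ", simulate_relay(acct, 10))         # step_up
    print("relay after 120s:                  ", simulate_relay(acct, 120))        # denied
    mine = register_device(acct)
    now = 1_700_000_000
    print("owner on a registered device:      ",
          login(acct, DEMO_PASSWORD, totp(acct["totp_secret"], now), mine, now))   # ok
```

Run it and the three relay cases make the point: with only a password and an OTP the relayed login succeeds; with the device check on, the very same relay reaches nothing more than a step-up prompt; and a relay that arrives two minutes late is rejected because the code has expired. Real servers accept a neighboring counter to tolerate clock drift, and that tolerance is exactly the window the bot works inside.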
Use Authentication Apps
Another measure you can take yourself is to set up an authenticator app that generates your OTPs inside the app rather than having them sent to your phone or email. The code is computed on your device from a secret shared with the service, so it never travels over text or email, and malware that reads incoming messages has nothing to harvest. It won’t protect you if you type the code into a phishing site, though: a relayed authenticator code works exactly as well for the scammer as a relayed text-message code.
Use Biometrics
Biometrics is one of those terms that can send a shiver down the spine of anyone who wonders exactly who we’re handing our biometric data to. Uncomfortable boundary-pushing and potential tin-foil hats aside, biometric logins are highly effective against this kind of scam. On most modern phones and laptops the fingerprint or face scan never leaves the device; it unlocks a credential stored on that device, so there is no code for a phishing site to ask you for and nothing for an OTP bot to relay. It’s fair not to trust companies or devices fully with our biometrics, but as a way of shutting out hackers and predatory bots it works well.
Final Thoughts
To wrap it up, OTP bots are a newer method scammers use to intercept 2FA codes and use them to get into your most secure accounts and most sensitive information. While diligence is always your best option when it comes to avoiding scams, there are all kinds of new technologies and tools being created to help trip up would-be scammers, who are also constantly innovating their scummy tactics.
Should you ever be contacted by a person or phone number you’re not 100% certain you trust, using Spokeo to double-check is always a good idea. While the digital age has opened up all sorts of doors for potential scammers, it has also provided the information you need to stay one step ahead of them, and most importantly, to stay safe.
Cyrus Grant is a writer from Southern California with a background in law and dispute resolution. When he isn’t writing he can be found deep-diving into the latest technology trends or simply spending time at the beach.