A new form of OTP (one-time password) theft is on the rise in Bengaluru, and many IT employees have become its victims. Lakhs of rupees have been stolen using this method, but not a single culprit has been apprehended so far.
In OTP thefts, victims are either conned into giving away their OTPs, or malware (software designed to corrupt or gain access to a system) is used to capture the SMSes containing the OTPs. The perpetrators, armed with the OTPs, then transfer money from the victims’ accounts to their own.
Officials in the city’s cyber crime police station said the OTP theft involves a caller posing as a bank employee, ostensibly to update or renew the credit/debit card of the person receiving the call. The unsuspecting victim provides the card number and CVV, secure in the knowledge that anyone would still need the OTP to carry out a transaction. The scamster then says the victim will receive an SMS, which would have to be sent back to the sender.
Such SMSes, apparently, are in encrypted form and do not contain any legible text. However, they also act as links, and when victims click on them, SMSes arriving on the phone are automatically forwarded to the scamster’s phone. The scamster then uses the OTP to transfer money from the victim’s account.
Cyber crime personnel said such cases came to light about 2-3 months ago. “The thefts were initially of relatively small amounts of ₹5,000-10,000. However, of late, larger amounts ranging from ₹50,000 to up to a few lakhs, have been stolen. We have not been able to apprehend anyone yet. The victims also include several IT employees,” the source said.
Harsha Halvi, co-founder of TBG Labs, said OTP theft is more a privacy matter than a technological one. Perpetrators often gain the victim’s trust by dropping a name as a reference. Finding information about the victim’s bank is also easy. “India as a country has not taken privacy seriously. Most of the time, most hackers are able to find out the bank you are banking with,” he said.
Halvi said creating awareness holds the key to fighting such thefts. Because many apps ask for access to SMSes, and such apps view an SMS carrying an OTP in the same way as a normal SMS, finding a technological solution is not possible. “It is not possible to develop a software to safeguard against this. Many apps ask for access to SMSes. But, if users are more aware and most of them do not give permission to access SMSes, then developers will be forced to change their policy,” he said. On receiving such calls, people can verify them with the customer care numbers of their banks.
The number of cases of debit/credit card frauds, also termed vishing, increased from 880 in 2017 to 2,446 in 2018. OTP thefts, too, come under this category of offence.