CAPTCHA & OTPs

As mobile ad fraud continues to take a massive toll on advertisers, publishers and end-users, advanced security measures to protect user transactions are becoming more and more common. The problem is, most common solutions – CAPTCHA tests and One Time Passwords (OTPs) – aren’t as secure as they seem. They also make life harder for consumers.

Both methods attempt to verify that a real human is behind any request to register a new account or complete a significant transaction. But they complicate the UX by slowing down the mobile purchase journey – and they’re far from fraud-proof.

Cybercriminals have discovered several effective techniques to get around both measures. Let’s take a look at some of the most common.


Fraudsters Looking Over Your Shoulder

A one-time password (OTP) is a password valid for a single login session or transaction. OTPs are often used in two-factor authentication (2FA) to confirm user identity alongside a username/password combination. They typically take the form of a time-limited code sent via SMS message to the user’s mobile.
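To make the two properties in that definition concrete (valid for one transaction, and only for a limited time), here is an added server-side example of how an OTP is issued and checked. It is not code from the original article; it assumes a 6-digit numeric code, a two-minute validity window, an in-memory store, and an injectable clock so expiry can be exercised without waiting. Note what the check does not do: it verifies only that the submitted digits match, so anyone holding the code inside the window passes, which is exactly why the interception techniques described below work.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from the article).
OTP_TTL_SECONDS = 120   # code is valid for two minutes
MAX_ATTEMPTS = 3        # wrong guesses allowed before the code is discarded


@dataclass
class PendingOtp:
    code_hash: bytes      # only a keyed hash is stored, so a leaked table does not leak live codes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Issues single-use, time-limited OTPs and verifies them once."""

    def __init__(self, ttl=OTP_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._clock = clock                 # injectable for testing expiry
        self._pending = {}                  # txn_id -> PendingOtp
        self._pepper = secrets.token_bytes(32)

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), "sha256").digest()

    def issue(self, txn_id: str) -> str:
        """Create a fresh code for a transaction. Re-issuing replaces any earlier code."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
        self._pending[txn_id] = PendingOtp(self._hash(code), self._clock() + self._ttl)
        return code   # in production this goes to the SMS gateway and is never logged

    def verify(self, txn_id: str, submitted: str) -> str:
        """Return one of: ok, wrong, expired, replayed, locked, unknown."""
        rec = self._pending.get(txn_id)
        if rec is None:
            return "unknown"
        if rec.consumed:
            return "replayed"              # single-use: a second presentation is rejected
        if self._clock() > rec.expires_at:
            del self._pending[txn_id]
            return "expired"               # time-limited: late codes are rejected
        if rec.attempts >= self._max_attempts:
            del self._pending[txn_id]
            return "locked"                # guessing budget exhausted
        rec.attempts += 1
        # Constant-time comparison of hashes avoids a timing side channel on the code.
        if hmac.compare_digest(rec.code_hash, self._hash(submitted)):
            rec.consumed = True
            return "ok"
        return "wrong"
```

The `verify` outcome is a plain string so the caller can log it as a signal: a burst of `wrong` or `replayed` results against one transaction is worth alerting on, and a correct code arriving from a different device or IP than the one that started the transaction is the pattern the notification-reading and SIM-swap attacks below produce.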

While 2FA is moving increasingly to app-based permissions, SMS is still the most widely used authentication method for consumer purchases on mobile. OTP via SMS is especially popular with mobile operators as it quickly confirms the validity of a purchase, or subscription to a digital service, in real time.

Executing 2FA in this manner, however, adds time and complexity to the purchase journey. Users with older mobile devices may have to leave the app or website to read the code, then return to the transaction screen to enter it.

Besides the negative impact on user experience of jumping between apps and windows on a smartphone, relying on personal data like mobile numbers makes OTP the least secure 2FA method.


There are three ways fraudsters can get around it:

1. Accessing OTP messages with malicious apps

Reports from June of this year uncovered malicious Android apps capable of reading one-time passwords in the text messages used for two-factor authentication. This happened despite measures taken by Google in January to stop developers from gaining access to sensitive SMS and Call Log permissions without making their case to Google first.

The new app-based technique got past the restrictions to obtain OTPs from text messages and some email-based 2FA systems.

Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, the malicious apps would capture the OTP from notifications appearing on the device’s display. The apps could read the 2FA notifications and passwords, and also dismiss them to prevent victims from noticing that a fraudulent transaction is underway.

2. Hacking into mobile networks

Cybercriminals have found security weaknesses in mobile networks that enable them to intercept text messages, listen to voice calls, and even track users’ locations. If a fraudster intercepts a text message containing an OTP, they could use it to log in to an account, disable 2FA, change the password, and lock out the real owner.

Chinese hackers spying for Beijing recently targeted telecommunications companies with a new piece of malware designed to capture text messages in transit. Dubbed “MessageTap,” the malware was discovered on a Linux-based Short Message Service Center (SMSC) server operated by a telecommunications company. Compromising an SMSC system could enable an attacker to monitor network connections to and from the server, as well as data sitting inside.

3. Swapping their SIM for yours

In SIM-swapping attacks, a fraudster uses social engineering techniques to trick a mobile operator into transferring a targeted individual’s phone number to their own SIM card.

Once the number has been transferred, the fraudster can use it to bypass SMS-based two-factor authentication, obtain the end user’s personal information, and then use that information to try to access bank or other accounts containing financial or payment information.


Captured By Better Technology

A CAPTCHA, or ‘Completely Automated Public Turing test to tell Computers and Humans Apart’, is the challenge-response test you frequently see at the bottom of the form when you sign up for a new account, or attempt to change a password. It’s used to determine whether you’re a real human, or just a bot trying to register or access an account without permission.

First created in 1997, CAPTCHA methods have evolved and improved over time, but cybercriminals have found ways to stay a step ahead of each new iteration.

Sometimes this is done using machine learning techniques. Fraudsters found a way past the first image-based CAPTCHA, for example, by using Optical Character Recognition to read the distorted text embedded within.

More recent CAPTCHA innovations like audio challenges have been circumvented using speech recognition technology. The audio file offered up by CAPTCHA for a response is downloaded by the fraudster then segmented. The segments are then uploaded to speech-to-text services which convert the message.

The capability is so easy to implement that there is even a publicly available browser plugin called Buster that offers the functionality to anyone who wants it.

Fraudsters also use cheap labour to create ‘human bots,’ who simply use their eyes and ears to answer any CAPTCHA challenge thrown up by the accounts they want to target.

Any number of companies offer a ‘CAPTCHA solving’ service, using people to compromise even sophisticated systems at relatively low cost.


How Mobile Operators Should React

Of course, CAPTCHA and OTP can be effective in dealing with standard attempts to break into accounts. But when it comes to combatting mobile crime and securing subscriber transactions, sophisticated scams need sophisticated solutions.

That’s why it’s never been more critical to have dedicated mobile security solutions that address the specific risks faced by phone and tablet users, and the mobile industry as a whole.