Trust Us, One-Time Passwords Can’t Be Trusted

To combat cybercrime, many mobile network operators (MNOs) are taking the fight to fraudsters by adding layers of authentication to online transactions.
Their favoured approach is to create a unique numeric sequence called a one-time password (OTP), a ‘secret’ PIN code delivered via text so users can verify that they’ve initiated a transaction.
We’ve written about OTP fraud before; but as ever, cyber rogues manage to stay a half-step ahead. Secure-D has found more evidence that fraudsters are getting their hands on confidential OTPs to authenticate bogus transactions and make fake purchases look legit.
Mobile operators love text-based OTP – but they shouldn’t
On paper, OTPs stop fraud by compelling users to respond to a prompt before any transaction can proceed. While some industries have started questioning over-reliance on OTP, mobile operators still like SMS-based OTP. It’s fast, and it fits the needs of telco infrastructure. Users can confirm a purchase or new digital subscription immediately while a transaction is underway.
At checkout, a temporary code is texted to their mobile number. They type it into a confirmation field and voila, purchase confirmed. A great idea in theory – but in practice, it’s turning out to be weak.
The strange case of Sita
Consider this recent compromise observed by Secure-D researchers.
A major mobile operator in Southeast Asia was using text-based OTP to protect subscribers from click fraud. Despite the security measure, Secure-D recorded a high number of suspicious transaction attempts in the MNO’s network originating from an app called ‘Sita cleaner’.
We decided to investigate further.
Sita cleaner is a ‘junk cleaner’ that clears old and unneeded files from device memory, potentially making smartphones faster and more responsive. There are zillions to choose from; however, Sita cleaner has been removed from Google Play and is only available in third-party stores.
Secure-D researchers downloaded the app from one such third-party store and installed it on a physical Android device. When the app was launched, it requested a permission labelled ‘Notification Access’, asking the user to allow it to view SMS messages, emails, and notifications, as well as to access files and read contacts.
Saying yes to that permission would also give the app free rein to dismiss notifications and ‘touch’ any action buttons included in notifications – even if they originated from a different application.
This is a suspiciously high-level requirement for an app meant to clean inactive and out-of-date files from a phone’s OS.
That concern didn’t occur to many users, however, who clicked ‘yes’ and gave Sita cleaner the go-ahead.
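One way to check a device for that over-broad grant, as an added example that is not part of the Secure-D post: Android records every app holding Notification Access in the Secure setting `enabled_notification_listeners`, which `adb shell settings get secure enabled_notification_listeners` prints as a colon-separated list of `package/class` components. The script parses that value and reports any package not on an allowlist. The sample value, package names and allowlist are constructed for illustration and are not real apps.

```python
"""Audit which apps on an Android device hold Notification Access.

Added example, not code from the Secure-D post or the app it describes.
The Secure setting `enabled_notification_listeners` holds a ':'-separated
list of NotificationListenerService components as `package/class`; a class
starting with '.' is relative to its package. Read it with:

    adb shell settings get secure enabled_notification_listeners
"""
import subprocess
from typing import Dict, Iterable, List

# Constructed sample: two listeners an administrator might expect (an assumed
# watch companion and a launcher) plus a 'cleaner' app holding the same power.
SAMPLE_SETTING = (
    "com.example.watchcompanion/.NotificationService:"
    "com.example.launcher/com.example.launcher.NotifListener:"
    "com.example.cleanerapp/.NotifAccess"
)

# Assumed allowlist of packages expected to hold Notification Access.
ALLOWLIST = {"com.example.watchcompanion", "com.example.launcher"}


def parse_listeners(setting_value: str) -> Dict[str, str]:
    """Return {package: fully qualified listener class} from the raw setting."""
    value = (setting_value or "").strip()
    if value in ("", "null"):  # 'null' is printed when no listener is enabled
        return {}
    listeners: Dict[str, str] = {}
    for component in value.split(":"):
        if "/" not in component:
            continue  # malformed entry; ignore rather than crash the audit
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):  # shorthand relative class name
            cls = pkg + cls
        listeners[pkg] = cls
    return listeners


def flag_unexpected(listeners: Dict[str, str], allowlist: Iterable[str]) -> List[str]:
    """Packages with Notification Access that are not on the allowlist."""
    allowed = set(allowlist)
    return sorted(pkg for pkg in listeners if pkg not in allowed)


def read_setting_from_device() -> str:
    """Read the live value over adb (needs adb on PATH and an attached device)."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_notification_listeners"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Swap SAMPLE_SETTING for read_setting_from_device() to audit a real device.
    found = parse_listeners(SAMPLE_SETTING)
    for pkg in flag_unexpected(found, ALLOWLIST):
        print(f"UNEXPECTED Notification Access: {pkg} ({found[pkg]})")
```

A junk cleaner has no business appearing in that list; anything flagged here deserves a look at what else it asked for and where it was installed from.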
When Secure-D opened the app, it took an unusually long time to load. While we waited, two OTP text messages arrived, meaning that something we weren’t seeing had triggered an OTP process in the background.
Then confirmation SMSs arrived thanking us for subscribing to a digital service. We didn’t see anything you would have expected to precede a mobile purchase: no ad banners, sign-up screens, or landing pages. Whatever was happening, it happened invisibly, hidden from view.
Watch this video and see how Secure-D witnessed OTP fraud in action.
Over a million fraudulent transactions
The OTP fraud discovered by Secure-D happened because the device we tested became infected with malware. Still, it’s worth adding this caveat: the app itself might not be fully responsible.
Like thousands of other apps, Sita cleaner is infected with the Joker malware, which intercepts SMS and subscribes users to OTP-protected services. Joker is one of the most successful malware strains and has been able to circumvent Google Play Store protection thousands of times. Read more about Joker malware here.
In July 2020 Sita cleaner was among the top suspicious apps on Secure-D’s suspicious app index in Southeast Asia. It had been in the top spot for three months. Secure-D blocked over 1.4 million questionable transaction requests between April and July 2020, coming from 16,000-plus devices.
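Seen from the operator’s side, a malware-driven subscription looks different from a human one even when the OTP itself is correct. The following added example (not Secure-D’s detection logic) scores constructed subscription-gateway events for two such signs: the code is confirmed faster than anyone could read and type it, and one subscriber confirms several paid subscriptions in a short window. The log format, subscriber and service identifiers, and both thresholds are assumptions made for the example.

```python
"""Network-side heuristics for spotting automated OTP confirmations.

Added example, not Secure-D's detection logic. Input is a constructed log of
subscription-gateway events: ISO timestamp, subscriber id, event, service id.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample. msisdn-A confirms three services within seconds of each
# OTP being sent; msisdn-B takes 38 s (plausibly human); msisdn-C never confirms.
SAMPLE_LOG = """\
2020-07-01T10:00:00 msisdn-A OTP_SENT svc-42
2020-07-01T10:00:01 msisdn-A OTP_CONFIRMED svc-42
2020-07-01T10:00:03 msisdn-A OTP_SENT svc-77
2020-07-01T10:00:04 msisdn-A OTP_CONFIRMED svc-77
2020-07-01T10:05:10 msisdn-A OTP_SENT svc-91
2020-07-01T10:05:11 msisdn-A OTP_CONFIRMED svc-91
2020-07-01T10:20:00 msisdn-B OTP_SENT svc-42
2020-07-01T10:20:38 msisdn-B OTP_CONFIRMED svc-42
2020-07-01T10:30:00 msisdn-C OTP_SENT svc-42
"""

MIN_HUMAN_SECONDS = 5.0        # assumed floor for reading and typing a code
MAX_CONFIRMS_PER_WINDOW = 3    # assumed: this many paid sign-ups per window is odd
WINDOW = timedelta(hours=1)

Event = Tuple[datetime, str, str, str]


def parse_events(text: str) -> List[Event]:
    """Parse log lines into (timestamp, subscriber, event, service), oldest first."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subscriber, event, service = line.split()
        events.append((datetime.fromisoformat(ts), subscriber, event, service))
    events.sort(key=lambda e: e[0])
    return events


def confirm_latencies(events: List[Event]) -> List[Tuple[str, str, datetime, float]]:
    """Pair each OTP_CONFIRMED with the latest preceding OTP_SENT for the same
    subscriber and service; return (subscriber, service, confirm_time, seconds)."""
    pending: Dict[Tuple[str, str], datetime] = {}
    paired = []
    for ts, subscriber, event, service in events:
        key = (subscriber, service)
        if event == "OTP_SENT":
            pending[key] = ts
        elif event == "OTP_CONFIRMED" and key in pending:
            sent = pending.pop(key)
            paired.append((subscriber, service, ts, (ts - sent).total_seconds()))
    return paired


def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Return {subscriber: [reasons]} for subscribers whose confirmations look automated."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    confirms = confirm_latencies(events)

    # Signal 1: confirmation arrived faster than a person could act on the SMS.
    for subscriber, service, _, latency in confirms:
        if latency < MIN_HUMAN_SECONDS:
            alerts[subscriber].append(f"fast_confirm:{service}:{latency:.0f}s")

    # Signal 2: a burst of confirmed subscriptions from one subscriber.
    per_subscriber: Dict[str, List[datetime]] = defaultdict(list)
    for subscriber, _, ts, _ in confirms:
        per_subscriber[subscriber].append(ts)
    for subscriber, stamps in per_subscriber.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= WINDOW)
            if in_window >= MAX_CONFIRMS_PER_WINDOW:
                alerts[subscriber].append(f"burst:{in_window}_confirms_in_window")
                break
    return dict(alerts)


if __name__ == "__main__":
    for subscriber, reasons in detect(parse_events(SAMPLE_LOG)).items():
        print(subscriber, ", ".join(reasons))
```

Neither signal proves fraud on its own, which is why the output is a list of reasons per subscriber rather than a verdict; the point is that an OTP entered correctly by malware still leaves timing and volume traces the OTP check itself never sees.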
Why OTP fraud hits MNOs where it hurts
Subscribers hold their mobile operators responsible for protecting them from security threats. But that trust is undermined when fraud like this occurs.
Fraudsters try to legitimise their bogus transactions by labelling them with MNO branding – a severe reputational threat to mobile operators that can crush customer loyalty and aggravate churn. Mobile operators’ customers are amongst the first to take to social media to vent their frustration when things go wrong.
And there’s a bigger question for mobile operators: if users can’t trust (or see) texts from their mobile operator, can any SMS-based system be trusted?
OTP fraud also incurs direct costs, as customer service resources have to be devoted to handling complaints and investigating each instance. Mobile operators can also lose out on revenues if prepaid customers have their credits used up by fake transactions and can’t afford to reload their credit.
Sophisticated scams need sophisticated solutions
With mounting evidence of how insecure SMS-based OTP authentication has become, mobile operators should leave it behind. With new exploits emerging every month, it’s vital to adopt solutions that address the evolving security vulnerabilities faced by smartphone users and the mobile industry as a whole.
Mobile operators need a more sophisticated end-to-end approach to security and authentication. Secure-D works with mobile operators around the world to analyse specific vulnerabilities and protect their networks from mobile malware.