The rise of OTP (One Time Password) theft and related cyberattacks has become a major security concern worldwide, including in Indonesia. OTP, as a crucial security method in the digital realm, is widely used to verify user identities in various online services, including digital banking, social media, and communication platforms like WhatsApp, SMS, or phone calls.
Amidst the rapid technological advancements and digital ecosystem growth, cybercriminals have become increasingly creative in devising strategies and tactics to steal OTPs. They exploit user carelessness, lack of awareness, or urgent needs to obtain OTPs, granting them unauthorized access to sensitive accounts, resulting in harm to victims.
Phishing, a frequently employed method, involves sending fake messages attempting to convince victims to share their OTP or other personal information. These messages often take the form of suspicious transaction notifications, account verification requests, or enticing fake offers.
Furthermore, man-in-the-middle attacks, where criminals intercept communication between users and service providers to steal OTPs, have become more sophisticated. They employ various techniques to obtain OTPs without the victim's knowledge.
In Indonesia, concerns about OTP-related attacks and fraud have surged alongside the increased use of digital services, especially during the COVID-19 pandemic, when more people switched to online banking, communication via WhatsApp, and SMS as their primary means of communication.
However, phone calls remain a lesser-known vulnerability. Recently, a researcher named Shuvamoy Roy, Founder CEO of AbnerSecurity, shared a video demonstrating techniques used for phishing calls and OTP theft.
Shuvamoy Roy, Founder CEO of AbnerSecurity, explained, "Currently, it's very easy for threat actors to compromise a victim's account through OTP SPOOFING, where you receive a call from an official customer portal number requesting OTP-related information. Once you input the OTP, the game is over."
In the proof-of-concept (POC) video he obtained from a bot channel offering "OTP Spoofing" subscriptions, methods ranging from a few hours to a year are available, with prices starting from $29 to $1599 USD.
However, it's worth noting that cyberdefenseinsight found these methods primarily in English, and no Indonesian-language resources were discovered. Nevertheless, this can provide insight into how call-based methods can be utilized with bots to conduct phishing attacks.
Shuvamoy Roy, Founder CEO of AbnerSecurity, also advised, "Before giving out any kind of sensitive information, always cross-verify! For cases like this, you can cross-verify by logging into your account and checking if something similar happened. Cross-verification mitigates both OTP and CALL SPOOFING risks."
This precautionary measure can ensure that any calls requesting sensitive information such as OTPs are avoided.
Conclusion
Protecting against OTP spoofing and phishing attacks is crucial in the digital age, especially in Indonesia's expanding online landscape. Staying vigilant, cross-verifying information, and raising awareness about the risks of sharing OTPs over the phone are essential steps to safeguard personal and financial information from cybercriminals.
0 Comments