How can security OTP be broken?
When making money transfers or using certain services over the Internet, we often have to deal with OTP. OTP stands for One Time Password: a password that is used once. As the name says, it works for a single use only and is no longer valid afterwards.
1. Why use OTP?
When making money transfers via the Internet, you need a login account on a mobile app or via SMS. Users log in with a fixed password, also called a static password, just like the password you use for Facebook, Gmail, etc.
However, after login, the system needs to check that you are the "real account holder" and not a program built to hack the account, so it sends a random code and asks you to enter it on the website or mobile app to complete the transaction.
The OTP is sent to us via email, SMS or a device called a Token. Once the user enters this OTP code to complete the transaction, it is no longer valid, which makes payments much more secure.
However, is this supposedly safest security method really safe?
2. Can hackers steal money without using OTP?
Case 1: Malicious code has been installed on your smartphone (a jailbroken iOS device is often less at risk, while an Android device easily becomes a victim).
First, hackers hide malicious code inside an attractive application (18+, hack Pokemon Go for example) and lure you into downloading and installing it on your smartphone.
After that, the application asks for permission to read / delete messages - most users currently do not pay attention to the access they grant when installing an application. They just tap next, next and next.
Next, the malicious application steals user data (such as bank login accounts, credit cards, etc. saved in the web browser).
After acquiring the login account, the hacker transfers money via Internet Banking. Of course, at this point an OTP SMS is sent to the victim's smartphone. Once again, the malicious application reads the OTP, sends it back to the hacker and deletes the OTP SMS.
And so the money in your account is gone, and no trace is left on the smartphone.
[Figure: Operation mode of malicious applications]
Case 2: Phishing via email / fake website (fake email, phishing website)
Hackers trick the victim with a fake email with compelling content: an unexpected reward, a bill to pay, etc. The link in this email leads to a fake website that has the same interface / features as the real bank website.
The fake website requires users to log in with their username / password and some other information.
Having read this far, you will probably wonder: the transaction must be confirmed with an OTP code, so how can hackers get the OTP from the user's phone to transfer the money successfully?
3. Smart OTP - Security vulnerabilities of banks?
The answer is authorization of another device: a device that is not the user's phone can generate codes that are equivalent to OTPs to complete the transaction.
Smart OTP is a soft token key: software that provides OTP codes, installed on the customer's mobile phone and attached only to the eBank login account. This software is usually developed by the bank and only expires when canceled.
[Figure: Soft token key applications are risky]
Normally, each time a money transfer is made, users receive an OTP via SMS for authentication. But with Smart OTP, the application requires authentication via the phone number only the first time - and never again!
From that point on, when users need to transfer money, they simply enter the transaction code into the Smart OTP application to receive another code (with the same effect as an OTP) to authenticate the transaction on Internet Banking.
Using Smart OTP on another device is like revealing your security code; all that remains for them is to find the key - a much simpler job.
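The transaction-code exchange described above can be modelled in a few lines to show why enrollment carries all the trust: the server accepts a response from whichever device holds the enrolled key. This is an added sketch, not any bank's Smart OTP code; the HMAC-SHA256 derivation with RFC 4226-style truncation, the BankVerifier class, the key-replacement rule and the account name are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def response_code(device_key: bytes, transaction_code: str, digits: int = 6) -> str:
    """Code the app displays for a transaction code (RFC 4226-style truncation)."""
    mac = hmac.new(device_key, transaction_code.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Hypothetical server side: one device key per account, one use per code."""

    def __init__(self):
        self.keys = {}     # account -> key issued at enrollment
        self.pending = {}  # account -> outstanding transaction code

    def enroll(self, account: str) -> bytes:
        # The only step guarded by the phone-number check in the article.
        # Design choice of this sketch: a new enrollment replaces the old key.
        self.keys[account] = secrets.token_bytes(32)
        return self.keys[account]

    def start_transfer(self, account: str) -> str:
        self.pending[account] = f"{secrets.randbelow(10 ** 8):08d}"
        return self.pending[account]

    def confirm(self, account: str, response: str) -> bool:
        code = self.pending.pop(account, None)  # consumed on first attempt
        if code is None:
            return False
        expected = response_code(self.keys[account], code)
        return hmac.compare_digest(expected, response)


def demo():
    bank = BankVerifier()
    first_key = bank.enroll("alice")  # constructed account name
    code = bank.start_transfer("alice")
    answer = response_code(first_key, code)
    accepted = bank.confirm("alice", answer)
    replayed = bank.confirm("alice", answer)  # same answer, code already used
    second_key = bank.enroll("alice")  # enrollment repeated on another device
    code = bank.start_transfer("alice")
    from_second = bank.confirm("alice", response_code(second_key, code))
    return accepted, replayed, from_second
```

The server has no way to tell the second device from the first, so the controls that matter are a strong check at enrollment and a notification to the account holder whenever a new device is enrolled.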
Hope the above article is useful to you!