How can OTP security be broken?
When transferring money over the Internet, or using certain online services, we often deal with OTP. OTP stands for One Time Password, a password that is used once. This one-time password works for a single use and is not accepted again afterwards.
1. Why use OTP?
When transferring money via the Internet, you need to log in to an account, on a mobile app or via SMS. Users log in with a fixed password, also called a static password, the same kind of password you use for Facebook, Gmail and the like.
However, after login the system needs to check that you are the real account holder and not a program written to take over the account, so it sends you a random code that you must enter on the website or mobile app to complete the transaction.
The OTP is sent to you by email, by SMS, or by a device called a token. Once you have entered this OTP code to complete the transaction it is no longer valid, which makes payments more secure.
However, is this security method really as safe as it seems?
2. Can hackers steal money without using OTP?
Case 1: Malicious code has been installed on your smartphone (a jailbroken iOS device is often less at risk, while Android easily falls victim).
First, the hacker hides the malicious code inside an attractive application (18+ content or a Pokemon Go hack, for example) and lures you into downloading and installing it on your smartphone.
Next, the application asks for permission to read and delete messages. Most users today do not pay attention to the permissions requested when installing an application; they just tap Next, Next, Next.
The malicious application then steals user data (which may include bank login credentials, credit card details and other information saved in the web browser).
With the login credentials in hand, the hacker transfers money via Internet Banking. At this point an OTP SMS is of course sent to the victim's smartphone. Once again the malicious application reads the OTP, forwards it to the hacker, and deletes the OTP SMS.
And so the money in your account is gone, with no trace left on the smartphone.
How the malicious application operates
Case 2: Phishing via email or a fake website
The hacker tricks the victim with a fake email with compelling content: an unexpected reward, a bill to pay, and so on. The link in this email leads to a fake website that has the same interface and features as the real bank website.
The fake website asks the user to log in with username, password and some other information.
Reading this far, you will probably wonder: the transaction still has to be confirmed with an OTP code, so how can the hacker obtain the OTP from the user's phone and complete the transfer?
3. Smart OTP: a security vulnerability of banks?
Authorizing another device, not the user's own phone, lets that device generate codes equivalent to the OTP and complete the transaction.
Smart OTP is a soft token: software that provides OTP codes, installed on the customer's mobile phone and tied only to the eBank login account. This software is usually developed by the bank and only expires when it is cancelled.
Soft token applications are risky
Normally, each time a money transfer is made, the user receives an OTP via SMS for authentication. With Smart OTP, however, the application requires authentication via the phone number only the first time, and never again!
From then on, when the user needs to transfer money, they simply enter the transaction code into the Smart OTP application to receive another code (with the same effect as an OTP) and authenticate the transaction on Internet Banking.
Using Smart OTP on another device is like revealing your security code: all that remains for the attacker is to find the key, a much simpler job.
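To make the mechanism in this section concrete, here is an added example (not the article's own code and not any bank's real Smart OTP implementation) that models a soft token as an HMAC-based one-time code bound to the transaction code and a time step, with a bank-side verifier that accepts each code only once. The scheme itself, the 30-second step, the drift window and the enrolment secret are all assumptions chosen for illustration; it also shows the single-use property described in section 1, since a replayed code is rejected.

```python
import hashlib
import hmac
import struct

# Added illustration: a soft-token style OTP bound to a transaction code.
# The device and the bank share SECRET once, at enrolment (assumption).
# Every code is HMAC-SHA256(SECRET, transaction_code || time_counter),
# truncated to six digits the way HOTP does it (RFC 4226 dynamic truncation).
SECRET = b"constructed-enrolment-secret"   # constructed sample value
STEP_SECONDS = 30                           # assumed time step
DIGITS = 6


def code_for_counter(secret: bytes, transaction_code: str, counter: int) -> str:
    """Six-digit code for one transaction and one time counter."""
    msg = transaction_code.encode("utf-8") + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def generate_code(secret: bytes, transaction_code: str, now: int) -> str:
    """What the soft-token app computes when the user types in the transaction code."""
    return code_for_counter(secret, transaction_code, now // STEP_SECONDS)


class OtpVerifier:
    """Bank-side check: right secret, right transaction, fresh time step, used once."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of clock drift
        self.used = set()             # (transaction_code, counter) pairs already accepted

    def verify(self, transaction_code: str, code: str, now: int) -> str:
        base = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            expected = code_for_counter(self.secret, transaction_code, counter)
            if hmac.compare_digest(expected, code):
                key = (transaction_code, counter)
                if key in self.used:
                    return "replayed"     # one-time: the same code is never accepted twice
                self.used.add(key)
                return "ok"
        return "invalid"                  # wrong secret, wrong transaction, or expired


if __name__ == "__main__":
    now = 1_700_000_000
    verifier = OtpVerifier(SECRET)
    code = generate_code(SECRET, "TXN-0001", now)
    print("first use:", verifier.verify("TXN-0001", code, now))                      # ok
    print("replay:", verifier.verify("TXN-0001", code, now + 5))                     # replayed
    print("other transaction:", verifier.verify("TXN-0002", code, now))              # invalid
    print("expired:", verifier.verify("TXN-0001", code, now + 4 * STEP_SECONDS))     # invalid
```

The point for a defender is where the security actually sits: the server never sees the phone again after enrolment, so everything rests on the enrolment secret. Any device holding a copy of that secret produces codes the verifier accepts, which is exactly the exposure the section describes. What matters, then, is how the secret is protected on the device and whether enrolling a new device forces a fresh phone-number check rather than silently copying the key.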
Hope the above article is useful to you!