True story: A senior citizen recently reached out to me for some help after she fell for a scam. I asked what happened and the first thing she said was: “I never shared my OTP.” Of course, working in fraud, we’ve all seen such memos before. One time, we were reviewing in how many of the cases where we had taken a claim the OTP was successful. This for us was a good proxy for the extent of OTP sharing involved in ATO cases in retail banking. “Lack of care” was the carefully coined trade jargon.
But to be fair, there are too many ways that OTPs are compromised, and not “shared”. In today’s blog I will enumerate the full bag of tricks.
- The sloppiest scammers social engineer the OTP out manually. In this case study we can rule it out.
- The next obvious option was the RAT or other screen sharing apps. These apps, which may be legit and useful to help desk technicians, are easily misused by scammers to capture the user’s screen.
- Along similar lines there are message forwarding apps too! To this line of questioning, she said she had not downloaded anything, not even .apk files. Period.
- The call forward scam? I wondered. Depending on the cellular service provider, there are key combinations that, when dialed, forward all calls to the number entered. Those could steal a Voice OTP. “Again,” she insisted, “I did not dial any keys on my phone.”
- The little cogs inside my head started turning up the higher tech options. The scammers use services (via the dark web/Telegram) where OTP bots extract OTPs from victims through IVR and turn them over in real time. “No,” she insisted. There was no IVR call she responded to as she was talking to the fraudsters.
- That by default rules out SIM swap, if the phone was active.
So how did they get the OTP?
- There are other ways to leak the OTP through the service provider. I had heard about spoofing of base stations to intercept OTPs from a podcast by #ScalingTrust.
- Wait, it was also possible that the bulk SMS vendor was compromised.
I was clearly entering analysis paralysis mode here. So I decided instead to review copies of the bank’s dispute form and the local police complaint.
I read the story scrawled on paper in a hurry. Okay, so that’s how they had the card number and CVV2. They asked her to take a picture of the front and back of the card while on video. But the OTP, how did they get that? Clink! The coin dropped for me. Elementary, my dear #fraudfighter.
- She was on a video call! The OTP no doubt dropped itself right into the scammer’s lap when she viewed it.
This Diwali, if, like me, you are spending time with the seniors’ team of your family, here are some tips to protect your elders.
[A] Help them turn off their settings to take video calls from unknown numbers.
[B] Turn off the on-screen notifications setting while screen sharing.
[C] Warn them to NEVER let their credit cards smile for any cameras.

