Last updated on January 16, 2022
Threat Level
High
Overview
You receive your OTP message from a local private number instead of from your authentication service provider.
It has further been reported that some of these SMS service providers have maliciously obtained user account details by pretending to be the user's usual authentication service provider. As a result, some social media accounts have been compromised.
Description
One Time Password (OTP) is a service that provides an extra layer of security for users. It is mostly used when accessing accounts and carrying out financial transactions, etc., to identify the real user of the account. When a service provider sends an OTP to a customer, it arrives as an SMS message, and the displayed sender name of that OTP message will be the actual service provider. E.g., if you request an OTP from Google, the sender of that OTP would be Google itself and you will receive a message from Google.
If you receive your OTP from a local private number instead of from your usual service provider's sender name, it means that the message has come through a third-party SMS provider. Such providers normally alter the content slightly, leaving the OTP code itself unchanged, and send it to the user through a private number. Please refer to the images below for examples.
There have been several reports about malicious third-party SMS gateway service providers who have attempted to obtain account details (user names, passwords, etc.) by continuing to communicate with customers while pretending to be the legitimate service provider, using the OTP message to build trust. Sri Lanka CERT has received numerous complaints of such compromised accounts; on investigation it was discovered that the account details had been provided to malicious third-party SMS service providers after the OTP was received.
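As an added example that is not part of the Sri Lanka CERT advisory, the following Python heuristic applies the page's two warning signs to a constructed inbox: an OTP-looking message that arrives from a bare phone number rather than a named sender, or one that asks for credentials. All senders, numbers and message bodies are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample inbox: (sender as displayed on the phone, message body).
SAMPLE_INBOX = [
    ("Google", "G-482913 is your Google verification code."),
    ("+94771234567", "482913 is your Google verification code. Reply for help."),
    ("FB", "Your Facebook code is 771204"),
    ("0712345678", "Hi, this is Facebook support. Your code is 771204. Send your password to confirm."),
    ("Mum", "Call me when you get home"),
]

# Words that mark a message as OTP-related, plus a 4-8 digit code somewhere in the body.
OTP_RE = re.compile(r"\b(?:otp|one.?time|verification|code|pin)\b", re.I)
DIGIT_RUN_RE = re.compile(r"\b\d{4,8}\b")
# A sender that is just a phone number (optionally with a leading +) rather than a name.
PHONE_NUMBER_RE = re.compile(r"^\+?\d{7,15}$")
# A genuine OTP message never asks the user to hand over a secret.
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(password|passcode|send\s+your|confirm\s+by\s+replying|reply\s+with)\b", re.I
)


@dataclass
class Verdict:
    sender: str
    looks_like_otp: bool
    numeric_sender: bool
    asks_for_credentials: bool

    @property
    def suspicious(self) -> bool:
        # Matches the advisory's pattern: OTP text delivered from a private number,
        # or OTP text that tries to obtain credentials.
        return self.looks_like_otp and (self.numeric_sender or self.asks_for_credentials)


def classify(sender: str, body: str) -> Verdict:
    looks_like_otp = bool(OTP_RE.search(body) and DIGIT_RUN_RE.search(body))
    normalized = sender.replace(" ", "").replace("-", "")
    numeric_sender = bool(PHONE_NUMBER_RE.match(normalized))
    asks = bool(CREDENTIAL_REQUEST_RE.search(body))
    return Verdict(sender, looks_like_otp, numeric_sender, asks)


def suspicious_senders(inbox):
    """Return the senders of messages that should be treated as untrusted."""
    return [sender for sender, body in inbox if classify(sender, body).suspicious]
```

A named sender ID is only a heuristic, since alphanumeric sender IDs are not cryptographically verified by the SMS network; the advisory's advice to prefer an authenticator app over SMS OTP still applies.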
Impact
- Potential risk of your online accounts, such as social media, email, online banking, etc., being compromised, in the event that you mistakenly disclose your account credentials or personal details to third-party SMS service providers who pretend to be your trusted OTP service provider.
- Financial loss
Solution/ Workarounds
- Use the authentication application developed by the service provider instead of OTP SMS, e.g., Google Authenticator, Facebook Authentication app, Microsoft Authenticator.
- If an OTP is essential, request it through a voice call rather than an SMS message.
- If you received an OTP message through a private number, change your password immediately and set proper account recovery options.
- Frequently change your passwords and set up proper account recovery options.
- Do not disclose any of your account credentials or personal details to third-party SMS providers or anyone else by any means (calls, SMS, emails, etc.).
Disclaimer
The information provided herein is on “as is” basis, without warranty of any kind.
Reference:
https://www.facebook.com/CERT.lk/photos/pcb.3968325383239265/3968323723239431/?type=3&theat
#REF: 115
#Released on: 09/05/2020
https://www.cert.gov.lk/alert_info.php?id=177