Could OTP security get any worse? Yes. Bots.
Bots are being used to automate the theft of one time passwords (OTPs) for account takeover (ATO) on mobile.
In the recent Motherboard article: The Booming Underground Market for Bots That Steal Your 2FA Codes the security vulnerability of using OTP over SMS for two-factor authentication is clearly exposed. Demonstrating a new level of ingenuity, cybercriminals are now using bots to target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks, to steal two-factor authentication one time passcodes, with the intent of account takeover.
With OTP bots, cybercriminals are upping their account takeover game. No longer content with the use of bots to automate the task of testing out huge volumes of stolen credentials in credential stuffing attacks, OTP bots take account takeover automation to a new level. With the use of OTP bots the risk of account takeover increases, since now apps using OTP over SMS as two-factor authentication can also be compromised. OTP over SMS is only creating the illusion of security.
Who is at risk from OTP bots?
In a recent Incognia mobile app friction study focusing on authentication methods used by leading fintech and banking mobile apps, the vast majority of apps (17 out of 20) still rely on OTP over SMS for two-factor authentication. This means that OTP bots pose a threat to many of the leading financial services apps.
How do these OTP bots work?
Using stolen usernames and passwords readily available on the Dark Web, cybercriminals are now using automated tools to contact users under the pretense that they are being contacted by the company. Using automated scripts delivered either via voice or text, the OTP bot requests the user to share the one time password being sent to them to verify the security of their account - instead the bot uses it to access and take over the user account.
Are users losing the fight to protect their accounts?
For users, the level of security expertise needed to stay safe online is only increasing. To protect against social engineering, users now need to be aware of not only cybercriminals but also automated bots. But is it reasonable to expect every user to be a security expert and are users to blame, or is it the companies who need to up their security game?
OTP over SMS is known to be vulnerable - so why is it still in use?
OTP over SMS has been known as a vulnerable method of two-factor authentication for some time. As early as 2016 NIST proposed “deprecating” OTP over SMS as a form of authentication in its draft SP 800-63 Digital Identity Guidelines, and took some heat for this suggestion. At the time, NIST addressed their security concerns with OTP over SMS in their NIST Cybersecurity blog as part of the public comment period:
“...security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse….It's not just the vulnerability of someone stealing your phone, it's about the SMS that's sent to the user being read by a malicious actor without getting her or his grubby paws on your phone. Because of the risks, we are discouraging the use of SMS as an “out of band authenticator” — which is, essentially, a method for delivering a one-time use code for multi-factor authentication.”
There was quite a bit of debate on NIST’s use of the word “deprecated” also explained in the blog post:
“Deprecation is standards-speak for “you can use this puppy for now, but it’s on its way out.” It’s a way of balancing the practicalities of today’s implementations with the needs of the future. While SMS is a popular and convenient option today, the security concerns of SMS as a second factor should be part of agencies’ decisions. Leveraging a SMS to mobile as a second factor today is less effective than some other approaches—but more effective than a single factor. This balancing act is difficult and inherently imperfect, which is why we propose changes to the community and seek comment before making guidance final. We proposed a deprecation rather than a removal in hopes of increased efficacy for agencies’ investments in upgrading existing systems and building new ones. It's up to agencies to make the risk-based decisions that best serve their constituents today and future-proof systems for tomorrow.”
In its final publication of SP 800-63-3 Digital Identity Guidelines NIST softened its position on OTP over SMS, moving away from “deprecated” to “restricted” citing the same security concerns.
Five years later, OTP over SMS is still in use, and still vulnerable. Why?
Why have companies not moved faster on upgrading their authentication methods? In many cases it is because with extra security comes extra friction, and for mobile users friction is the leading reason users switch services. However with the recent account takeover breach at Coinbase that leveraged the vulnerability in OTP over SMS, the priority for implementing stronger authentication has become an imperative.
There is however good news on the authentication front, in that new options are available that have zero friction for the user and high friction for fraudsters. Incognia is one of these new options that offer zero-factor authentication using location behavior and device intelligence to create a digital identity for mobile users that requires no action by the users. Unlike static credentials that can be stolen, Incognia’s digital identity is dynamic and constantly changing, making it extremely difficult for fraudsters to mimic or fake.
Kudos to Joseph Cox for his research and article on the use of bots to steal OTP codes. With this public exposure of the use of bots, it’s definitely time for the security industry to move on from OTP over SMS.
Please contact us to learn more about implementing Incognia zero-factor, zero-friction authentication.