Fraudsters can steal OTP now

The latest one that has hit several people in Bengaluru over the last couple of months is a malware that can automatically forward your SMS to the fraudster's phone.

By Author  |  Published: 23rd Jan 2019  11:54 pm
Online Fraud

Hyderabad: So the One Time Password (OTP) sent by your bank and comes only to your mobile phone makes your hard-earned money safe? It’s time to think again.

Fraudsters are coming up with newer ways to steal even the OTP. If the ‘Android.Bankosy’ malware two years ago could intercept voice calls and steal OTPs when banks sent the passwords via call-based systems, the latest one that has hit several people in Bengaluru over the last couple of months is a malware that can automatically forward your SMS to the fraudster’s phone.

The beginning of most of the cases reported in Bengaluru, according to various reports, was similar. The crooks stuck to their ‘conventional’ trick, posing as bank employees, calling up and saying it was time to update the target’s KYC details or renew his/her debit/credit card and surreptitiously take the card number and if possible the CVV too. The victims, who according to reports were mostly software employees, gave the details with the confidence that these details would not suffice to withdraw cash since they had enabled OTP-based transactions.

Once the crooks collected all the details, they would tell the would-be victim that they would get an SMS, and that they would have to click on the link and ‘confirm’ the details so that the process was completed. And this was where the trap was set.

Once the victim clicks on the link, the phone is infested with a malware, which automatically forwards all incoming SMS to the fraudster’s phone, including the OTP. This, along with the card/account details they have already collected, makes looting the victim easier than ever. Reports quoting the Bengaluru police indicate that crooks have stolen several lakhs from different accounts already.

Though the complete details of the new modus operandi are yet to come out, and with any such case yet to be reported from Hyderabad, cybercrime police units across the country are warning smartphone users to be alert.

And the advisory too, as of now, remains the same as that which one has to be follow to avoid falling prey to other similar debit/credit frauds, with the addition of one, and that is to be guarded against malware too. In addition, the Bengaluru Police have asked the public not to download apps such as My SMS, Any Desk and other unknown apps, which they say will help online crooks read your mobile content remotely.