IT Brief Australia - Technology news for CIOs & IT decision-makers
Story image
Now bots are robocalling to phish for two-factor authentication codes
Tue, 7th Feb 2023
FYI, this story is more than a year old

Most of us are familiar with two-factor authentication, or 2FA, as an additional security measure when logging in to various sites such as Google, Apple, Facebook, Microsoft, Amazon, and other popular websites and applications we use every day.

The idea is that in addition to providing a username and password, a user should provide an additional code or token provided by the website or app. This code is sent as a one-time password (OTP) via SMS or a token obtained from a mobile app like Google/Microsoft Authenticator.

Usually, they are valid for a short duration before a new token needs to be entered. Codes valid for a short time are also known as time-based OTPs (TOTP) and are commonly used when logging into websites and apps, or to approve a banking or financial transaction.

The idea behind 2FA and OTP tokens is that even if a user’s password is breached or stolen, an attacker still cannot access the user’s account without the second factor to authenticate the login. That second factor is usually obtained from an authenticator app on the account holder’s mobile or desktop device.

Recently, however, crooks and fraudsters have started using a phone phishing technique to make phone calls to their victims. It uses specialised bots sold on underground websites.

The technique poses as a security verification call from the website or app that the potential victim uses. It tricks them into providing the actual OTP or 2FA code sent by the website or app. This occurs immediately after the fraudster logs in and attempts a purchase or financial transaction via that portal.

How 2FA phishing works

The latest specialised bots now make it far easier and quicker for fraudsters to fool their targets into providing their authentication codes or OTPs. Again, a website or app the victim uses sends these codes. Using massive lists of breached and leaked login credentials and personal data available for sale on shady underground sites found on the dark web, nefarious parties first correlate these personal details to the victim’s name and mobile number.

They then activate the bot to robocall the victim from a fake caller ID number that purports to be from the victim’s bank or a payment service, like Stripe or PayPal.

These phishing bots sound just like the robotic-voiced customer service bots that we hear when calling our bank or other companies we often deal with. The phishing bot first enters the previously obtained login credentials for the victim’s account at the bank or payment processing website.

The bank or payment service then immediately sends an SMS OTP to the victim’s phone number, which the fraudster has already obtained from prior breaches and personal data leaks.

The bot then calls the victim and plays a legitimate-sounding message stating that the account holder must complete a ‘security verification’ by entering the OTP that the victim’s bank has just sent.

If the target is fooled and enters the legitimate OTP from the bank’s text message that the bot’s login attempt triggered, the fraudster logs in successfully, takes over the account, and quickly depletes it. This happens fast before the victim has an opportunity to alert the bank. If the victim uses an authenticator app rather than getting codes via SMS, the bot asks the victim to enter the code shown in that app.

How to prevent 2FA phishing

Although 2FA codes have helped significantly to reduce the incidence of fraud and account takeover, they are vulnerable to interception by specialised phishing bots now being sold on underground sites.

When a victim gets a phone call appearing to be from the bank, they can easily be tricked into giving up the 2FA code sent by the bank or another website. There is little chance of stopping the crime once it’s in progress.

While some enterprises now use push notification services like Okta to verify login attempts, most banks and other businesses still do not use them. And even if they do use such login confirmation apps, victims could still be defrauded if they are unaware of recommended online security practices.

As a result, phishing robocalls fool the victim, who approves the push notification received from the security app on their mobile devices. It’s all triggered by the fraudster’s login attempt into a bank or another company’s website or app.

The only foolproof way to prevent 2FA phishing bots is by implementing a dedicated bot management solution that detects bots accurately in real-time on a website or app. It prevents the initial login attempt by the fraudster’s bot.

A purpose-built bot mitigation solution analyses hundreds of data points and differentiates a bot from a human. It also leverages machine learning and artificial intelligence to detect each visitor’s intention. This includes phishing bots that enter correct login credentials and other types of bots programmed to execute various types of harmful attacks.

The next step

Reach out to the cybersecurity experts at a company such as my own. They will have made it their mission to protect customers against automated threats like bots. They will provide comprehensive protection of web applications, mobile apps and APIs. Also, try online assessments to learn how protected your organisation really is from bad bots.