5

Is there a credible scenario in which the OTP (One Time Password) for online credit card transactions ( specifically for Verified by Visa) can be bypassed?

Context: A guy I know was cheated via the usual social engineering routes (dumb I know!) into revealing his Credit Card details & a fraudulent transaction was made. The bank says an accurate OTP was entered and hence their liability ends. I tend to agree with them.

The victim OTOH insists that although he did give his Card Number, Expiry date & CVV to the phishers over the phone, he never gave them the OTP received via his cellphone SMS (text message). I find that hard to rationalize.

That's why I'm wondering if there really could be channels of attack that somehow defeat the OTP-SMS protection? The only possibility I could brainstorm is some variant of SIM card cloning.

What do people think? Know any exploit reports like this in the wild? (Normally I'd have not believed the victims insistence that he never revealed the OTP but I'm just playing devils advocate for a bit)

In case it matters, Verified by Visa uses a 4-6 digit OTP sent via text message & it is supposed to expire in 180 secs.

curious_cat
  • 1,013
  • 1
  • 11
  • 18
  • 1
    I know that for example with Facebook, you can generate 10 OTP Codes that can be used. Other than having your phone compromised, or the phone linked to another account it doesn't seem likely really. – KingJohnno Mar 03 '15 at 10:07
  • At least with my Credit Card's OTP system the moment you generate a new OTP the last one gets invalidated. At least, that's how it is supposed to work. I haven't stress tested the system much. :) – curious_cat Mar 03 '15 at 13:11
  • 1
    Verified by VISA is only required depending on the transaction amount - on my card for example, sometimes it doesn't ask for it at all, and for low amounts it only asks for my birth date. Did the bank actually confirm that an OTP was used, as opposed to a birth date or similar personal info ? –  Apr 29 '15 at 08:09
  • @AndréDaniel: This is a card / institution which insists on a Verified by Visa for every transaction. – curious_cat Apr 29 '15 at 14:40

4 Answers4

4

If your friend is telling the truth then there are a few different ways the attackers could have gotten the code:

  1. If the phone is a GSM it's possible they could have cloned his SIM and received his text messages that way
  2. Text messages are processed by systems called SMS-Cs - servers running software that handles text messages which are located in the cell provider's network. If the phishers managed to hack the SMS-C they could have access to every text message in the system
  3. His phone was hacked - phone malware could have given the phishers access to text messages on his phone
  4. An app on the phone leaked the information using permissions. On Android when you install an application it will pop up a message with all the access the app requires. Apps offering the most minor functionality sometimes request to access email, sms, contacts, photos, location, and browsing history - way more than required to do what they say. If you permit an application access to SMS messages it will be able to legitimately forward every SMS you send or receive to a third party. Most of the time this is done to sell to advertisers, however some of these applications are known to have been developed by criminals expressly for the purpose of identity theft and to assist in wider crime.

So it is entirely possible that your friend did not give the criminals the SMS details directly, instead it's quite likely that he gave them indirectly through the apps he installed.

GdD
  • 17,321
  • 2
  • 41
  • 63
  • 1
    If you clone a GSM SIM, is it possible to eavesdrop silently without detection? Or does the tower recognize the incongruity of two SIMs talking to it & flag it or at least keep dropping one SIM? Just curious. – curious_cat Mar 03 '15 at 12:57
  • Thanks for those scenarios BTW. After a little thought, #3 & #4 seem very likely. And he does use an Android phone so lots of app hacking opportunities. #1 sounds relatively unlikely. #2 might happen but if so I'm expecting a local epidemic of such reports. – curious_cat Mar 03 '15 at 12:59
  • 1
    SIM card copying seems to be pointed out frequently but I find it hard to believe that a phone network will happily accept an IMSI registering simultaneously from different places and even delivering an SMS to both places at the same time. I'm pretty sure this would raise many red flags on the carrier's side if it really happened and the person would at least know his SIM was indeed copied (and the carrier would most likely force him to change his SIM anyway).. –  Apr 29 '15 at 08:11
  • @AndréDaniel: I agree. THat's what I think too. – curious_cat Apr 29 '15 at 14:42
4

As OTP by SMS grows in popularity, there's a growing trend in malware to steal it.

For example, check out this report on NeverQuest. Once it infects your computer and steals all your other credentials, it shows a very professional looking page, apparently from your bank, asking you to download an app. And then of course, it steals your OTPs.

(PDF) https://devcentral.f5.com/d/neverquest-malware-analysis?download=true

If your friend insists that he was not asked to download an app, then the likely scenario is this:

  1. He downloaded an app that looked legit and required text message reading permissions.
  2. Once the app was running, it sent his phone number to the scammers.
  3. The scammers called him and asked for his details.
  4. The scammers logged in using his details.
  5. The bank sent your friend an OTP.
  6. The app forwarded it to the scammers and deleted the SMS from the phone.
  7. The scammers completed login using the OTP.

I've not heard of this method in use, but it would be very simple to implement. Much easier than Neverquest.

ColBeseder
  • 320
  • 3
  • 11
2

You should consider also that an attacker used IMSI catcher as a possible attack vector to get access to the mobile phone data.

IMSI catchers are essentially devices which imitate mobile phones towers in order to intercept calls and text messages. These devices can grab information such as the International Mobile Subscriber Identity, as well as phone calls and text messages.

Th government agencies and law enforcement can use these, but you can always buy one on the black market or build one yourself (if you know how to do it)

IMSI catchers hijack the phone's signal, and in some cases, intercept the contents of calls and texts. The IMSI catchers take advantage of a vulnerability built into the system. Phones using 3G or 4G technology can authenticate cell towers, but phones on older 2G systems cannot tell between real and fake towers.

An IMSI catcher blocks the smarter 3G and 4G signals, forcing mobile phones in the area to switch to the unsecured 2G service — something that phones also do routinely in more rural areas, where 2G service is widespread. The IMSI catcher then poses as a tower and "catches" signals.

Michal Koczwara
  • 1,580
  • 3
  • 15
  • 27
0

If it's a four-digit password and you get three tries to enter it, then three in every 10,000 attacks will succeed by trying random passwords. That doesn't sound like very much, but if every one of the 1 billion or so people with a credit or debit card were to be attacked in this way then there would be 300,000 people all telling stories like your friend's.

Mike Scott
  • 10,134
  • 1
  • 28
  • 35