Fraudster – Anonymous G on Beating 2FA and OTP

2FA (2-Factor Authentication) and OTP (One-Time Passwords) are supposed to boost authentication security.

In this podcast interview with an active fraudster, we found out they’re more of an inconvenience.

Financial institutions are some of the highest-risk industries when it comes to fraud. The reason? Accessing an account is the quickest way to get money.

This is exactly how Anonymous G, a fraudster we contacted on the dark web, makes their living. In this podcast interview, we asked them how they take control of existing accounts, and how they create new ones without being spotted.

SIM-Jacking Isn’t As Easy As It Used To Be

First, some good news. We’ve previously covered how SIM-Jacking or SIM-Swapping works (fraudsters call the telecom operator and ask to transfer the number to a new SIM card they own).

“At the beginning that was the method of calling the carrier and basically stealing someone’s items and using their identity and then acting like him on the phone saying that you lost your SIM card or you’re out of the country and you need to redirect SMS and phone calls. Due to the lack of communication from companies, this was a way to perform some really big fraudulent attacks on many of the online businesses out there.”

It turns out that telecom companies are growing increasingly wise to the practice.

“So definitely, that’s something that telecom companies are being more cautious about. They try to add some extra steps for verification of the real SIM cardholder. However, there are still several methods to steal someone’s password and basically, these are related to phishing attacks.”

… But You Can Replace it With Phishing Techniques

So how do fraudsters manage to receive the right SMS at the right time? Good old phishing.

“So, what you do is fool the real account holder into purchasing some service, which requires a specific OTP. Then you do real-time scraping for that specific passcode or code which they receive via SMS or email. You can then use that OTP without accessing someone’s profile.”

This sounds complex and sophisticated enough, but businesses also have an extra verification step, which could completely foil fraudsters’ plans.

“Some businesses actually add some more measures. For example, when you actually purchase something after accessing that account or depositing or withdraw, they do one more round of verification. They actually send another email saying explicitly that you are trying to withdraw money to an account or trying to wire money somewhere. So definitely, that makes it much harder but many businesses don’t do that.”

Onboarding As a New User Can Be Easier Than ATO

“If you are not thinking about an account takeover, then you are creating an account. This means you are onboarding, and many online platforms require you to use a phone number to verify yourself. This is the easiest challenge to solve because there are numerous providers out there that can supply you with brand new and fresh phone numbers that can receive SMS with the OTP. You can use different apps like the Burner app, which you can download from Play Store or App Store and some other apps, which just give you a second number.”

…Especially If You Can Replicate Legitimate Behaviour

Fraudsters are well aware of how anti-fraud works. They know it’s an obstacle, but mainly when they try to automate their attacks. When performing targeted exploit, they can take their time:

“We all know this industry‘s tricks and when we perform an accounting attack, we don’t instantly do a lot of things at the same time. We know that there should be different delays, timeframes, we to try to mimic a real behaviour, how a person would act. The problem is when you try not just to win once a day, but win once a minute and that requires automation. Which requires investment in technology and developing the right toolset for an activity. You can scam someone once and do once a day, but the aim is to make the most money in the shortest time.”

Key Takeaway – Some Protection Methods do Work, But Fraud Still Gets Through

There is some good and bad news to take home from this interview. On the one hand, some fraud preventions definitely work. MFA (multi-factor authentication) does add an obstacle that could deter the less determined fraudsters. This is especially true when you get more than an OTP, and also combine it with an email confirmation (for a withdrawal or money transfer).

The other good news is that telecom operators have finally grown wise to the problem of SIM-swapping.

But there are still issues when it comes to phishing scams. Fraudsters are forced to be more creative with how they access customer information, including OTP and 2FA passwords. Yes, they do increase the challenge, but also add friction for legitimate users, and can result in higher false positives.

Once again, prevention is about combining education and detection. We hope SEON can at least help with the latter.

You might also be interested in reading about:

Learn more about:

Data Enrichment | Browser Fingerprinting | Device Fingerprinting | Fraud Detection API | Fraud Detection with Machine Learning & AI