How Does One Time Password Hijacking Work?

Introduction

In a world where two-factor authentication (2FA) has become widespread and popular, a secure authentication process is still vulnerable. The main cause of this is the widely used one-time password (OTP) over SMS and OTP over email two-factor authentication methods.

TeamPassword is a convenient and efficient way to store and share team logins and passwords to ensure trouble proof and secure business project management and protecting your assets. To get started click here to sign up for a 14-day free trial

What is OTP?

A one-time password (OTP) is a part of two-factor authentication. Generally, an OTP is several digits that a service sends to the phone or email of a user as a text message or is generated by an authenticator app. The user needs to enter these digits on the service side as an additional security layer to prove his identity.

Often users choose 2FA via SMS as a convenient and hassle-free way. But they don't know how many vulnerabilities this method has. Using these vulnerabilities, attackers can hijack an account, which means they can gain full control over it. Below we will look at how hackers can gain control of an account and how to prevent it.

OTP via SMS Hijacking

SMS-based 2FA method has several serious security drawbacks. Here is why you shouldn't be using OTP via SMS two-factor authentication and give preference, if possible, to another authentication method. 

Lock screen notifications -  - criminals can stealthy look at a locked phone's screen to get OTP codes.

SIM Basics - Subscriber Identity Module (SIM) contains information about user phone numbers, cellular vendor information, and other info. SIM cards can be stolen and used by intruders in their phones to receive SMSs or calls.

SIM Swapping - SIM information is often stored and transferred digitally. Criminals can transfer this information to their phones using trojans on the victim's phone or obtain information from the vendor’s tech support applying social engineering hacks. With this information on hand, hackers can disconnect the victim’s phone from the mobile network. 

SS7 Attacks - OTP codes can be intercepted by criminals, who take advantage of severe security flaws in SS7 message transmission protocol.

While many services offer password reset via SMS messaging, considering the aforementioned disadvantages, hackers can hijack a user account, take full control over it and restrict access of the account. 

Even if you use an authenticator app, hackers can send you an SMS, stating that there is suspicious activity on a certain service, and you must send an SMS in response to the code generated by the application. This code will be intercepted by cybercriminals for further access to the service. 

OTP via Email Hijacking

If criminals get control over a particular email account by SS7 attack, phishing attack, or credentials leakage, they can use this compromised email account for further malicious purposes. In a case when an email account is mentioned as the main email in email-based recovery methods, hackers can hijack several different service accounts easily.

There are also cases where an automated bot calls its victims, alerts them about unauthorized activity on the account, and prompts them to enter an OTP generated by the authenticator app. This code is then transferred back to the scammers and they use it to hijack an account. 

How to Prevent Hijacking

The following steps can help you prevent service account hijacking:

Use long passwords - Passwords must contain 8 characters or more (lowercase, uppercase letters, digits, and special symbols). It defends an account from brute force attacks.

Apply different passwords for different services - This can help prevent credentials leakage if one of the services gets compromised.

Change passwords periodically - By regularly changing your passwords, it can help avoid account hijacking in case of a service database leak.

Use a password manager - Encrypted password storage prevents thefts by trojans.

Update OS and programs - Developers continuously improve security issues, and by using the latest software, you’ll be safeguarded against dated hacking methods. 

Beware of phishing emails and text messages - Don’t click on suspicious links. Hackers can steal credentials when you enter them on a fraudulent site.

Only use sites with SSL certificates - Try to only visit websites with a trusted SSL certificate that provides site authentication, enables encrypted connections,  and avoids sensitive data interception during a man-in-the-middle attack.  

Disable lock screen notification - This can help eliminate the risk of criminals peeping at your OTP.

Protect SIM card by PIN - This helps prevent unauthorized SIM usage in the case of phone or SIM card theft.

Do not use SMS-based applications - App data can’t be as easily passed to a 3rd party without your knowledge. That prevents easy SIM-swapping attacks.

Try to avoid email-based and SMS-based recovery methods - These methods are vulnerable to account hijacking.

Type the OTP directly into browsers - Never send back codes via SMS  and don't enter the codes from the prompt during a phone call. Reliable services don't provide these options for authentication.

Try to use trusted authenticator apps or U2F hardware authenticators when it is possible - This helps to avoid weaknesses of 2FA via SMS and 2FA via email methods.

Conclusion

Using 2FA methods is still more reliable than not using it at all. Use two-factor authentication if the service provides that authentication option. Employ program security solutions for credentials storage and persistently improve your network security knowledge and awareness to protect your data and accounts. 

TeamPassword offers the best software for password generation and management. To learn more - sign up for the free 14-day trial today.