Hackers had the banking customer’s login and phone number.
When they would log in to the bank, the service otp.agency would robocall the customer saying that someone was fraudulently accessing their account which was insidiously true, but then the resolution was false, the service would ask them to enter their one time passcode that was texted to them by the actual bank.
This is funny because SMS could already be intercepted via SS7 and is inherently insecure for one time passcodes that banks swear by, but this service wasn't doing that.
I'm convinced that the standard form of these text messages is wrong. A (legitimate) example I received recently read
Your CorpName verification code is 305825. Do not share this code. CorpName will never call you for this code.
It's clear CorpName is trying to defend against this exact sort of attack in the last two sentences, but it's boilerplate we've all seen many times before. Who reads it anymore? The bigger problem is unaddressed: "ABC verification code" is vague. This is security information devoid of security context.
A better written message would read,
A computer in Seattle, WA is logging into your account on the CorpName website. If this is you, enter 384909 to authorize.
Or,
A wire transfer of $300 to X has been requested using your debit card ending in 9934. To authorize the transfer, enter 468909.
I think asking people for authorization without atomically telling them what they're authorizing is properly viewed as a type of vulnerability.
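As an added illustration of the point above (example code, not from the thread or any bank), here is a hypothetical context-bound one-time-code flow: every code is issued for one specific action, the SMS text states that action in plain words, and verification succeeds only for the exact action the code was issued for. The store, the action dictionaries, the brand name "CorpName" and the wording of the messages are all constructed for this example.

```python
import hmac
import secrets
import time

# Hypothetical in-memory store of pending authorizations, keyed by user id.
# Each entry records the action the code was issued for, so the same digits
# are useless for any other action: the binding is "atomic" in the sense the
# comment describes.


def describe(action):
    """Render a constructed, human-readable description of what is being authorized."""
    if action["type"] == "login":
        return (f"A computer in {action['location']} is logging into your account "
                f"on the {action['brand']} website.")
    if action["type"] == "transfer":
        return (f"A transfer of ${action['amount']:.2f} to {action['payee']} has been "
                f"requested using your card ending in {action['card_last4']}.")
    raise ValueError("unknown action type")


def issue_code(store, user_id, action, now=None, ttl=300, code=None):
    """Issue a six-digit code bound to `action` and return (code, sms_text).

    `now` and `code` can be injected for testing; in production leave them None so
    the code comes from the OS CSPRNG and the expiry from the wall clock.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}" if code is None else code
    store.setdefault(user_id, []).append(
        {"code": code, "action": action, "expires": now + ttl, "used": False}
    )
    message = (f"{describe(action)} If this is you, enter {code} to authorize. "
               f"{action['brand']} will never call you for this code.")
    return code, message


def verify_code(store, user_id, action, code, now=None):
    """Accept `code` only if it is unexpired, unused, and was issued for this exact action."""
    now = time.time() if now is None else now
    for entry in store.get(user_id, []):
        if entry["used"] or entry["expires"] < now:
            continue
        if entry["action"] != action:
            # Code exists but was issued for a different action: reject.
            continue
        if hmac.compare_digest(entry["code"], code):
            entry["used"] = True  # single use
            return True
    return False


if __name__ == "__main__":
    store = {}
    login = {"type": "login", "brand": "CorpName", "location": "Seattle, WA"}
    code, sms = issue_code(store, "alice", login)
    print(sms)
    transfer = {"type": "transfer", "brand": "CorpName", "amount": 300.0,
                "payee": "X", "card_last4": "9934"}
    # A code read out for a login is rejected when presented to authorize a transfer.
    print("transfer with login code accepted:", verify_code(store, "alice", transfer, code))
    print("login with login code accepted:", verify_code(store, "alice", login, code))
```

The design choice worth noting is that the action is part of the stored record and of the verification call, not just of the message text: a customer talked into reading the code aloud has handed over something that authorizes exactly the action named in the SMS and nothing else, and the message makes that action visible at the moment of decision.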
The funny thing is: most banks that I've experienced will plaster warnings all over the SMS and apps not to give this information to someone who calls you etc.
The issue is that people are afraid (to lose their money) and aren't educated about the risks, and who/what they should pay attention to, so they hand it over anyway.
I think it works because banks have nonsensical security already
Even if you are educated, you’re still confronted with insecure security measures and stonewalled by the customer service agent that’s asking you to complete a measure, until you complete it
Getting a call with another nonsensical security measure would be onbrand
> I think it works because banks have nonsensical security already
Like FirstDirect changing the password requirements for their app from the already far from best practice "between 5 and 9 case-sensitive alphanumeric" down to "6 digits" and making a show and dance about this being "just as secure as before"…
Suffice it to say that I've spread my financial resources a bit more widely than that one organisation now (and I'm considering a more complete move, but a lot of the competition is no better). I want there to be more than my unlocked phone and give digits between the bulk of my money and anyone who wants access to it.
This is just so messed up. I’ve spent so much time trying to teach the more vulnerable people in my life how to protect their accounts, only to have their f’n bank call them up and ask them to do the exact opposite.
Yeah, my bank hasn't done it in a while, so I'm hoping they've sorted themselves out, but it happened a lot years ago.
They'd call me to confirm a payment and ask me to identify myself; it wasn't even a payment I was making at that moment. At least now with the current tech it's done via the app etc. at point of sale.