Scammers plead guilty to running an OTP scam site

By David Brooks

Three men have pleaded guilty to running a subscription-based web service in the UK that allowed criminals to bypass fraud controls using one-time passcodes (OTPs).

This content was selected, created and edited by the Finextra editorial team based on its relevance and interest to our community.

Criminals were charged a monthly subscription fee for a service that helped them socially engineer bank account holders into revealing real one-time passwords or other personally identifiable information.

A basic package priced at £30 per week made it possible to bypass multi-factor authentication on platforms such as HSBC, Monzo and Lloyds, allowing criminals to carry out fraudulent online transactions.

An Elite plan cost £380 per week and gave access to Visa and Mastercard verification sites.

Cyber investigators from the UK Criminal Investigation Agency began investigating the website in June 2020 and believe over 12,500 people were targeted between September 2019 and March 2021, when it was taken offline following the trio’s arrest.

It is not known how much money the group made from the company, but estimates suggest it would have been around £30,000 if users bought the basic plan and up to £7.9 million if they opted for the elite package.

Anna Smith, operations manager of the NCA’s National Cyber Crime Unit, said: “The trio profited from these serious crimes by running www.OTP.Agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites that pose a threat to people’s livelihoods.

“We also urge everyone who uses online banking services to be vigilant.”

First introduced in the 2000s as a multi-factor authentication option to strengthen online security, one-time passwords are increasingly being questioned.

Banks in Singapore, for example, will phase out their use in favor of digital tokens for logging into bank accounts.

Mastercard is also piloting a new Payment Passkey service in India to replace OTPs with biometric authentication measures.
