Sri Lanka CERT has issued a “High” threat warning for malicious One Time Password (OTP) SMS messages originating from local private numbers instead of the respective authentication service providers (e.g. banks).
Full warning message of SL CERT
Receiving OTP via a Local Private Number
Threat Level – HIGH
Overview
You will receive your OTP message from a local private number instead of from your authentication service provider.
Description
One Time Password (OTP) is a service which provides users with an extra layer of security. It is mostly used when accessing accounts, carrying out financial transactions, etc. to identify the real user of the account. When a user requests an OTP, it arrives as an SMS message and the sender of that OTP will be the actual service provider. For example, if you request an OTP from Google, the sender of that OTP would be Google itself and you will receive a message from Google.
If you receive your OTP from a local private number instead of from your service provider, it means that the message has come through an unauthorized third party who has access to your OTP messages. They normally change its content slightly, except for the OTP code, and send it to the user through a private number. Please refer to the images below for examples.
Impact
Loss of access to your online accounts such as social media, emails, online banking, etc.
Financial loss
Solution/Workarounds
Use an authentication application developed by service providers instead of OTP SMS.
Ex: Google Authenticator, Facebook Authentication app, Microsoft Authenticator, etc.
If the OTP is essential, request it through a voice call rather than an SMS message.
If you received an OTP message through a private number, change your password immediately and set proper account recovery options.
Disclaimer
The information provided herein is on “as is” basis, without warranty of any kind.
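
The indicator described in the advisory, an OTP arriving from a local private number rather than a named service provider, can be checked over an exported SMS inbox. The following is an added example, not part of the SL CERT advisory; the Sri Lankan mobile number format (+94 7X XXXXXXX / 07X XXXXXXX), the OTP keyword list and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: Sri Lankan mobile numbers are +94/0094/0 followed by 7 and 8 digits.
LOCAL_MOBILE = re.compile(r"^(?:\+94|0094|0)7\d{8}$")
# Assumption: an OTP message carries a keyword plus a 4-8 digit code.
OTP_KEYWORD = re.compile(
    r"\b(?:otp|one[- ]time|verification code|passcode|security code)\b", re.I)
OTP_CODE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")
NUMERIC = re.compile(r"\+?\d+")

def normalize_sender(sender):
    """Strip spacing/punctuation from numeric senders; keep named sender IDs."""
    compact = re.sub(r"[\s\-()]", "", sender)
    return compact if NUMERIC.fullmatch(compact) else sender.strip()

def classify(sender, body):
    """Return 'not-otp', 'suspicious', 'review' or 'named-sender'."""
    if not (OTP_KEYWORD.search(body) and OTP_CODE.search(body)):
        return "not-otp"
    s = normalize_sender(sender)
    if LOCAL_MOBILE.match(s):
        return "suspicious"      # OTP relayed from a local private number
    if NUMERIC.fullmatch(s):
        return "review"          # short code or foreign number: check manually
    return "named-sender"        # alphanumeric ID; expected, but not proof of origin

def flag_suspicious(messages):
    """Return the (sender, body) pairs matching the advisory's indicator."""
    return [m for m in messages if classify(*m) == "suspicious"]

# Constructed sample inbox (not real messages or real numbers).
SAMPLE_INBOX = [
    ("Google", "G-482913 is your Google verification code."),
    ("+94 71 234 5678", "Your OTP is 482913. Do not share it."),
    ("0771234567", "Use 9054 as your one-time password."),
    ("0771234567", "Running late, will call you at 5."),
    ("8822", "Your OTP is 123456"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_INBOX:
        print(f"{classify(sender, body):13} {sender!r}: {body}")
```

A "suspicious" result is the trigger for the advisory's workaround: change the account password immediately and review the account recovery options.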