Filter resources

Blog

Understanding the Risks of Unprompted One-Time Passcodes in Cybersecurity

In the dynamic world of cybersecurity, understanding the implications of receiving an unprompted one-time passcode (OTP) is crucial. This occurrence often signals a significant security threat: the potential theft of your credentials. Typically, cybercriminals acquire these credentials through various methods, including phishing, credential stuffing, information-stealing malware, or social engineering attacks. What happens once stolen credentials are obtained […]

2 minutes read

David Kasabji

Principal Threat Intelligence Engineer

Understanding the Risks of Unprompted One-Time Passcodes in Cybersecurity – featured image

In the dynamic world of cybersecurity, understanding the implications of receiving an unprompted one-time passcode (OTP) is crucial. This occurrence often signals a significant security threat: the potential theft of your credentials. Typically, cybercriminals acquire these credentials through various methods, including phishing, credential stuffing, information-stealing malware, or social engineering attacks.

What happens once stolen credentials are obtained

Once acquired, these stolen credentials open doors to numerous malicious activities. Attackers may use them to infiltrate corporate networks, engaging in data theft, espionage, or launching ransomware attacks. In the consumer sphere, these credentials enable financial fraud on online retail accounts. The existence of marketplaces where stolen consumer accounts are traded, sometimes for as little as 1 EUR, exacerbates the issue. These marketplaces include accounts from major retailers like Amazon, Marriot Bonvoy, Dunkin, and Instacart.

Implementing MFA to help combat credential theft

To combat this, many companies have implemented multi-factor authentication (MFA). MFA adds an extra layer of security, requiring a secondary form of verification, like an OTP via email or text, a passcode from an authenticator app, or a hardware security key to access an account. This measure significantly hinders unauthorized access, even if your credentials are compromised.

Unprompted MFA

However, receiving an OTP without initiating a login attempt is a critical red flag. Such instances suggest that someone else is trying to use your credentials. It’s imperative to change your password immediately in these scenarios and apply the same change to any other accounts sharing the same password. Relying solely on MFA for protection is a risky strategy, as there have been instances where attackers bypassed MFA. Moreover, while SMS and email for 2FA provide added security, they are also the most vulnerable to attacks, such as SIM swapping. In such cases, attackers gain control over your OTPs, potentially resetting your passwords without your knowledge.

Better MFA Methods

A safer alternative is using authentication apps, hardware security keys, or passkeys, which require physical access to your device. This adds an extra hurdle for attackers in overcoming multi-factor authentication challenges. Cybersecurity and User Experience do not always go hand-in-hand, or rather never do. However, it is up to your threat model and risk assessment which measures you might take to protect your credentials.

Adversary-In-The-Middle Attack (AiTM): A novel way to evade MFA

In the vast realm of cyber threats, a relatively newer but impactful method has emerged: Adversary In the Middle (AiTM) attacks. AiTM attacks have recently become more popular as organizations started…

Read
About the author

David Kasabji

Principal Threat Intelligence Engineer

David began his career as a software developer at NXP Semiconductors in Austria, where he was hired after completing his degree in electrical engineering (FERI). Early in his career, he became interested in cryptography, and his passion led him into the fields of encryption, security, and cybersecurity. At NIL, he began his career as a security analyst. After more than five years of experience at the same company, he became a lead security intelligence analyst. David’s work includes data analysis and engineering, malware reverse engineering, developing TTPs, publishing R&R content, and advising clients on investments in cybersecurity.

David Kasabji

Principal Threat Intelligence Engineer

Recent Blog posts

Related

Resources