Time to switch from SMS OTPs – Sim-swap, OTP Phishing based account takeovers?

SIM swapping occurs when someone contacts your wireless carrier and is able to convince the call center employee that they are, in fact, you, using your personal data.
Upon a SIM-swap, the attacker can receive OTPs and impersonate for an account takeover.

Further, SMS OTPs also suffer from OTP-Phishing as they are bearer tokens — One who intercepts or takes into OTP-divulging can impersonate for an account takeover leading to 81% of data breaches and online fraud.

They do this by using data that’s often exposed in hacks, data breaches, or information you publicly share on social networks to trick the call center employ into switching the SIM card linked to your phone number, and replace it with a SIM card in their possession.

Once your phone number is assigned to a new card, all of your incoming calls and text messages will be routed to whatever phone the new SIM card is in.

Several sim swap attacks have resulted in serious financial fraud:  One victim of a SIM swap attack is Robert Ross, who claims he had one million dollars stolen from him after an AT&T customer service representative was tricked into redirecting Ross’s number to a cellphone under the control of a hacker.


A Healthcare hospital lost $20K with the same sim-swap attacks as noted here

This leaves us with a question of, are we better-off with software/app-based Oath OTPs such as Google authenticator etc. The answer is “no”, with several of the tools such as Modlishka, Evilngnx and Muraen available to do a real-time proxy of the submitted OTPs. This is due to the fact that legacy OTPs (from Google authenticator) are bearer-agnostic and as such be intercepted and spoofed as depicted below.

The Bearer-aware credential-based authentication does the job of securing against any such sim-swaps, spoofing and phishing (including real MiM proxy ) attacks with no additional hardware expense with excellent ROI within a year.

For more info, please schedule a demo with us.

Want to know more on No-Passwords, hacker-safe magic login codes?