
How Does One Time Password Hijacking Work and How Can You Avoid It?


Human activities and interactions are rapidly happening online. The digital space offers convenience and quick service and is a favorite place for customers to transact and interact with businesses. Unfortunately, heavy financial losses are being recorded with hackers and cybercriminals stealing user identities and details. In 2020, the United Kingdom lost 159.7 million pounds to online banking fraud. In the United States, over $756 million was lost to payment and bank transfer fraud in 2021. 

To combat this problem, businesses are implementing various forms of multi-factor authentication (MFA) to add layers of security. The best-known MFA factor is the One-Time Password (OTP): a short random code, generated for a single login or transaction, and delivered by SMS, email, or an authenticator app. Unfortunately, hackers still find ways around OTPs. 

In this article, we will look at how secure One-Time Passwords are, the tricks hackers use against them, and tips to prevent OTP fraud.

Can One-Time Passwords Be Hacked?

As with most security measures, there are loopholes to exploit. Broadly, OTP attacks work in one of two ways. Either the attacker intercepts the code on its way to you, for example with malware planted on your phone that reads incoming SMS, or by taking over your phone number, or you are deceived into handing the code over yourself. 

Unfortunately, victims may not know immediately that their accounts have been compromised. Signs such as a sudden loss of cellular service or OTPs that stop arriving can indicate that your phone number has been taken over. 

How Secure are One Time Passwords from Attack? 

OTPs were introduced as an additional layer of security for online transactions: a code generated for a single login or transaction is worthless once used or expired, so a stolen password alone is not enough to get in. In practice, though, hackers have found ways to obtain the OTPs sent to customers’ phones and email inboxes. 

Human weaknesses and technological loopholes have eroded the security of One-Time Passwords. The FBI has highlighted this problem and recommended adding other factors, such as biometric authentication, to multi-factor authentication to provide a stronger layer of security. 

In a nutshell, even though OTPs are better than static passwords alone, they are still susceptible to attack. 

Problems and Vulnerability of One-Time Passwords over SMS


As Forbes cybersecurity expert Zak Doffman said, “The greatest benefit with SMS is also its greatest weakness… It works across all apps and platforms and doesn’t rely on any specific ecosystem… But behind the façade, the SMS system over which these codes are sent is wide open.” 

SMS One-Time Passwords are by far the most common form of two-factor authentication. Despite that, the SMS channel itself has weaknesses that leave the codes sent over it open to compromise. Let’s look at some of them. 

SIM Swap Issues 

A SIM swap moves a victim’s phone number onto a SIM card controlled by the attacker, without the victim’s knowledge. Cybercriminals have perfected this by calling the network provider, impersonating the customer and claiming the SIM was lost or misplaced, so that the provider activates a replacement SIM that the attacker holds. From that moment, every SMS OTP meant for the victim is delivered to the attacker, who can reset the account password, transfer money out of the account, and even request debit cards and loans in the victim’s name. In 2021 the Federal Bureau of Investigation (FBI) reported that $68 million was stolen through SIM swap fraud in the United States. 

Signaling System No. 7 defects 

Signaling System No. 7, or SS7, is the protocol suite that lets telecom networks set up calls, route SMS, handle call forwarding and roaming, and exchange other signaling between operators. It was designed in an era when the only parties on the network were trusted carriers, so signaling messages between networks are not authenticated, and SMS traffic carries none of the end-to-end encryption that modern messaging apps use. Hackers have exploited this design flaw for years: anyone who gains access to the SS7 network can have a subscriber’s calls and messages diverted to themselves. Intercepting messages this way lets criminals capture SMS OTPs on their way to the users’ phones. 

Social engineering tricks 

Cybercriminals also get around SMS OTPs by simply tricking the recipient into revealing the code. This is known as smishing: phishing carried out over SMS. 

So how does it work? 

The attacker sends the customer an SMS, usually posing as the bank or a familiar service, containing a link to a fake website. A customer who clicks the link is directed to a web form and asked to enter personal information such as a social security number, account PIN, or the OTP that the real bank has just sent. Because the code is relayed to the attacker while it is still valid, the attacker can complete the login or transaction the code was meant to protect. Another variant is for the fake website to install malware on the user’s phone, which then harvests incoming messages and other sensitive data. 

Smishing has caused heavy losses to both customers and financial institutions. In 2020, the Bank of Ireland was forced to refund over €800,000 to customers who fell victim to smishing. Using an OTP verification service to verify codes server-side can help businesses limit this problem.


Late delivery issues 

A common complaint from users of SMS or email OTPs is how slowly the code arrives. Often the message is delivered after the code’s validity period has passed; sometimes it never arrives at all. Late or missing codes disrupt time-sensitive transactions, especially in emergencies. Slow or congested networks are usually the cause. In developing countries, where mobile coverage is patchy outside the cities, this can put users off digital finance apps altogether. 

High cost of sending One-Time Passwords

The financial institution bears the cost of every SMS sent to validate a transaction. SMS rates vary between providers and countries, and for a company with millions of customers performing millions of transactions the bill is substantial. Because delivery is not guaranteed, customers often have to request the code again, so a single transaction can end up costing several messages. While SMS OTPs are an effective way to secure transactions, they come at a real cost to banks. 

Methods Hackers Use to Bypass Two-Factor Authentication

Cybercriminals are getting more sophisticated in their attempts to get past the second factor. Which methods do they use to bypass 2-step verification? Let’s look at the most common ones.


Brute force

If at first you don’t succeed, keep trying. That is the mantra of cyber thieves bypassing 2FA by brute force: submitting guesses until one is accepted. A numeric OTP has a tiny keyspace. A four-digit code has only 10,000 possible values and a six-digit code one million, far fewer than an alphanumeric password of the same length. If the service does not cap the number of attempts per code and lets the code stay valid for a long time, an automated script can try every combination before the code expires. 
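The following is an added example, not code from the original article or from any particular bank or OTP provider. It shows the keyspace arithmetic behind the brute-force attack, then runs the same enumeration against two hypothetical verifiers: a naive one that accepts unlimited guesses, and a hardened one that expires the code, caps guesses, compares in constant time, and accepts a code only once (the time-based, single-use property the article recommends later). The sample code value and the attempt cap and lifetime are illustrative assumptions.

```python
import hmac
import time
from itertools import product
from typing import Callable, Optional, Tuple

DIGITS = "0123456789"
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def keyspace(length: int, alphabet: str) -> int:
    """Number of distinct codes of `length` characters over `alphabet`."""
    return len(alphabet) ** length


def guess_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, space) / space


class NaiveOtpVerifier:
    """How not to verify an OTP: unlimited guesses, no expiry, reusable code."""

    def __init__(self, code: str) -> None:
        self.code = code

    def verify(self, guess: str) -> bool:
        return guess == self.code


class HardenedOtpVerifier:
    """Single-use code with a short lifetime and a cap on guesses.

    `clock` is injectable (default: wall clock) so expiry can be tested
    deterministically. The 300 s lifetime and 3-attempt cap are assumptions.
    """

    def __init__(self, code: str, ttl_seconds: int = 300, max_attempts: int = 3,
                 clock: Optional[Callable[[], float]] = None) -> None:
        self.code = code
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock or time.time
        self.issued_at = self.clock()
        self.attempts = 0
        self.consumed = False

    def verify(self, guess: str) -> bool:
        if self.consumed or self.clock() - self.issued_at > self.ttl:
            return False                      # already used, or expired
        if self.attempts >= self.max_attempts:
            return False                      # locked out: issue a fresh code instead
        self.attempts += 1
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.consumed = True              # accepted at most once
            return True
        return False


def brute_force(verifier, length: int = 4, alphabet: str = DIGITS) -> Tuple[Optional[str], int]:
    """Submit every code of the given length in order.

    Returns (accepted code or None, number of guesses submitted).
    """
    attempts = 0
    for combo in product(alphabet, repeat=length):
        attempts += 1
        guess = "".join(combo)
        if verifier.verify(guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    code = "7342"  # constructed sample code; a real one comes from a CSPRNG
    print("4-digit numeric keyspace:", keyspace(4, DIGITS))
    print("6-char alphanumeric keyspace:", keyspace(6, ALNUM))
    print("P(success) with 3 guesses at a 4-digit code:",
          guess_probability(keyspace(4, DIGITS), 3))
    print("naive verifier:", brute_force(NaiveOtpVerifier(code)))
    hardened = HardenedOtpVerifier(code)
    print("hardened verifier:", brute_force(hardened),
          "guesses the server actually evaluated:", hardened.attempts)
```

Against the naive verifier the loop finds the code on guess 7,343; against the hardened one the attacker submits all 10,000 guesses but only the first three are evaluated and none succeeds. The attempt cap matters more than the code length: with three guesses per code, a four-digit OTP is guessed once in 3,333 attempts, and each failed lockout is a signal worth alerting on.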

Open authorization (OAuth) 

Some apps need your consent or authorization before they can operate fully on your device, for instance access to your location, contacts, media files, or SMS messages. Hackers abuse this with malicious apps that request such permissions: once granted, the app can quietly read every incoming SMS, including OTPs, and forward them to the attacker. The same idea applies to OAuth consent screens on the web. When you authorize a third-party application, it receives a token that lets it act on your account without ever needing your password or a second OTP. Either way, the attacker bypasses 2FA and gains broad access to the user’s data. 

Session hijacking 

When you log in to an online platform, whether for social media or financial transactions, the server issues a session cookie that identifies you for the rest of the session, so you do not have to re-enter your password and OTP on every request. Whoever presents that cookie is treated as you. If a digital robber steals it, by sniffing unencrypted traffic, through a script injected into the page, or with malware on your device, they take over the session while you are still active in it, without ever needing your password or OTP. Hijacking is much easier when the server does not mark the cookie Secure (so it can be sent over plain HTTP) and HttpOnly (so page scripts can read it). 
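To make the bearer-token nature of a session concrete, here is an added example (not code from the article or from any real service). It models a server that issues a session id only after both the password and the OTP pass, shows that a copied cookie is accepted without either, and audits constructed Set-Cookie headers for the Secure, HttpOnly and SameSite attributes and the __Host- prefix. The cookie names and values are made up.

```python
import secrets
from typing import Dict, List, Optional


class SessionStore:
    """Minimal model of server-side sessions.

    The session id is a bearer token: it is issued only after the password
    AND the OTP check pass, but afterwards the server trusts whoever sends it.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, user: str, password_ok: bool, otp_ok: bool) -> str:
        if not (password_ok and otp_ok):
            raise PermissionError("password or OTP check failed")
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable
        self._sessions[sid] = user
        return sid

    def whoami(self, cookie_value: str) -> Optional[str]:
        """What the server believes about a request carrying this cookie."""
        return self._sessions.get(cookie_value)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def audit_set_cookie(header: str) -> List[str]:
    """List the protections missing from a Set-Cookie header.

    Secure   : cookie is only sent over HTTPS, so it cannot be sniffed.
    HttpOnly : page scripts cannot read it, so XSS cannot exfiltrate it.
    SameSite : Lax/Strict stops cross-site requests from carrying it.
    __Host-  : prefix browsers accept only with Secure, Path=/ and no Domain,
               so a sibling subdomain cannot overwrite the cookie.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()

    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite") not in ("lax", "strict"):
        missing.append("SameSite=Lax or Strict")
    if not name.startswith("__Host-"):
        missing.append("__Host- prefix")
    return missing


# Constructed sample headers, not captured from any real service.
WEAK_HEADER = "Set-Cookie: sessionid=3f9a2c1be7; Path=/"
HARDENED_HEADER = ("Set-Cookie: __Host-sessionid=3f9a2c1be7; Path=/; "
                   "Secure; HttpOnly; SameSite=Strict")


def demo_hijack() -> Optional[str]:
    """Alice logs in with password + OTP; an attacker who copies her cookie is Alice."""
    store = SessionStore()
    alice_cookie = store.login("alice", password_ok=True, otp_ok=True)
    stolen_cookie = alice_cookie           # sniffed, read by XSS, or lifted by malware
    return store.whoami(stolen_cookie)     # "alice": no password or OTP needed


if __name__ == "__main__":
    print("weak cookie is missing:", audit_set_cookie(WEAK_HEADER))
    print("hardened cookie is missing:", audit_set_cookie(HARDENED_HEADER))
    print("attacker presenting stolen cookie is treated as:", demo_hijack())
```

Run the audit against your own application’s login response: anything reported missing is an avenue for the theft described above. Note that even the hardened header does not stop malware on the device; for that, short session lifetimes and re-prompting for the OTP before sensitive actions are the remaining defenses.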

Access to generated tokens 

Some financial apps rely on third-party authenticator apps, such as Google Authenticator and Microsoft Authenticator, to generate codes for validating logins and transactions. The codes are computed on the phone from a secret shared at enrollment, so nothing travels over SMS. To prevent lockouts when the phone is lost, the service usually issues a set of one-time backup codes as well. Hackers can use these if the user keeps them in an unprotected place, such as a screenshot or a plain-text note, and the shared secret itself is at risk if the enrollment QR code is kept around. 
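As an added example (not the article’s code, nor that of Google or Microsoft), the block below implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that authenticator apps use, checked against the published RFC test vectors, and a store for single-use backup codes that keeps only hashes so a database leak does not expose usable codes. The backup code format (two groups of four hex characters) and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import List, Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to `digits` digits."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or one `window` steps either side, to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


class BackupCodeStore:
    """Single-use recovery codes, stored only as hashes (like passwords)."""

    def __init__(self) -> None:
        self._hashes: Set[str] = set()

    @staticmethod
    def _normalize(code: str) -> str:
        return code.replace("-", "").replace(" ", "").lower()

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, count: int = 8) -> List[str]:
        """Generate `count` codes. The plaintext is returned once and never stored."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(4)               # 8 hex chars, 32 bits
            codes.append(f"{raw[:4]}-{raw[4:]}")
            self._hashes.add(self._hash(raw))
        return codes

    def redeem(self, code: str) -> bool:
        """True exactly once per valid code; the hash is deleted on use."""
        h = self._hash(self._normalize(code))
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False


# The RFC 4226 / RFC 6238 test secret, used here only to check the implementation.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                        # 755224
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))    # 94287082
    store = BackupCodeStore()
    codes = store.issue()
    print("backup codes (show once):", codes)
    print("first redeem:", store.redeem(codes[0]), "second redeem:", store.redeem(codes[0]))
```

The whole security of TOTP rests on the shared secret staying on the phone and the server; anyone who copies the enrollment QR code can generate the same codes forever, which is why a leaked screenshot of it is as bad as a leaked backup code list.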

How to Avoid OTP Fraud: Tips & Best Practices


From the above, you can see that 2FA does not make your accounts immune to hacking. However, you can greatly reduce the risk of OTP attacks with these tips. 

Use alpha numeric codes

Whether it is the passcode that unlocks your device or the OTP a service issues, longer codes drawn from letters, digits and symbols are far harder to guess than the usual four-digit number. Never use your year or date of birth as a passcode; it is among the first things an attacker tries. 

Change your password often

Keeping the same login details for a long time gives a leaked password a longer useful life. Hackers are always on the prowl and keep trying to bypass the OTPs that protect credit card transactions. Businesses that rotate passwords for staff and business email accounts, and change them immediately after any suspected leak, are less likely to fall victim to business email compromise. 

Don’t reuse codes

Codes should be time-based and single-use: valid only for a short window and rejected once they have been used. Equally, avoid using the same password or login details for all your accounts. Hackers know that most people lazily reuse credentials, so one leaked login is tried against every other service the victim uses, and with the same password everywhere one breach opens all of them. 

Utilize biometrics and other authentications.

Biometric mechanisms such as fingerprint readers are far harder to bypass remotely, since the attacker would need a copy of your fingerprint rather than just a code. Additional signals like biometrics and geolocation give users stronger safeguards.

Be cautious

Be vigilant whenever you receive an unsolicited SMS asking you to act on it. Do not reply to the number or follow the link in the message; instead, confirm through a channel you already trust, such as your bank’s 2-way text messaging support line, the number on your card, or the official app, whether the message really came from your bank or online service provider. If you click a link in such an SMS, you may land on an OTP phishing site built to collect your code and other details. 

Another prudent move is to be alert whenever your device suddenly loses network service for no apparent reason. It can be a sign that your number has been moved to another SIM; contact your carrier immediately. 

Follow digital security trends.

Don’t be ignorant of what’s happening. Keep up to date with the tricks hijackers use. Cybersecurity experts regularly inform the public of new hacking schemes and how to keep your accounts from falling victim. 

Wrapping up 

Securing your online accounts and the One-Time Passwords sent to you is a continuous process. SMS OTP has real flaws, but it remains the easiest and cheapest form of MFA to deploy: SMS needs no internet connection or smartphone, so every mobile phone can receive it. Combined with the safeguards above, it is still a practical way for businesses to protect their customers’ transactions. 

If you are still reading this piece, it means you are interested in implementing SMS OTPs for your business. You don’t have to go too far; BSG offers you the platform to design your SMS OTP service through our SMS API. We also provide a bulk SMS service, so you can handle servicing your customers worldwide.
