Owners of 1-Time Passcode Theft Service Plead Guilty
Three men in the UK pleaded guilty to operating OTP Agency, which intercepted one-time passcodes from over 12,500 victims. The National Crime Agency investigated and arrested them amid ongoing security risks.
Three men in the UK have pleaded guilty to operating OTP Agency, an online service that facilitated the theft of one-time passcodes (OTPs) used for two-factor authentication. Launched in November 2019, the service allowed scammers to intercept OTPs by tricking victims into providing their codes through automated phone calls. The National Crime Agency (NCA) reported that the service targeted over 12,500 individuals during its 18-month operation. The guilty parties include Callum Picari, the main operator, along with Vijayasidhurshan Vijayanathan and Aza Siddeeque. Following a February 2021 article that exposed their activities, the operators attempted to shut down the service but quickly resumed operations under a new Telegram channel. The NCA began investigating OTP Agency in June 2020, leading to the arrests of the trio. Despite the closure of OTP Agency, similar services continue to operate, posing ongoing risks to online security. The NCA advises individuals to be cautious of unsolicited calls regarding potential fraud and to verify account statuses directly with their financial institutions.
- Three men pleaded guilty to running OTP Agency, a service for intercepting one-time passcodes.
- The service targeted over 12,500 individuals during its 18-month operation.
- The operators attempted to shut down the service after being exposed but resumed operations shortly after.
- The National Crime Agency began investigating OTP Agency in June 2020, leading to the arrests.
- Similar OTP interception services remain active, continuing to pose security risks.
Related
Identity Verification Used by X, TikTok, and Uber Exposed Driver's Licenses
An identity verification firm, AU10TIX, exposed login credentials, risking access to sensitive data like driver's licenses. Despite claims of prompt revocation, functional credentials were found. AU10TIX partners with major platforms.
WA man set up fake free WiFi at Australian airports and on flights, police allege
A man in Western Australia was arrested for creating fake wifi networks at airports and flights to steal personal data. He faces cybercrime charges for setting up deceptive networks to collect users' information. Police advise caution and cybersecurity measures.
Criminal gangs who 'shoulder-surf' pin numbers steal '20 smartphones a day'
Criminal gangs exploit pin numbers through "shoulder-surfing" to steal smartphones for financial app access. Mobile banking fraud rises by 62%, urging public awareness and protective measures against increasing threats.
Second Factor SMS: Worse Than Its Reputation
Security researchers accessed 200M 2FA-SMS messages, exposing a flaw in IdentifyMobile's system used by Google, Amazon, and Facebook. CCC recommends more secure authentication methods due to significant risks.
Banks in Singapore to phase out SMS OTP in 3 months
Singapore's major banks are replacing OTPs with digital tokens to combat evolving scams. MAS mandates the shift for enhanced security, urging prompt activation by customers from banks like DBS, OCBC, and UOB.
Unrelated, but at the start of the year, a lot of Payoneer customers from Argentina lost their savings in the platform* due to someone having access to the OTP codes. Payoneer said the error wasn't on their side, and evidence suggested that it was an error in Movistar, because all the victims were customers of that particular telco. As far as I know, Payoneer didn't return the money and Movistar was never charged or anything (rumours say it was a Movistar employee who sold SMS with the OTP).
And if you ask why a lot of Argentine people use Payoneer and keep their savings there, it's a bit long to explain, but basically it is their way to get paid in USD outside the country without paying taxes (fair and unfair ones) and without getting their payments converted automatically to ARS pesos using a bad rate.