/security

News and resources on cyber and physical threats to banks and fintechs worldwide.

Fraudsters plead guilty to operating OTP scam site

Three men have pleaded guilty to operating a subscription-based Web service in the UK that enabled criminals to circumvent One-Time-Passcode (OTP) anti-fraud checks.

  0 Be the first to comment

Fraudsters plead guilty to operating OTP scam site

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Criminals were charged a monthly subscription fee which helped them socially engineer bank account holders into disclosing genuine one-time-passcodes, or give other personally identifiable information.

A basic package costing £30 a week allowed multi-factor authentication to be bypassed on platforms such as HSBC, Monzo, and Lloyds so that criminals could complete fraudulent online transactions.

An elite plan cost £380 a week, promising access to Visa and Mastercard verification sites. Mastercard and Visa systems were not compromised as a result of the criminality.

Cyber investigators from the UK's national Crime Agency began probing the website in June 2020 and believe over 12,500 members of the public were targeted between September 2019 and March 2021, when it was taken offline after the trio were arrested.

It is not known how much money the group made from the venture but estimates show it would have been around £30,000 if users purchased the basic plan and up to £7.9 million if they had opted for the elite package.

Anna Smith, operations manager from the NCA’s National Cyber Crime Unit, says: “The trio profited from these serious crimes by running www.OTP.Agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people’s livelihoods.

“We would also urge anyone using online banking services to be vigilant."

First introduced in the 2000s as a multi-factor authentication option to strengthen online security, the use of one-time-passcodes is increasingly being called into question.

Banks in Singapore, for example, are to phase out their use in favour of digital tokens for bank account login.

Mastercard is also rolling out a new Payment Passkey service in India as a pilot to replace OTPs with biometric authentication measures.

Sponsored [Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates

Related Company

Comments: (0)

[On-Demand Webinar] Global Workforce Payments: Mastering a world of complexityFinextra Promoted[On-Demand Webinar] Global Workforce Payments: Mastering a world of complexity