Three men have pleaded guilty to operating a subscription-based Web service in the UK that enabled criminals to circumvent One-Time-Passcode (OTP) anti-fraud checks.
Criminals were charged a monthly subscription fee which helped them socially engineer bank account holders into disclosing genuine one-time-passcodes, or give other personally identifiable information.
A basic package costing £30 a week allowed multi-factor authentication to be bypassed on platforms such as HSBC, Monzo, and Lloyds so that criminals could complete fraudulent online transactions.
An elite plan cost £380 a week and granted access to Visa and Mastercard verification sites.
Cyber investigators from the UK's national Crime Agency began probing the website in June 2020 and believe over 12,500 members of the public were targeted between September 2019 and March 2021, when it was taken offline after the trio were arrested.
It is not known how much money the group made from the venture but estimates show it would have been around £30,000 if users purchased the basic plan and up to £7.9 million if they had opted for the elite package.
Anna Smith, operations manager from the NCA’s National Cyber Crime Unit, says: “The trio profited from these serious crimes by running www.OTP.Agency and their convictions are a warning to anyone else offering similar services; the NCA has the ability to disrupt and dismantle websites which pose a threat to people’s livelihoods.
“We would also urge anyone using online banking services to be vigilant."
First introduced in the 2000s as a multi-factor authentication option to strengthen online security, the use of one-time-passcodes is increasingly being called into question.
Banks in Singapore, for example, are to phase out their use in favour of digital tokens for bank account login.
Mastercard is also rolling out a new Payment Passkey service in India as a pilot to replace OTPs with biometric authentication measures.