Two-Factor Authentication (2FA) has been a hurdle for cybercriminals. Unfortunately, hackers have found a way to bypass this security mechanism by obtaining the security code sent to the user. They use an AI-powered OTP robot to achieve their goals. Let’s dive into the details.
In recent years, Two-Factor Authentication has become a standard on online platforms. This security mechanism adds a second authentication factor to access your accounts. In addition to the traditional password, you must provide a code delivered via SMS, email, or through an application like Google Authenticator. This mechanism protects your account even if your password has been compromised. Many internet users have adopted this additional layer of protection. A 2021 Cisco study shows that nearly 80% of users use 2FA to protect themselves from cyberattacks. Not surprisingly, 2FA is most often set up for accounts considered sensitive, such as bank accounts. In 85% of cases, users choose to receive a code via SMS. According to Cisco, 2FA is an effective protection against « common threats. »
Unfortunately, cybercriminals have found ways to bypass Two-Factor Authentication. According to Kaspersky, hackers have developed phishing tactics to bypass this online security standard. In other words, scammers have devised « methods to get users to reveal » the authentication code usually sent via SMS. With this code and compromised credentials, hackers can access the account. Attackers will first obtain your credentials. They can retrieve data from a database leaked online. Experts have noted a significant increase in data breaches in the early months of the year. According to a Surfshark study, data breaches worldwide increased by 435% in just one quarter.
Hackers can also steal your information during a phishing attack. With the collected data, they will try to log into the targeted account, triggering the sending of a security code via SMS. The user will receive an unsolicited code via text message. A convincing robot to deceive users To obtain this valuable code, cybercriminals use an OTP (One-Time Password) robot. This robot will call the victim on the phone number receiving the login code. The phone number may have been obtained beforehand through a data leak. The robot will pretend to be « a representative of a trusted organization, » according to Kaspersky. It will follow a pre-written script to persuade the target to provide the security code received on their smartphone. Hackers have a variety of different scripts tailored to their needs. « These are the calls scammers rely on because verification codes are only valid for a limited time. And a message can go unanswered for a while, » explains Kaspersky. To lower the victims’ guard, robots can mimic the « tone and urgency of a legitimate call, » « impersonate the identity of different organizations, operate in multiple languages, and even choose between a male and female voice. » Not surprisingly, all voices are generated by generative artificial intelligence. Cybercriminals heavily rely on AI to enhance their tactics.
Organizations whose identity can be impersonated include banks, payment systems, online stores, cloud services, delivery services, cryptocurrency exchange platforms, and email services. They can even impersonate an organization’s phone number. Seeing an official number on their smartphone, users are likely to fall into the cybercriminals’ trap. According to Kaspersky, the robot will then transmit the code to the cybercriminal. With the credentials and security code, the attacker can log into the targeted account. Many OTP robots are available on online criminal markets or Telegram channels frequented by hackers. Offered through a subscription (starting at $140 per week), these offers often come with « 24/7 technical support. » Furthermore, setting up the robot, which often involves Telegram, is straightforward. You don’t need to be a computer expert or code anything to program the robot.