Fraudsters Admit Guilt in Running One-Time Password Scam Website

Three men have pleaded guilty to operating a subscription-based web service in the UK that allowed criminals to bypass One-Time Passcode (OTP) anti-fraud checks.

Criminals paid a monthly subscription fee to socially engineer bank account holders into revealing their genuine one-time passcodes or other personally identifiable information. A basic package, costing £30 a week, facilitated the circumvention of multi-factor authentication on platforms such as HSBC, Monzo, and Lloyds, enabling fraudulent online transactions. An elite plan priced at £380 a week promised access to Visa and Mastercard verification sites, although these systems were not compromised in the scheme.

Cyber investigators from the UK’s National Crime Agency began investigating the website in June 2020 and believe that over 12,500 individuals were targeted between September 2019 and March 2021, when the operation was taken offline following the arrests of the trio. While the exact earnings of the group from this venture remain unclear, estimates suggest that they could have made approximately £30,000 from users choosing the basic plan, and up to £7.9 million from those opting for the elite package.

Anna Smith, operations manager from the NCA’s National Cyber Crime Unit, stated, “The trio profited from these serious crimes by running www.OTP.Agency, and their convictions serve as a warning to anyone else offering similar services. The NCA has the capability to disrupt and dismantle websites that pose a threat to individuals’ livelihoods. We also encourage anyone using online banking services to remain vigilant.”

Since their introduction in the 2000s as a form of multi-factor authentication, the reliability of one-time passcodes has increasingly come under scrutiny. For instance, banks in Singapore are set to phase out OTPs in favor of digital tokens for account logins. Additionally, Mastercard is piloting a new Payment Passkey service in India, which aims to replace OTPs with biometric authentication methods.