Why do People Share their OTP's?

OTP’s are an example of what is called 2FA (2-factor authentication), i.e., two independent steps to confirm something. Logging into the bank’s website isn’t safe enough – what if someone else stole your ID and password? And so the RBI mandated 2FA in 2008 – a second check, the OTP, would be sent to your registered mobile number. The odds that someone hacked your bank account (digital theft) and also got your phone (physical theft) were very low.

 

Banks send periodic reminders that one should never reveal the OTP, even to the bank. It is just something to be typed on the website. Yet, in The Art of Conjuring Alternate Realities, Shivam Shankar Singh and Anand Venkatanarayan point out that in Gurgaon, despite its well-off and educated population, OTP sharing by the victim is the most common mode of cyber-crimes. What is going on?

 

First, the authors point out that a large section of the population cannot differentiate between: (1) Public identifiers (name, phone number); (2) Private identifiers (debit card number); and (3) Secrets (OTP, CVV). So many don’t even understand that they shouldn’t be sharing the OTP.

 

Here’s how cybercriminal works. He has already hacked your account, but he needs the OTP to authorize the funds transfer.

 

In the first approach, he calls and threatens the target: your account will get locked due to KYC non-compliance, but you can fix the problem if you share the OTP just sent (which of course, was the OTP the bank sent for confirming the funds transfer)… This approach works best with relatively uneducated folks.

 

In the second approach, the caller plays to the victim’s greed. You are eligible to this reward or cash back, if you just share the OTP, the gift will be sent to you. This way works more with better off folks who are used to cash backs…

 

But there’s another reason why many people are confused about OTP’s. The humble OTP is used for so many different things today, not just bank transactions. And in many of those uses, one has to tell the OTP orally. To the delivery boy before he hands you the item from Amazon or Big Basket. Or to the Uber/Ola driver that you’re the one who booked the cab. There are even gyms that don’t issue I-cards – you just tell your phone number to the guard; he initiates an OTP to be sent; which you then read out to him - identify confirmed, he lets you in.

 

No wonder then many people truly don’t know when they should or shouldn’t share the OTP. And therein lies the opportunity for the cybercriminal.

 

OTP is an excellent security mechanism indeed. Unfortunately, it’s part of an endless cat and mouse game in the (cyber) world.

Comments

Post a Comment

Popular posts from this blog

Student of the Year

Image
As a toddler, my daughter loved Alia Bhatt’s songs, esp. the ones from Student of the Year . (That movie did have many good songs and well-choreographed dances). Fast forward to present day, when she is 12 yo. She rarely watches Hindi movies now, but one of the few ones she likes of late, Raja aur Rani ki Prem Kahani has, yes, Alia Bhatt.   If I had any hopes that there was anything to be read in the name of her toddler-time favorite ( Student of the Year ), they have been dashed. Our conversations come exam time are perfectly captured by this photo and its caption: In fact, the pic below captures how she and I look at her answer sheets – me intently, she with an expression of “It’s over, so why are you even looking at it?”   Of late, we pull her leg and tell her that she isn’t showing any signs of academic prowess, she’d better find a rich guy to marry. Some time later, she showed us this meme on the Internet: “Me No Study, Me No Care Me Go Marry Millionaire If He Die
Read more

The Retort of the "Luxury Person"

Image
Coming up with biting and witty retorts. It’s something we dream of, but rarely manage to pull off. Worse, the more we stew over the offending remark, the more likely we are to come up with that dream retort, as Calvin ruefully points out: During our last holiday at the Taj Resort, seeing my wife carrying towels to our poolside chairs, one of the kids there mistook her for a member of the staff and asked for a towel. When my wife narrated this to us, I did not imagine that my 8 yo daughter would come up with her own retort. But a day later, my daughter recapped the incident, an incident that didn’t even involve her in the first place , and said, “You know what I’d have told that kid who asked for the towel?”. And without waiting for an answer, she told us anyway: “I don’t work here. I too am a luxury person who is living at this resort. Go get your own towel.” We were highly amused by the phrase she had coined: “luxury person”. It certainly captures the kind of holid
Read more

Animal Senses #7: Touch and Remote Touch

Instinctively, we think touch is based on contact. Not entirely true, explains Ed Yong in Immense World – there’s a more important aspect than contact: “These incredible feats are possible through movement. If you rest a fingertip upon a surface, you can get only a limited idea of its features. But as soon you’re allowed to move, everything changes. Hardness becomes apparent with a press. Textures resolve at a stroke.” As you run your fingers over a surface, they hit the tiny peaks and troughs and set off vibrations in the mechanoreceptors at their tips.   At the tip of its snout, the star-nosed mole has many pairs of hairless appendages. It uses them to touch things around itself. Alive or dead? Food or ignore? It does these movements at an insane speed. In the time it takes to blink our eyes, the star-nosed mole can probe, identify and swallow its food. “Light may be the fastest thing in the universe, but light sensors have their limits, and the star-nosed mole’s sense of
Read more