A lot of us end up securing our online accounts using SMS One Time Passwords (OTP) as a second-step security measure. Our banks also use SMS OTP to protect online payments.
Fool-proof security?
We’d argue that since the phone is with us at all times, it should be secure! But what if someone told you that hackers could intercept your messages without even having your phone, just by knowing your number?
They exploit a “bug” in a global protocol called Signaling System 7 (SS7), introduced in 1975, which all telecom providers use to set up calls and messages and bill the right subscriber. It’s also how your telecom provider knows how to reach your phone whether you’re at home or out of the country. Unfortunately, this flaw in the protocol has been around for more than 40 years.
Telecom providers have been reluctant to address this problem, since they figure the flaw can be exploited only if a hacker has access to a telecom company’s infrastructure. Recently, a group of hackers attacked the German telecom service provider O2-Telefonica and were able to intercept SMS OTPs and drain accounts at banks around the world.
Here’s a video created by a security researcher which shows how he gains access to a Bitcoin account that is protected by SMS OTP.
How can you protect yourself?
Where possible, set up and use a software OTP app like Google Authenticator or Authy. Most online services offer a second-factor option that lets you use a software authenticator like these.
Since our Indian banking system relies on SMS OTPs to protect our accounts and money transfers, one security measure is to have a secondary number which you use only to receive OTP messages. Don’t publish or give away this phone number anywhere, online or offline. It’s not a fool-proof method, but if no one knows this number, they can’t target its messages for interception. All this assumes the bank itself doesn’t end up leaking the number.