One-time password (OTP), a commonly used two-factor authentication, is considered an effective deterrent against criminals trying to steal money from your bank account through online transaction. Not any more.
There has been a large number of cases in which criminals duped bank customers into revealing OTP or accessed it by hacking the smartphone. But now they have found another way to bypass the OTP deterrent — by requesting your bank to change your phone number linked to your bank account. A criminal can just walk into a bank, impersonate you, request a change in your registered mobile number and use the new connection to receive OTPs for transactions.
A resident of Janakpuri in Delhi has been duped by criminals who withdrew Rs 11.5 lakh from his current account recently in the same manner, according to a TOI report.
According to police, on August 31, two persons arrived at a bank and one of them impersonated the account holder. They requested a change in the registered mobile number and filled in the prescribed form. Once the new mobile number was registered, they carried out online transfers from the victim’s account using the OTPs sent to the new phone number. The Rs 11.5 lakh withdrawn in this manner was transferred to six different accounts held in a bank in Dwarka and then withdrawn through ATMs and cheques. After the crime, the mobile phone on which the OTPs were sent was switched off.
Police scanned footage of CCTV cameras in the bank and got the bank employees to give details of the accounts used in the fraudulent transactions. Police tracked one of the criminals to Jharkhand through technical surveillance. The role of bank employees is also being probed.
Impersonation is a quick and simple way to carry out an OTP fraud. Another way criminals can dupe a bank customer is to contact mobile operator with fake identity proof and get a duplicate SIM card. The operator deactivates the original SIM and the criminals generate OTP on the new number and conduct online transactions.