Two-factor authentication faces new security threat from OTP bots


Beware of being tricked by bots asking for your one-time passwords in order to log in to your online accounts. — AFP Relaxnews

A new breed of malicious bots is capable of stealing the one-time passwords (OTPs) from online two-factor authentication systems by calling their victims directly. These fully configurable intelligent agents can now be purchased over the Internet by would-be scammers.

Two-factor authentication involves adding at least one extra step to the log-in process for an online account. This can take several forms, including a temporary unique code sent by SMS. In theory, this system makes it much harder for hackers to access your accounts, even if they have your password.

According to a recent report from the antivirus solutions provider Kaspersky, hackers have managed to bypass the system, using advanced phishing techniques and automated tools. It all starts with the acquisition of the future victim's login details. This can be done via leaked personal data purchased on the dark web. Scammers then use so-called OTP bots, malicious computer programs specially designed to steal one-time passwords.

The hacker uses the stolen credentials to attempt to log in to the victim's account. The victim then receives a one-time password on their phone. The malicious bot then calls the victim and automatically follows a pre-prepared script to encourage them to share the code. Hackers can also set the bot's language and voice (male or female) in advance. When the victim types the code on the phone without interrupting the call, it is transmitted to the hacker, who simply has to enter it to connect to the service in question.

To protect yourself against these scams, take care never to click on links in suspicious SMS messages or emails, and of course never share your one-time passwords. When in doubt, it's best to go directly to the relevant platform to enter your details.

In theory, two-factor authentication can be “cracked”, but it remains one of the safest ways, along with passkeys, to avoid having your online accounts hacked. – AFP Relaxnews
