Complaints galore over malicious OTPs: CERT|CC

• Do not disclose account credentials or personal details to third-party SMS providers or anyone else by means of SMS, calls or emails

Sri Lanka CERT|CC said it received a number of complaints regarding One Time Password (OTP) messages from unidentified local private numbers. 

It was reported that some of these SMS service providers had maliciously obtained user account details under the guise of their usual authentication service provider. As a result, some of these social media accounts have been compromised. 

OTP is a service that provides an extra layer of security. This is mostly used when accessing accounts and carrying out financial transactions to identify the real user of the account.  When a service provider sends an OTP to a customer, it comes as an SMS and the displayed sender name of that OTP will be the actual service provider. For instance, if you request an OTP from Google, the sender of it would be Google itself. 

Sri Lanka CERT|CC advises the public not to disclose their account credentials or personal details to third-party SMS providers or anyone else by means of SMS, calls or emails. Furthermore, it informs people to frequently change their account passwords and set up adequate account recovery options.