A ‘High category threat’ warning had been issued by CERT over receiving of One Time Password (OTP) from a local private number, instead of from ANY authenticated service provider.
While issuing a warning today, the Computer Emergency Readiness Team/Co-ordination Centre (CERT|CC) said an OTP is a service which users are provided with an extra layer of security and mostly used when accessing accounts while carrying out financial transactions to identify the real user of the account.
When a user request for an OTP, it comes as an SMS message and the sender of that OTP will be the actual service provider.
“If a user requested an OTP from Google, the sender of that OTP would be Google itself and you will receive a message from Google,” the CERT|CC said.
“If a user receives an OTP from a local private number, instead of from your service provider it means that the message has come through an unauthorized third person who has access to your OTP messages. They usually change its content slightly except the OTP code and send it to the user through a private number.
Accepting wrong OTPs would the loss of access to online accounts such as social media, emails, online banking, etc. and may incur financial losses
The CERT|CC requests users to use authentication application developed by service providers such as Google, Facebook app, Microsoft instead of OTP SMS.
“If an OTP is essential, request it through a voice call other than an SMS message,” they said.
“However, if a certain person received an OTP message through a private number change your password immediately and set proper account recovery options,” an official of CERT said. (Chaturanga Samarawickrama)