Abusing OTP To Hack BML Accounts
2021-09-25 . Written by fishie
IF YOU'RE INTERESTED IN THE VIDEO VERSION, IT'S ON MY YOUTUBE
INTRO
Now I'm just going to start off by saying that this issue is not limited to BML. The same method works against almost any other service that uses OTP in the same way.
To find the issue with OTP we first have to look at how the hack works.
We are going to skip past the entry point method I use in the video, because the entry point is not relevant: many different ways can be used to pull off the same hack and abuse the OTP.
What we are going to look at is the point where the user receives the OTP code. When a user gets an OTP code, they are not told what that code is about to authorise. This is one of the main flaws in how OTP is deployed. If an attacker sets up a system that completely emulates the original server, the user is not at fault for falling for it: from their side the site behaves like the real one, and the OTP really does arrive from the real bank. When OTP was introduced it was a great way to combat phishing. It basically made a stolen password useless, because even with the login details nobody can get in unless they also have access to the OTP. But with OTP now being used for everything from login to password reset to transfers, and the user not being told which code is for what, it is easy to trick a user into submitting an OTP that authorises one operation (a login, or a transfer) while they think it is the OTP to reset their password.
HOW IT'S DONE
The way this attack works is by first setting up a clone of the original site and then, in the backend, connecting it to the original site's API and passing on any details you get to that API. Once the original site asks for an OTP, the code is sent to the user, and the fake site asks the user for the OTP as well. This is a mix of a phishing attack and a MITM attack: the attacker holds a real session with the bank while the victim holds a session with the attacker.
                login & OTP (relayed via API)
user ------------> attacker ------------> actual server
  ^                                             |
  |____________________ OTP code _______________|
This is basically the same as someone building a fake ATM around a real ATM: the fake shell pretends to be the real machine, while snooping on the user's details as they pass through to the real one inside.
HOW THE BML HACK VERSION WORKS
Fake site asks the user to log in.
User logs in.
Login data is sent to the fake website.
Fake website makes an API call to the bank with the user's login details.
If they are valid, the fake site sends the user to an OTP page and at the same time makes an API call to the bank requesting a transfer.
Bank sends the user an OTP (which is actually for the transfer).
User gives the OTP to the fake website, thinking it is for a password reset.
Fake website takes the OTP and sends it to the bank API to confirm the transfer.
Account is drained and the user doesn't even know it.
The only trail left behind is the IP of the fake website that made the API calls and the account the money was sent to, both of which can be set up in a way that is very hard to trace if the attacker knows what they are doing.
Conclusion
OTP is a pretty good solution to password leaks, but when it is not handled well it opens itself up to a mutated version of the same phishing attacks we had before it was introduced. Basically we are going in circles: a security method is introduced that is stronger than the old one, and then a new, more technical version of the attack is developed to bypass it.
The funny thing about this method is how easy it is to fix, because BML already sends a message to the user when the card is used, with all the details of the transaction. If the same is done for OTP, so that the message says what the code authorises (for a transfer, the amount and the destination account) instead of just the bare code, the issue would mostly fix itself. Not completely, since a user can still ignore what the text says, but it would make this attack a lot harder to pull off. On the server side the code should also only be accepted for the operation it was issued for, so that a login or reset code can never confirm a transfer.
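As an added example that is not part of the original post and not BML's API, the following Python simulation plays out the flow from HOW THE BML HACK VERSION WORKS and then the fix from the conclusion. The same fake "password reset" site is run against a bank whose OTP text is a bare code, and against one whose text states what the code authorises and which binds each code server-side to the operation it was issued for. The bank backend, the username, password, balance, mule account number and SMS wording are all made up for the simulation.

```python
import re
import secrets
from dataclasses import dataclass, field

PURPOSES = ("login", "reset", "transfer")


@dataclass
class Challenge:
    code: str
    purpose: str    # the one operation this code may confirm
    details: dict   # e.g. destination and amount of a transfer


@dataclass
class Bank:
    """Made-up bank backend. descriptive_sms=False sends the bare 'Your OTP is ...'
    text the post complains about; True states what the code authorises."""
    descriptive_sms: bool
    balances: dict = field(default_factory=lambda: {"alice": 50_000})
    passwords: dict = field(default_factory=lambda: {"alice": "hunter2"})
    sessions: dict = field(default_factory=dict)  # token -> username
    pending: dict = field(default_factory=dict)   # token -> Challenge
    outbox: list = field(default_factory=list)    # SMS texts "delivered" to users

    def login(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def issue_otp(self, token, purpose, details):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[token] = Challenge(code, purpose, details)
        if self.descriptive_sms:
            what = {"login": "LOGIN", "reset": "RESET your password",
                    "transfer": f"TRANSFER MVR {details.get('amount')} to {details.get('to')}"}
            sms = f"{code} is your OTP to {what[purpose]}. Never share it, not even with the bank."
        else:
            sms = f"Your OTP is {code}"
        self.outbox.append(sms)

    def confirm(self, token, code, purpose):
        ch = self.pending.pop(token, None)
        # Server-side binding: a code only confirms the operation it was issued
        # for, so an OTP issued for login or reset can never authorise a transfer.
        if ch is None or ch.purpose != purpose or not secrets.compare_digest(ch.code, code):
            raise PermissionError("OTP rejected")
        return ch.details

    def transfer(self, token, code):
        details = self.confirm(token, code, "transfer")
        self.balances[self.sessions[token]] -= details["amount"]
        return details


def victim_reads_sms(sms, expected_purpose):
    """The user thinks they are doing `expected_purpose` because the fake site said so.
    A bare code gives them nothing to check; a text naming another operation makes them stop."""
    code = re.search(r"\b\d{6}\b", sms).group(0)
    stated = [p for p in PURPOSES if p.upper() in sms.upper()]
    if stated and expected_purpose not in stated:
        return None
    return code


def run_attack(bank, mule="7701-MULE", amount=50_000):
    """The fake 'password reset' site from the post, relaying to the real API."""
    # Victim submits credentials to the fake site, which replays them to the bank.
    token = bank.login("alice", "hunter2")
    # Fake site shows 'enter the OTP to reset your password' while, in the
    # victim's real session, it asks the bank for a transfer to the mule account.
    bank.issue_otp(token, "transfer", {"to": mule, "amount": amount})
    # The real bank texts the victim, who reads it expecting a reset code.
    code = victim_reads_sms(bank.outbox[-1], expected_purpose="reset")
    if code is None:
        return "victim refused: the text described a transfer, not a reset"
    # Fake site forwards the code to the bank to confirm the transfer.
    bank.transfer(token, code)
    return f"drained: MVR {amount} sent to {mule}"


def misuse_reset_otp(bank):
    """A code the victim genuinely typed for a reset is useless for a transfer."""
    token = bank.login("alice", "hunter2")
    bank.issue_otp(token, "reset", {})
    code = re.search(r"\b\d{6}\b", bank.outbox[-1]).group(0)
    try:
        bank.transfer(token, code)
        return "transfer went through"
    except PermissionError:
        return "OTP rejected"


if __name__ == "__main__":
    for descriptive in (False, True):
        bank = Bank(descriptive_sms=descriptive)
        print(f"descriptive_sms={descriptive}: {run_attack(bank)}; balance MVR {bank.balances['alice']}")
    print("reset OTP replayed for a transfer:", misuse_reset_otp(Bank(descriptive_sms=False)))
```

With the bare text the account is emptied; with the descriptive text the victim sees "TRANSFER" where they expected a reset and stops, and the server-side binding means even a code entered for a genuine reset cannot be turned into a transfer confirmation.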