OTP IS MOSTLY A 4/6 DIGIT NUMERICAL/ALPHANUMERIC CODE USED AS ANOTHER WAY OF AUTHENTICATING A USER ALONG WITH THE CREDENTIALS.
A one-time password or passcode (OTP) is a string of characters or numbers that authenticates a user for a single login attempt or transaction. An algorithm generates a unique value for each one-time password by factoring in contextual information, like time-based data or previous login events.
People used to just enter their email and pass to login.
It still is there for majority of sites but some have 2FA[OTP] as optional and some have it mandatory.
WHATS THE OTHER WAY ROUND THIS?
There are tons of other ways to bypass OTP but the most popular and bit of HQ is SS7 Attack.
Comment down below the thread if you want me to write those up too.
So Where were we:
SS7 Tunneling/Attack = Same as MITM but operates on telephonic communication rather than data/wifi communication.Those who got no idea what MITM is can go through my previous thread about it.
Now Why is SS7 HQ
Because the global telephonic communication runs on it.
Old Protocal but hasnt been changed much.
The Inside Workaround?
Take an Example: Our Freind Roobbin is having some cash piled up in his bank account…Forget it…FBI gonna bust my ass for this example.
Our freind roobbin got an app in his phone which lets him login to his account after entering the credentials and an OTP generated on Real-Time.
We as usual gets the credentials by
But when we treid to log-in to the app using just the email/pass it generated the OTP[Take an example of Hotstar or BLockChain or anything that requires OTP].
When there is some kinda communication via our phone to any other service over the Network, Our Unique Phone address is stored in HLR[Home Location Register] and it acts as a medium to transmit data…See what i learned in “Wireless Communication” is coming in handy right now .The Enggineering guys would know if they had the subject taken.
Ok to be straight …..Phone sends data to HLR and checks the unique address of our mobile device,
Then from there the HLR sends the request to VLR[Virtual Location Register – It temporarilhy stores our mobile info till connection time out].
SS7 Fakes VLR Address and put the hackers machine address in it.So, basically we are tricking the system into beleiving our address to be the users address we need to get the OTP from.
Now you know what…HLR will transmit the details to the fake VLR and hackers gonna get all the details flowing in and out the the victims mobile phone
Creat Any fake account using These website like facebook,whtsapp,telegram,instagram etc