Admins of MFA bypass service plead guilty to fraud


Three men have pleaded guilty to running OTP.Agency, an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K.

The codes – temporary passwords also known as OTPs, were part of multi-factor authentication protections and criminals subscribing to the illegal service could use them to access a victim’s bank account and empty it.

Authorities estimate that Callum Picari (22), Vijayasidhurshan Vijayanathan (21), and Aza Siddeeque (19) targeted more than 12,500 people between September 2019 and March 2021, when UK’s National Crime Agency (NCA) shut down the OTP.Agency website.

Picari was the owner and main developer of the platform, while Siddequee was responsible for promoting the site and providing technical support to criminals who purchased subscriptions to the service.

OTP.Agency promised to help deliver OTPs for over 30 online services, including Apple Pay, for weekly subscriptions that ranged between £30, for the basic plan and £380 for the elite one.

A criminal who already had a victim’s login credentials to a service would also need the OTP, which OTP.Agency obtained by making automated, scripted calls to the victim using text-to-speech technology and asking for the temporary password.

“Criminals disguised the ID so it appeared as a real call from the victim’s bank,” the NCA explains in a video.

The basic package enabled bypassing multi-factor authentication for bank accounts at HSBC, Monzo, and Lloyds, while the top-tier unlocked access to Visa and Mastercard verification sites.

The three individuals also ran a Telegram group where they communicated to more than 2,200 members.

Based on the information gathered during the investigation, the NCA believes that the three actors could have made up to £7.9 million.

“It is not known how much money the group made from the venture but estimates show it would have been around £30,000 if users purchased the basic plan and up to £7.9 million if they had opted for the elite package.” – NCA

The trio faces charges of conspiracy to commit fraud and conspiracy to make and supply articles for use in fraud. OTP.Agency’s owner, Picari, is also charged with money laundering.

Per UK law, the first two charges can carry a maximum prison sentence of up to 10 years, while money laundering is punishable by up to 14 years.

The exact sentences will be determined by the Snaresbrook Crown Court during a hearing scheduled for November 2.





Source link