Owners of 1-Time Passcode Theft Service Plead Guilty

Scope of the OTP Theft Service and Accountability

  • Many argue law enforcement should target not only the service operators but also the buyers of “theft-as-a-service.”
  • Commenters highlight a broader “underground economy” of cybercrime: exploit kits, ransomware-for-hire, DDoS-for-hire, phishing services, captcha solving, and illicit use of residential IPs.
  • Some note that criminal ecosystems have their own internal markets and parasitism (fraudsters scamming other fraudsters).

Real-World OTP Failures and Banking Practices

  • Example from Argentina: Payoneer users allegedly lost funds due to OTP interception tied to a specific mobile carrier; rumors mention insider SMS selling, with no clear restitution.
  • Several banks still rely heavily or exclusively on SMS-based 2FA; some support hardware keys, but others do not.
  • SMS is criticized as weak, but defenders say it’s easier to support for non-technical users and leverages carrier infrastructure.

Auth Methods: SMS, TOTP, WebAuthn

  • SMS: seen as insecure but widely deployed; vulnerable to interception and social engineering.
  • TOTP (authenticator apps): stronger than SMS but still phishable in real time.
  • WebAuthn: praised as phishing-resistant because credentials bind to domains; hardware keys are best, but software implementations trade some security for usability.
  • Usability concerns: device loss, migration, backups, and smartphone assumptions make “stronger” methods hard at scale.

How This Specific Scam Worked and Mitigations

  • Attack pattern: attackers already had the victim's login and phone number; they robocalled victims while posing as fraud prevention, then tricked them into reading out or entering the legitimate bank OTP.
  • Commenters stress that vague OTP messages (“your verification code is…”) lack context; propose including what action, amount, location, and device is being authorized.
  • General theme: users must be trained not to trust any party that initiates contact and asks for codes, especially by phone.
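
The context-rich OTP message proposed above, as an added example (not from the discussion or any bank's code). It goes one step beyond the proposal by also deriving the code from the stated action, amount, location and device, so a code issued for one action fails for any other; all function names, field values and the message wording are hypothetical.

```python
import hashlib
import hmac
import secrets

FIELDS = ("action", "amount", "location", "device")  # context named in the discussion

def context_string(ctx: dict) -> str:
    # Canonical encoding of exactly what the code authorizes.
    return "|".join(f"{name}={ctx[name]}" for name in FIELDS)

def issue_otp(server_key: bytes, nonce: bytes, ctx: dict) -> str:
    # HMAC over a per-request nonce plus the context, truncated to 6 digits
    # in the style of HOTP (RFC 4226) dynamic truncation.
    mac = hmac.new(server_key, nonce + context_string(ctx).encode(),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def verify_otp(server_key: bytes, nonce: bytes, ctx: dict, submitted: str) -> bool:
    # The server recomputes the code for the action actually being attempted,
    # so a code read out for a different action does not verify.
    return hmac.compare_digest(issue_otp(server_key, nonce, ctx), submitted)

def sms_text(code: str, ctx: dict) -> str:
    # Constructed wording: says what is being approved instead of a bare
    # "your verification code is ...".
    return (f"Code {code} approves: {ctx['action']} of {ctx['amount']} "
            f"from {ctx['device']} in {ctx['location']}. "
            "If you did not start this, do not share the code with anyone.")

if __name__ == "__main__":
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    # Constructed sample request.
    requested = {"action": "transfer", "amount": "GBP 950.00",
                 "location": "Example City", "device": "new Android phone"}
    code = issue_otp(key, nonce, requested)
    print(sms_text(code, requested))
    print("same request verifies:", verify_otp(key, nonce, requested, code))
    altered = dict(requested, amount="GBP 9500.00")
    print("altered amount verifies:", verify_otp(key, nonce, altered, code))
```

A caller who claims to be "cancelling a fraudulent payment" now conflicts with the text the victim sees, which states that the code approves a transfer.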

Law Enforcement, Deterrence, and Public Shaming

  • Some are surprised young UK-based operators thought they’d avoid consequences; others point out they ran for years before being caught.
  • Debate over publishing convicted criminals’ photos: seen as disambiguation, warning, and deterrent vs. concerns about harm if convictions are later overturned.
  • Cross-border cybercrime is described as hard and expensive to prosecute; police are more active when offenders are clearly under their jurisdiction.