Cashing out CC without the otp
When attempting to cash out a credit card dump (the stolen data from a cc, including the card number, expiration date, and the CVV), we often need to bypass security measures to successfully process a fraudulent transaction. One of the key methods of verifying that a transaction is legitimate is Two-Factor Authentication (2FA), which nowadays many banks and payment systems require.
OTP (One-Time Password) is a form of 2FA commonly used by banks to verify transactions. This is typically sent via SMS or email to the cardholder when they attempt a high-risk action, like making a large purchase or transferring money. The OTP acts as a second layer of protection, ensuring that the person initiating the transaction is the legitimate cardholder.
In the case of a credit card dump or CC dump, even though the attacker has the stolen card information, they still need the OTP to complete the transaction. Since the OTP is sent to the legitimate cardholder (via their phone, email, or an authenticator app), we would need access to that information to fulfill the 2FA and finalize the transaction.
Methods to steal or intercept the OTP code
As a result, we have various tactics to steal the OTP from the cardholder, such as:
1) Social Engineering (Impersonating the Bank)
This method relies on social engineering, where we call the victim and pretends to be from their bank or a legitimate service. You could claim that there’s suspicious activity on the account, for example that someone logged in from Russia. What you could also say is that some urgent verification is needed.
A concrete example, a scammer might say something like, “We are performing a security check on your account, and we need to verify your identity. Please provide the 2FA code that was just sent to your phone to confirm that it’s really you.” Since the victim trusts that the call is from their bank, they often fall for it and provide the OTP, which the scammer then uses to complete the fraudulent transaction. For the best possible result, spoof your call to make it seem like it’s coming from the number of your bank.
2) OTP Bot Through Telegram (Automated Voice Scam)
Another method involves an OTP bot used on platforms like Telegram. In this case, we use a bot to automate the process of calling the victim. The bot calls the victim’s phone and plays a prerecorded, convincing message that sounds like it’s from a legitimate service (often a bank). Usually these bots come with a built-in spoofing service.
The message might say something like:
“This is an automated verification call from your bank. Please listen carefully, as we need to confirm your identity. You will soon receive a one-time password (OTP) via SMS. Please enter the OTP into your phone when prompted.”
Once the OTP arrives on the victim’s phone, the bot asks them to type it in, and the victim, believing the call is legitimate, provides the code. Since the call sounds professional and the victim is expecting an OTP, they don’t suspect anything and unwittingly give away the 2FA code.
3) SIM Swapping (Man-in-the-Middle Attack)
SIM swapping is a more advanced form of attack, and it involves taking control of the victim’s phone number. The attacker typically contacts the victim’s mobile carrier, pretending to be the victim, and convinces the carrier to transfer the victim’s phone number to a new SIM card under the attacker’s control.
Once the attacker has control of the victim’s phone number, they can intercept any SMS-based OTPs sent by the bank or payment service. This method effectively allows the attacker to bypass 2FA, as they receive the OTPs directly on their device, enabling them to to complete the transaction. While you’re at it you can completely clear out any other bank the victim has too!
4) Insider at the Bank
In some cases, the fraudster may rely on an insider, aka inny, someone who works at the bank or financial institution. This could be an employee with access to the bank’s customer service system, transaction monitoring tools, or other sensitive data. An insider might assist the attacker by providing access to the victim’s account or even directly supplying the OTP to the fraudster.
The insider can work with the criminal to manually approve or bypass security checks, making the attack much more seamless. This type of attack is harder to detect, as it involves exploiting trusted individuals within the institution to facilitate the fraud.
What Happens After Bypassing OTP: Access to Crypto, Gift Cards, card whatever
Once you’ve bypassed the OTP (One-Time Password), you essentially have full control over the account. This means you can perform any action that the legitimate cardholder could, from making purchases to transferring funds. With full access, you could buy cryptocurrency, gift cards, often without raising suspicion.
In essence, bypassing the OTP removes the final layer of security, giving you the freedom to carry out high-value transactions. It’s a big step in carding, once you’ve overcome it you’re good to go for whatever you want. But you need to be fast, before the cardholder gets suspicious and blocks the card!