Yesterday’s useful advice from a TV commentator on matters of IT security can be boiled down to this: if someone sends you a one-time passcode and tells you not to share it with anyone, then it’s a good idea not to share it with anyone.

This sounds pretty obvious, but the background to that advice is worth recapping. (I started to write this yesterday, but got sidetracked!)

Having set himself up to receive a scam call regarding an unusual payment from his account, the commentator (I forget his name, but he’s one of the regulars on Scam Interceptors) was told by a scammer that she was going to send him a verification code so that she would know she was sending the refund to the right person/account. What she’d actually done was send a request to his provider to reset his password. The provider had sent a passcode to his email address, with a stern admonition not to share it. If he had shared it, it would have enabled the scammer to take over his account by diving in, changing his password, and taking whatever action suited her.

In this case, the provider was Amazon, but responding to requests to reset a forgotten password with a one-time passcode (OTP) is a very common layer of defence, and this is all too common a way in which scammers may try to circumvent it.

The real message here is don’t trust someone who rang you up out of the blue. If they’re genuine, they won’t object to your ringing them back on a number you know is correct – not, of course, a number that they obligingly give you in the course of the unsolicited phone call!

*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2024/03/01/one-time-passcode-scams/