Guidelines for Handling Unsolicited Multi-Factor Authentication (MFA) One-Time Password (OTP) Codes

Receiving an unprompted one-time passcode (OTP) sent as an email or text should be a cause for concern as it likely means your credentials have been compromised.

One of the initial components of a cyberattack is the theft of legitimate credentials to corporate networks. Credentials can be stolen in phishing attacks, credential stuffing attacks, through information-stealing malware, or through social engineering. The stolen credentials are then used to breach corporate networks for data theft, espionage, and ransomware attacks, or to conduct financial fraud in consumers’ online retail accounts.

To prevent successful account breaches, it is recommended to use multi-factor authentication (MFA), which requires users to enter an additional form of verification before being allowed to log in to their accounts. This verification could be a one-time passcode sent as an email or text message that must be inputted into the site, a passcode from an authenticator app, or the presence of a configured hardware security key.

However, OTP codes delivered by email or text message are the riskiest MFA method, because if someone gains access to your email account or phone number, such as through a SIM swapping attack, they also gain access to your OTP codes. This would allow them to reset your password without you knowing until it was too late.

Instead, if a site supports authenticator apps, hardware security keys, or passkeys, you should use one of those options, as they require a more secure form of authentication. If you receive an unprompted OTP code, it is recommended to immediately change your password and enable MFA using a more secure method.

By using MFA, even if a threat actor successfully obtains your account credentials, they cannot log in without first passing the multi-factor verification prompt, significantly reducing successful account breaches.

Unsolicited One-Time Password (OTP) Codes

When confronted with an unexpected two-factor authentication (2FA) code, individuals should adopt a proactive approach and operate under the assumption that their login credentials have been compromised. To mitigate the risk, the account holder should promptly access their Amazon account directly, without clicking on any links contained in text messages or emails. The immediate objective should be to change the account password.

In the event that the compromised password is shared across multiple accounts, a swift response is imperative. It becomes necessary to update the password on all associated platforms without delay, minimizing the likelihood of unauthorized access and potential misuse of personal information.

It is crucial to dispel the misconception that the implementation of 2FA translates to impervious security. While 2FA serves as an additional layer of defense, it is not foolproof. Malicious actors have demonstrated the ability to circumvent Multi-Factor Authentication (MFA) in the past, necessitating a proactive approach to password management. Adopting a complacent attitude towards password changes can create a false sense of security, providing an opportunity for threat actors to exploit vulnerabilities in one’s account.

Moreover, the use of Short Message Service (SMS) and email-based 2FA introduces an additional layer of vulnerability. Despite offering heightened protection, these methods pose inherent risks, especially in scenarios where an attacker gains access to the associated email or phone number, such as through a SIM swapping attack. In such cases, unauthorized access to OTP codes can occur, enabling attackers to reset passwords discreetly and compromising accounts without the user’s immediate awareness.

A more secure alternative lies in leveraging authentication apps, hardware security keys, or passkeys provided by websites that support these options. Opting for these advanced authentication methods enhances security by requiring potential attackers to gain physical access to the user’s device, thereby elevating the threshold for successfully navigating the multi-factor authentication challenge.

When receiving unprompted MFA OTP codes, it is essential to take appropriate measures to ensure the security of your account and personal information. Here are some steps to follow:

  1. Do not click on the link: If the OTP code was sent as an email, avoid clicking on any links in the message. Instead, manually navigate to the website or service where you are expecting the OTP code.
  2. Verify the source: Check the sender’s email address or the website where the OTP code is supposed to be sent. Make sure it is legitimate and not a phishing attempt.
  3. Use a different MFA method: If you suspect that your account has been compromised or you are unsure about the legitimacy of the OTP code, consider using a different MFA method, such as an authenticator app or a hardware security key, instead of relying on the OTP code.
  4. Contact your administrator: If you believe someone is trying to access your account or there is an issue with the MFA process, contact your organization’s IT help desk or administrator for assistance.
  5. Check for security apps: If you are not receiving the verification code sent to your mobile device, ensure that no third-party security apps are blocking the message. Disable any security apps on your phone and request another verification code to be sent.
  6. Clear MFA settings: If you have mistakenly made multiple sign-in attempts and are unable to access your account, wait until you can try again or use a different MFA method for sign-in. If you suspect someone else is trying to access your account, contact your administrator. The error could be caused by malicious activity, misconfigured MFA settings, or other factors.
  7. Check your account settings: Review your account settings to ensure that MFA is enabled and configured correctly [2].
  8. Contact your organization’s help desk: If you suspect that your account has been compromised or is being targeted, inform your organization’s help desk. They can investigate the issue, clear your settings if necessary, and prompt you to register for two-factor verification again the next time you sign in.
  9. Disable third-party security apps: Some security apps may block text messages and phone calls from unknown sources. Disable any third-party security apps on your phone and request that another verification code be sent.
  10. Change your password: If you suspect that your password has been compromised, change it to a new, unique password.
  11. Monitor your account activity: Keep an eye on your account activity and look for any suspicious logins or unauthorized access. If you notice anything unusual, contact your organization’s help desk immediately.
  12. Report the issue: If you continue to receive unprompted OTP codes or experience other issues with your account, report the problem to your organization’s help desk or IT Service Desk for further assistance.

Remember that MFA is an essential security measure that enhances your account security and protects user accounts from unauthorized access. By following these steps, you can ensure that your account remains secure and your personal information remains safe.
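The same signal that tells a user something is wrong (an OTP was issued that they never finished using) can be monitored centrally by a help desk or SOC. The following is an added example, not code from the original article or from any identity provider: it assumes a hypothetical auth-log format and a constructed baseline of known sign-in addresses, and flags OTP challenges that were issued after a password was accepted but never completed within the code's validity window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's auth log (hypothetical format,
# not from any real product): "<ISO time> user=<id> event=<type> ip=<addr>".
# An OTP is only sent after the password was accepted, so an OTP the owner did
# not request means the first factor is already in someone else's hands.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z user=alice event=password_ok ip=203.0.113.5
2024-01-10T09:00:02Z user=alice event=otp_sent ip=203.0.113.5
2024-01-10T09:00:40Z user=alice event=otp_ok ip=203.0.113.5
2024-01-10T22:14:03Z user=alice event=password_ok ip=198.51.100.77
2024-01-10T22:14:04Z user=alice event=otp_sent ip=198.51.100.77
2024-01-10T22:19:10Z user=alice event=otp_sent ip=198.51.100.77
2024-01-11T08:30:00Z user=bob event=password_ok ip=192.0.2.9
2024-01-11T08:30:01Z user=bob event=otp_sent ip=192.0.2.9
2024-01-11T08:30:25Z user=bob event=otp_ok ip=192.0.2.9
"""

# Constructed baseline of the addresses each user normally signs in from.
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"192.0.2.9"}}
OTP_WINDOW = timedelta(minutes=10)  # assumed validity period of a sent code


def parse_log(log):
    """Turn each log line into a dict, with the timestamp parsed under 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        e = dict(p.split("=", 1) for p in pairs)
        e["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_unsolicited_otps(log, known_ips, window=OTP_WINDOW):
    """Return one alert per OTP challenge that was never completed: the password
    was accepted, but whoever triggered the code could not finish the login."""
    by_user = defaultdict(list)
    for e in parse_log(log):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for e in evs:
            if e["event"] != "otp_sent":
                continue
            completed = any(o["event"] == "otp_ok" and
                            e["ts"] <= o["ts"] <= e["ts"] + window for o in evs)
            if not completed:  # password known to someone, second factor held
                alerts.append({"user": user, "ip": e["ip"], "ts": e["ts"],
                               "new_ip": e["ip"] not in known_ips.get(user, set())})
    return alerts
```

An uncompleted challenge from an address the user has never used before is the case the article describes: the password is already compromised and should be rotated even though MFA held.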

Citations:

https://www.bleepingcomputer.com/news/security/what-to-do-when-receiving-unprompted-mfa-otp-codes/
https://twitter.com/BleepinComputer/status/1736418017657884839
https://www.bleepingcomputer.com/news/security/microsoft-authenticator-now-blocks-suspicious-mfa-alerts-by-default/
https://news.ycombinator.com/item?id=37500895
https://techcommunity.microsoft.com/t5/identity-authentication/o365-mfa-sms-deletion-question-about-alternatives/td-p/3858780
https://answers.microsoft.com/en-us/outlook_com/forum/all/mfa-asking-for-code-every-time-on-outlookofficecom/02165ced-6f2d-4794-9f17-9eef41677ff9
https://help.prompt.org.au/article/nrbz0v53rg-mfa-what-is-multi-factor-authentication
https://www.silverfort.com/glossary/mfa-prompt-bombing/
https://support.microsoft.com/en-us/account-billing/common-problems-with-two-step-verification-for-a-work-or-school-account-63acbb9b-16a1-47b9-8619-6a865e8071a5