Is There a New Kind of Wangiri That Targets Firms Issuing One Time Passwords?

A somewhat mysterious article published by Telemedia Online claims there has been a measurable increase in a new form of wangiri that exploits weaknesses in how businesses issue one time passwords (OTPs).

According to our data, the number of Wangiri 2.0 attacks is gradually rising: In Q2 2021 the number of attacks increased by 20% compared to Q1 2021. The main reason for it is that many enterprises (as well as operators) do not even know about the existence of Wangiri 2.0.

What makes the article mysterious is the failure to explain where this data supposedly comes from. The byline attributes the article to Paul Skeldon, Managing Editor of World Telemedia, which naturally leads to the question of why a man who otherwise describes himself as a freelance writer is providing statistics about a little-known fraud and with no mention of who is detecting this fraud in practice.

Skeldon’s article also suffers from a poor choice of words. If you want people to learn about a new fraud it would help if you avoid giving it the same name as a similar but different fraud that has previously been written about elsewhere. A simple web search confirms that the people behind LANCK Telecom and the AB Handshake Corporation have spent several years using the label ‘wangiri 2.0’ to refer to a scam where a call is made with the intention of using a call center’s IVR system to schedule an automated call back. The fraud described by Skeldon also relies on exploiting the automated systems of the victim organization, but Skeldon’s description specifies that the system issues OTPs by voice call.

Step 1: A fraudster uses different phone numbers of real subscribers to request one-time passwords (PIN-codes) from an enterprise.

When it comes to collecting the money, there is little difference between a scenario where the fraudster has tricked an automated system into making a customer service call and another where the system is tricked into issuing a passcode via a phone call. The fraudster’s preference would hence depend on which scam is more profitable. That will be determined by how many organizations are running vulnerable systems, the speed and cost of tricking the vulnerable systems into instigating a return call, and the duration and value of the call received.

The biggest difference between these frauds is that LANCK identified a scam that always begins by making a call to the corporate victim, whereas Skeldon’s scam might be instigated using an app or by visiting a webpage. This makes Skeldon’s use of the word ‘wangiri’ debatable, as there are no other instances of anyone using this word to describe a fraud which does not require the fraudsters to call their victims. Nevertheless, he has described a real risk that needs to be mitigated by closely examining the rules for which numbers may be dialed in order to issue an OTP, and the frequency with which OTPs are issued but not used by callers from various number ranges.

You will find the Telemedia Online article here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.