Who is sending these mysterious 2FA codes?

I read a recent post titled “That’s not how 2FA works”; it was an interesting read.

This is my own experience of seeing some unusual 2FA SMS messages sent to thousands of users by an unknown entity.

Most of my Facebook friends are getting OTP codes from privately owned numbers, in messages claiming that it’s their OTP code.

If you look closely, something is clearly not right. You can see that the message originates from a private number.

Although the message does contain an OTP code, the text is fuzzed up with random characters and dots; Facebook is spelled “Fsab0ok”, and so on.

My guess is that some malicious entities are able to hijack the original OTP sent by the Facebook servers to the user, and they then send the OTP on to the user from a privately owned number.

They fuzz up the message with random characters and misspellings so that it does not trigger network spam filters. But the question is: why?
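The evasion described above (a private sender number, filler dots and leetspeak in the brand name) is exactly what a carrier or an anti-abuse team could look for. The following is an added example, not code from the original post; it is a small heuristic classifier over constructed sample messages. The brand list, the sender-id patterns and the 0.75 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import Dict, Optional, Tuple

# Brands whose OTP messages we want to recognise (constructed list for this example).
BRANDS = ["facebook", "google", "whatsapp"]

# Common character substitutions used to slip a brand name past keyword filters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

OTP_RE = re.compile(r"\b\d{4,8}\b")              # 4-8 digit standalone code
SHORTCODE_RE = re.compile(r"^\d{5,6}$")          # numeric short code (assumed length)
ALPHA_SENDER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ]{0,10}$")  # alphanumeric sender id


def normalize(text: str) -> str:
    """Lower-case, undo leetspeak and strip filler punctuation ("c.o.d.e" -> "code")."""
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z0-9 ]", "", text)


def brand_match(body: str) -> Tuple[Optional[str], bool]:
    """Return (brand, obfuscated): obfuscated is True when the brand only matches fuzzily."""
    words = normalize(body).split()
    for brand in BRANDS:
        if brand in words:
            return brand, False                  # spelled correctly: normal branded SMS
    best_brand, best_ratio = None, 0.0
    for brand in BRANDS:
        for w in words:
            ratio = SequenceMatcher(None, w, brand).ratio()
            if ratio > best_ratio:
                best_brand, best_ratio = brand, ratio
    if best_ratio >= 0.75:                       # e.g. "fsab0ok" -> "fsabook" vs "facebook"
        return best_brand, True
    return None, False


def classify(sender: str, body: str) -> Dict[str, object]:
    """Flag OTP-looking messages that come from a private number or hide the brand name."""
    has_otp = bool(OTP_RE.search(body))          # run on the raw body so digits stay intact
    sender_private = not (SHORTCODE_RE.match(sender) or ALPHA_SENDER_RE.match(sender))
    brand, obfuscated = brand_match(body)
    suspicious = has_otp and (sender_private or obfuscated)
    return {"has_otp": has_otp, "sender_private": sender_private,
            "brand": brand, "obfuscated": obfuscated, "suspicious": suspicious}


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("FACEBOOK", "123456 is your Facebook confirmation code"),
    ("+10005550123", "Fsab0ok. c.o.d.e 482193 .. enter it"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, classify(sender, body))
```

The two signals are deliberately independent: a correctly spelled brand from a private number and an obfuscated brand from a short code are both flagged, which matches what the post observes rather than relying on any single tell.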

Either way, something is wrong, and there are some unanswered questions:

  • How are they able to hijack the OTP?
  • How were they able to trigger the OTP?
  • Why do they send the OTP to the user?
    • The OTP is triggered when you enter the password, so someone must have entered the correct password to get the OTP. Whoever entered the password also hijacked the OTP code, so there would be no need to send it back to the user in order to gain access to the account.
  • Is this some sort of a prank?
  • Is this OTP triggered by an app with permission to send SMS?
  • Who’s behind this and what’s their motivation?

The number of users getting the message makes a prank highly unlikely.

And when I searched Facebook, I was able to find posts from people complaining about receiving unusual OTPs, dating back to early 2020.

Either way, there is something seriously wrong with these mysterious OTP SMS messages.

Online services should consider giving up SMS-based 2FA and suggest an authenticator app instead of SMS for 2FA.

And developers should consider pushing users towards an authenticator app instead of SMS-based 2FA services.

Meanwhile, I’ll try to get to the bottom of this, but I need to find a starting point.