Wednesday, December 29, 2021

Abuse Mechanic in PayNow?

So okay, thanks to the exigencies of COVID-19, I find myself dragged by necessity into setting up and using ``PayNow'', sort of in the same way I got dragged into the whole stupid mess that is WhatsApp (that's another story for another day).

Anyway, I just want to share a potential abuse mechanic in the PayNow onboarding process. After one is set up, the next step is to register the mobile phone number/NRIC of the recipient. You can basically enter any number there, and eventually you are brought to a page where you are required to enter a six-digit OTP that is sent to one's cellphone via SMS.

Now the potential abuse mechanic here is that registering a recipient number automatically reveals the name/nickname behind that number if the recipient already has a PayNow account linked to their cellphone number. Considering that the effort here is ``just'' a single SMS OTP, it becomes a quick way to obtain more information that can be used in a targeted approach.

So, instead of just phishing with a generic message, with just a little effort, it is now possible to convert the generic phishing attempt into a spear phishing one.

I wonder what the mitigation can be for such an abuse mechanic?
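One direction a mitigation could take, added here as an illustration and not PayNow's own code: the lookup endpoint returns only a masked display name and throttles how many distinct recipients a single account may resolve in a time window. The directory entries, the account identifiers and the limit values are all constructed for the example.

```python
# Added illustration (not PayNow's implementation): a recipient-lookup handler
# that reveals only a masked name and throttles repeated lookups per account,
# so one SMS OTP no longer converts a phone number into a full name.
from collections import defaultdict, deque
import time

# Constructed directory mapping a proxy (mobile number or NRIC) to a registered name.
DIRECTORY = {"+6591234567": "Tan Ah Kow", "S1234567D": "Lim Bee Leng"}

MAX_LOOKUPS = 5          # distinct recipients one account may resolve per window (assumed)
WINDOW_SECONDS = 3600    # sliding-window length in seconds (assumed)


def mask_name(name: str) -> str:
    """Keep the first letter of each name part; replace the rest with '*'."""
    return " ".join(p[0] + "*" * (len(p) - 1) if p else p for p in name.split(" "))


class RecipientLookup:
    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock for testing
        self._history = defaultdict(deque)    # account -> deque of (timestamp, proxy)

    def _prune(self, account: str, now: float) -> None:
        q = self._history[account]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def resolve(self, account: str, proxy: str) -> dict:
        """Resolve a proxy for an authenticated account, enforcing the lookup budget."""
        now = self._now()
        self._prune(account, now)
        q = self._history[account]
        distinct = {p for _, p in q}
        # Re-resolving an already-seen proxy is free; new proxies consume budget.
        if proxy not in distinct and len(distinct) >= MAX_LOOKUPS:
            return {"ok": False, "reason": "too many lookups; try again later"}
        q.append((now, proxy))
        name = DIRECTORY.get(proxy)
        if name is None:
            return {"ok": True, "registered": False}
        return {"ok": True, "registered": True, "display_name": mask_name(name)}
```

The masked name still lets a genuine payer confirm they have the right recipient, while the per-account budget makes bulk enumeration slow and visible in logs.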
