December 23, 2024

Remote Access Scams: How to Really Prevent Them

Remote access scams are becoming a pressing issue, with one of Australia’s major banks recently alerting its customers about the risks associated with these fraudulent schemes. It is reasonable to assume that these scams are trending, for this bank at least, enough to warrant the direct email approach.

The bank also noted that in 2023 the Australian Competition and Consumer Commission’s (ACCC) Scamwatch reported over 8,000 incidents of remote access scams, which resulted in losses of over $15 million.

What Are Remote Access Scams and How Do They Work?

The scam in question involves the scammer ringing the victim, pretending to be from a trusted organization, and getting the victim to install some remote access software so the scammer can purportedly fix a mythical issue with their device remotely.

The Limitations of OTP-Based Multi-Factor Authentication

Amongst the sensible, and largely obvious, steps one can take to protect against remote access scams was a recommendation to enable multi-factor authentication (MFA), specifically a one-time password (OTP) sent to your mobile device in addition to your password. It was stated that this would protect you should a scammer access your devices or accounts remotely because you have provided them access to do so.

In reality, however, this provides no additional protection at all in this scenario. The scammer, once provided access to the device, will be intending to transfer funds from the victim’s account, using credentials that the victim either provides over the phone or that the scammer has already obtained through other means. Once the funds are set up to be transferred, if MFA is activated, the scammer’s transaction will generate an OTP, which will be sent to the victim’s mobile.

The scammer simply tells the victim he is sending them a confirmation code or similar and asks them to repeat it back. The scammer inputs it into his browser as requested by the bank and the transaction is authorized. And just like that, the money is gone.

Why OTP-Based Security Is Vulnerable to Exploitation

This is the weakness of OTPs. They are simply a piece of knowledge, and anyone with access to that knowledge can use it, regardless of who they are. The remote access scam is just another way to exploit OTP-based MFA, along with SIM swaps, SS7 hacking, impersonation attacks and any other method of social engineering designed to obtain that vital piece of knowledge.

Voice Biometrics Strengthens Protection Against Remote Access Scams

However, this bank’s recommendation to activate MFA, based on an OTP, can actually provide additional protection if, and only if, the OTP can be paired with the genuine customer and no other person with knowledge of the OTP can successfully use it. And this is where voice biometrics solves the problem. Anyone can successfully type an OTP into a browser. Only the genuine, registered customer can successfully speak an OTP into a browser that supports voice biometric authentication.

Voice biometrics provides the pairing of a piece of knowledge with its rightful owner, rendering that knowledge useless to anyone else. Only biometric authentication can provide real identity assurance, and only voice biometrics can provide the simplest of user interfaces, one that we use every day: speech.