In recent weeks, you may have received an SMS from your bank’s official number saying:
“Dear Bank customer, your existing points (29385 points) will expire today. To avoid any consequences, please redeem your rewards in time: link.”
At first glance, the sender's number makes it look convincing, as though it was sent by the bank. But in reality, this SMS is a scam—part of an SMS phishing (smishing) scheme. Fraudsters send these messages using fake BTS (Base Transceiver Stations) to deceive unsuspecting victims. Want to know more? Let’s dive into it!
A Base Transceiver Station (BTS) is a critical component of mobile networks that connects users’ devices to their carrier’s infrastructure. Fake BTS, on the other hand, is an illegally operated device that mimics the function of a real BTS, allowing fraudsters to send SMS directly to nearby phones without going through the official carrier network.
Once a victim’s phone connects to a fake BTS, all communication, including OTP messages and sensitive data can be intercepted by fraudsters. Because fake BTS operates outside legitimate telecom networks, it is extremely difficult to trace, making it an effective tool for spreading malware and stealing financial information.
Cybercriminals leverage fake BTS for various types of attacks, including:
Fake BTS allows attackers to intercept and manipulate OTPs (One-Time Passwords) sent via SMS. By gaining access to OTPs, fraudsters can log into victims’ bank accounts, mobile wallets, and other sensitive platforms.
According to VIDA’s whitepaper, 84% of fraud cases involve OTP-related attacks, making this one of the most vulnerable authentication methods today.
Fake BTS enables scammers to send SMS that appear to come from trusted sources like banks or e-commerce platforms. These messages often contain malicious links or requests for sensitive personal information to trick victims into revealing their credentials.
Attackers also use fake BTS to send messages containing malicious links. If the victim clicks the link, malware is automatically installed on their device. This malware can:
To safeguard yourself and your business from fake BTS attacks, consider these precautionary steps:
Never click links from unknown senders, even if the SMS appears to come from an official bank number. When in doubt, contact your bank directly to verify the message’s authenticity.
SMS OTP is no longer safe and is increasingly vulnerable to fake BTS, SIM swap fraud, and phishing attacks. Many countries are already phasing out SMS OTP in favor of more secure authentication methods:
So, what’s the best alternative to SMS OTP? Biometric authentication and device-based authentication. VIDA offers FaceToken and PhoneToken, which eliminate the need for OTPs and passwords.
FaceToken replaces OTP and passwords with facial recognition authentication. This ensures that only the real account owner can log in.
Equipped with liveness detection, FaceToken verifies that the scanned face is a real person, not a manipulated image, video, or deepfake. Since FaceToken doesn’t rely on SMS OTP, it’s immune to phishing, SIM swap fraud, and fake BTS attacks.PhoneToken links a user’s identity directly to their device using Public Key Infrastructure (PKI).
When users register their account, the system automatically registers their device as well. Only the registered device can be used to log in, ensuring that even if credentials are stolen, fraudsters can’t access the account from another device. It also eliminates reliance on SMS OTP, preventing fake BTS or SIM swap attacks from compromising security.Fake BTS fraud is a rapidly evolving cyber threat capable of stealing OTPs, spreading malware, and hijacking sensitive user data. Since fake BTS operates outside traditional telecom networks, standard security measures are ineffective against these attacks.
The best way to stay protected is to move away from outdated authentication methods like SMS OTP and switch to modern security solutions like biometric and device authentication.
VIDA’s FaceToken and PhoneToken offer secure, seamless authentication, ensuring that only verified users can access their accounts. Stay informed and take proactive steps to protect your data from advanced cyber threats.