Scribd
Upload
38 views13 pages

Understanding OTP Flooding Attacks

OTP Flooding is a cyberattack where attackers overwhelm users with repeated One-Time Password (OTP) requests, causing service disruption and potential financial loss. The document discusses the types, causes, impacts, prevention methods, and case studies related to OTP Flooding. It emphasizes the importance of implementing security measures like rate limiting and user awareness to mitigate risks associated with this attack.

Uploaded by

akashprajapati1711
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
38 views13 pages

Understanding OTP Flooding Attacks

OTP Flooding is a cyberattack where attackers overwhelm users with repeated One-Time Password (OTP) requests, causing service disruption and potential financial loss. The document discusses the types, causes, impacts, prevention methods, and case studies related to OTP Flooding. It emphasizes the importance of implementing security measures like rate limiting and user awareness to mitigate risks associated with this attack.

Uploaded by

akashprajapati1711
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

OTP

FLOODING
01 Introduction to OTP FLOODING.

02 Types of OTP Flooding .

03 why this happen ?

04 impacts

05 How to PREVENT FROM OTP FLOODING.

06 Detection & Monitoring

07 CASE STUDY 1.1

08 CASE STUDY 1.2

09 CVSS Base Score Metrics.

10 CONCLUSION

TABLE OF content
OTP Flooding is a cyberattack where attackers
repeatedly request OTPs.
OTPs are sent to a user’s phone number or email
address.
The goal is to overwhelm the user with continuous
OTP messages.
This attack can disrupt services and act as a
Denial-of-Service (DoS).

1. INTRODUCTION TO OTP FLOODING


Email OTP Flooding
SMS OTP Flooding

Voice Call OTP Flooding Multi-Channel OTP Flooding

[Link] of OTP Flooding


. No rate limiting
. No CAPTCHA
. Poor validation logic
. Stateless OTP Implementation
. No OTP Request Cooldown

[Link] this happen ?


. Poor website performance due to high CPU and memory usage

. Leakage of users’ data and loss of customers trust

. Account hacking and fraudulent transactions

. Disruption of business operations

. Risk of account takeover in some cases

. Phone flooded with OTP messages

4. IMPACTS
. Limit OTP requests (e.g., max 3–5 per hour)

. Add CAPTCHA before sending OTP

. Track OTP requests per user/IP

. Alert user after multiple OTP attempts

. Block suspicious IPs

. Add time delay (cooldown) between OTP requests

5. HOW TO PREVENT FROM OTP FLOODING.


. Spike in OTP requests

. Multiple OTPs to same number in short time

. Log monitoring & alerting

[Link] & Monitoring


Paytm OTP Flooding & Scam (India)

🗓️- 2021–2023 (Peak in 2022)


📍- India (multiple states) Maharashtra, Delhi NCR, Karnataka, UP, Telangana
👤- Targeted Users (Regular Paytm / UPI users , Mostly non-technical users)
How the Attack Happened
Attacker triggered multiple OTP requests
Victim received continuous OTP SMS
Fraudster called pretending to be Paytm support
Victim shared OTP due to confusion
Money transferred instantly via UPI

IMPACTS
💸 Financial loss (₹5,000 – ₹2,00,000 per victim)
👮 Cyber-crime complaints filed
🏦 Reserve Bank of India issued public warnings
📢 Stronger OTP controls implemented later

[Link] STUDY 1.1


OTP Flooding Scam Case – Bengaluru
Victim: Muniraju M, 67-year-old farmer
Location: Bhuvanahalli village, near Bengaluru
Date of Incident: July 15
Reported To: Devanahalli Police
What Happened
Victim received multiple OTP SMS messages continuously
Messages appeared to be from:
RummyC, JioCinema, E-Croma, Ajio, Flipkart
Victim did not respond to any OTPs and did not alert the bank
Impact
Next day, ₹7.1 lakh was debited from his bank account
Amount siphoned off through multiple fraudulent transactions
Attack Type
OTP Flooding + Social Engineering Fraud
Source
Information reported by Times of India

[Link] STUDY 1.2


[Link] Base Score Metrics.
OTP Flooding results from weak or missing backend
controls

Attackers abuse unlimited OTP requests to bypass security

Leads to fraud, account takeover, and user confusion

Rate limiting, CAPTCHA, and validation are essential


defenses

Real-time monitoring enables early attack detection

User awareness reduces social engineering risks

[Link]
Thank You!

You might also like