Confirm A One-Time Password

How To Confirm An OTP Prior To Ordering Your Item

Unless you're a beginner social engineer who's just started hitting companies for refunds and replacements, or perhaps wanting to get into the scene for the very first time, manipulating representatives to perform actions that they're not supposed to do is not that difficult for those who operate at an intermediate or advanced level. Be it persevering with investigations for a few weeks or a couple of months until the SE succeeds, escalating and re-escalating claims and then pushing reps to their absolute limit to have it approved, or circumventing photographic evidence with the DNA method, at the end of the day, failure is not an option on almost every occasion.

Sure, there are times when claims are finalized pretty much on the spot by chat bots, or reps/agents who can't be bothered following protocol, but for the most part, every claim is meticulously assessed to make sure an account credit or a replacement item is well and truly warranted. But in order to get the job done, the skill set of the SE'er kicks in by making sure the company and their carrier partner have been thoroughly researched, and that the method they've selected is compatible with the nature of the item they're looking to SE.

When all that is done, and on the grounds that the method has been flawlessly formulated, the attack vector is executed - with peace of mind that it's made a perfect start towards achieving its goal by way of funds reimbursed back into the account, or another item dispatched at the company's expense. Although there's not much advanced social engineers can't handle, there is one specific element solely related to the DNA method that significantly complicates matters to the point of aborting the DNA altogether - which is called an "OTP", an abbreviation of "One-Time Password".

It's not only advanced SE'ers who're affected by it; refunders (who offer their service to inexperienced SE'ers) are also impacted by an "OTP" and, as a result, they refuse to take it on board, simply choosing another traditional method that doesn't involve the need to deal with it. I've come across countless SE'ers on various social engineering communities, the likes of an Internet forum/board and a Discord server, who keep requesting assistance on "how to confirm whether or not a One-Time Password will be required on receipt of goods" - and that's what prompted me to write this article.

What you'll learn today is the definition of an OTP, inclusive of why companies use it to verify their consignments, and three methodologies used to identify if a One-Time Password will apply to the order you're expecting to purchase. Confused? Rest assured, I've got you covered - this will make perfect sense in a few minutes or so. Even if you're well-acquainted with an OTP, I strongly suggest absorbing every word from this point onwards - as there will be a few details unbeknownst to you. Okay, let's begin by checking out the ins and outs of a One-Time Password.


What Is A One-Time Password?

Firstly, I'd like to reiterate that a "One-Time Password" only relates to the DNA method, so make a mental note of it for future SEs. Although an OTP is not tied to any particular company and carrier service, and may vary depending on locality and other factors not mentioned in this topic, it is a commonality when SEing "Amazon", thus be sure to always keep it in mind. All right, if (for example) you're social engineering a high value item such as a QLED 8K HD Smart TV (from Amazon itself) that costs around $4,000 using the DNA, an OTP will most likely be needed to confirm the box made its way to the right address, and was personally received by yourself (the SE'er) or an authorized recipient.

Because the product is very expensive, it's crucial for the carrier to ensure it's accepted by the account holder or a household member, therefore an OTP will be part of their delivery process. Here's how it basically works. When your order is placed and ready to be dispatched, or in some cases when it's already in transit, the OTP will be sent by the company to your cell phone or to the registered email address on your account, and when the carrier arrives, you must tell him the password to receive it.

If you neglect to show the driver the One-Time Password, he has every right to refuse handing over your package, hence will mark it as an undelivered consignment and take it back to the depot to reschedule the delivery time & date. Given the goods can only be accepted with an OTP, the majority of SE'ers do not use the DNA method - for the reason that it will be an arduous task to grab the package without the password. Now there are ways to bypass an OTP (I've done it a few times) and it does take an exceptional set of skills to manipulate the carrier driver, but it's way beyond the scope of this topic to delve into it, so we'll have a look at the first method on how to determine if an OTP will be required with your order.


Method One - The Account Checkout Page

Due to the fact it's not possible to discuss each and every company that utilizes a One-Time Password, what you're about to read only pertains to "Amazon", but not in every country/region (more on this shortly), and do remember that it's purely relative to the DNA and does not affect any other traditional method. Okay, using this approach to identify an OTP is really quite simple. It involves logging into your Amazon account, selecting the item(s) you'd like to purchase by adding them to your Cart, and then pressing the "Proceed to checkout" button.

Before making a payment with your credit card or otherwise, there "should be" some type of delivery instructions with your order - namely a signature or a One-Time Password to verify the package when received from the carrier driver. If it's the former (signature), you're good to go with the DNA method - it can easily be avoided or fake signed, but if you experience the latter (OTP), it's your choice whether to manipulate the driver to hand you the package, or forget about it and choose another method. Either way, you know precisely what to expect with your SE.

Notice I've quoted "should be" in the paragraph above? That's because Amazon doesn't always provide the delivery instructions on the checkout page of their website - sometimes (for some reason) the country is responsible for it. For instance, I've had reports from less than a handful of fellow social engineers who've said they've ordered a product from an Amazon store located abroad, and an OTP was required on delivery. However, when the exact item was purchased from Amazon where the SE'er resides, only a signature was needed on receipt of goods.

As you can see, the same product (and its value) was bought from two Amazon online stores - one was overseas, and the other was situated in the SE'er's country, and even though both shipments were serviced by the same carrier company, a One-Time Password only applied to one consignment. I'm not saying it happens often, but rather pointing out that the possibility exists, therefore it's good practice to double-check the OTP, which brings me to the next topic below.


Method Two - Contacting The Company

The second method I'll introduce to establish if a password is mandatory with the delivery is very straightforward and pretty much common sense, but to this day, SE'ers whom I liaise with on a few SEing communities fail to think of such a simplistic task. Now it's not my intention to belittle social engineers in any way, shape, or form - we all stick together, so my objective is to demonstrate just how easy it is to have knowledge of an OTP (prior to paying for your items), by "contacting the company".

Yes, you've read that right, a good ol' phone call is all it takes to see if your package will be accepted with or without an OTP, and if the company cannot be contacted as such, opt for another gateway - shoot off an email or (where available) initiate a live chat session. It makes no difference which one you choose to get in touch - they're all equally effective when you word your communication correctly, and here's how it's done.

Pretend as though you're a concerned buyer who will be purchasing a product as a "birthday gift", and wants to be absolutely sure it will arrive safely and on time. Then tell the representative that you'd prefer to meet the driver and give him some sort of verification, just to ensure the goods are marked as delivered on both ends - yours and the company's, and ask what options are available. No doubt, the rep/agent will respond with either a "signature" or a "One-Time Password" - and there's your answer! Excluding call/email/chat waiting times, the whole process takes less than a minute.


Method Three - Performing A Test Run

Of all the methodologies you've had the pleasure of reading thus far, I'd say this is the most constructive approach to pinpoint if an OTP is assigned to the item you're planning to social engineer - specifically for the reason that "a test run is performed before the real SE", which ultimately reveals how the package is handed to you by the driver. In other words, and put simply, you'll buy your product on a completely separate test account, and then see whether the company/carrier requires a One-Time Password or a signature on delivery. And if you're in luck, the package may be dumped at your doorstep, but for the purpose of this guide, we'll assume it's an OTP or a signature.

Of course, all the above is based on your firm decision to solely use the DNA method, and not being flexible to any other alternatives. Okay, when the package is on its way (ordered on your test account) and there's no notification of an OTP via email or phone, hence only a signature is requested, it's blatantly obvious that a One-Time Password is not needed by the company/carrier for the nature & value of your item, so the DNA is ready to be executed. But it won't be done as yet. Instead, return it for a legit refund, "reorder the same product on your primary/main account", and hit the DNA accordingly.

Now you may be thinking: "Why not do it on the primary/main account to begin with?". Well, what if the OTP was in fact generated, and you had no choice but to tell the driver the password to accept the package? Evidently, it puts an end to your SE, so the item must be returned for a legitimate refund - which you'd want to avoid where possible. Why? Because if refunds are kept to a minimum, "the account is in good standing" - and that's why the DNA should be performed on your primary account that has credibility, as opposed to the test account that was recently created without a single transaction.

If you're SEing Amazon, they're exceptionally good at detecting multi-accounting, so it's of the utmost importance that both your test/fake and primary/real accounts have no association whatsoever. Believe me, if there's a single matching detail/credential or anything that indicates each account belongs to the same person, Amazon will pick it up, and by the time you work out what went wrong, the account will be closed with no chance of getting it back! As such, it's imperative to change every identifiable detail when creating the test/fake account as per my following recommendations.

  • Change of full name (family & given name)
  • Change of date of birth (where applicable)
  • Change of full residential address (if need be, use a "drop")
  • Change of email address (no need to explain this)
  • Make sure the email address does not contain anything personal to you
  • Change of phone number (new SIM on a fake account or a Burner service)
  • Navigate via a VPN (NordVPN, IPVanish, ExpressVPN will suffice)
  • Use a different device (one that was NEVER used with previous accounts)
  • Change your device MAC address (this free tool does the job well)
  • Use a VCC - Virtual Credit Card (there's heaps of providers online)
  • Use a GC - Gift Card (an alternative to a virtual credit card)
  • Use a different password (nothing similar to previous accounts)
  • Navigate via a private search engine (prevent your online behavior from being tracked)

In Conclusion

Upon reading every topic in this article, you now have sound knowledge of how a One-Time Password is used to verify consignments with the DNA method, and you're also well-informed of three of the very best methods to check if an OTP is warranted with the product you're looking to social engineer.

Naturally, there are other ways to assess its requirement, but this entire article is targeted at SE'ers of all shapes & sizes, so irrespective of whether you've been SEing for 3 weeks or 3 years, you've now attained the expertise to efficiently and effectively confirm if a One-Time Password will apply to the SE you're planning to perform.
