
EVERY8D Suspected Hack Sparks OTP Security Concerns, Experts Warn of Single Point of Failure Risk

From Liberty Times · Chinese

Translated from Chinese, summarized and contextualized by DistantNews.

At a glance

  • Taiwan's largest SMS service provider, EVERY8D, is suspected of being hacked, leading to service disruptions and potential user data leaks.
  • The incident has raised concerns about the security of One-Time Password (OTP) verification codes sent via SMS, as some clients used the platform for this purpose.
  • Cybersecurity experts warn of the risks associated with single points of failure in critical verification mechanisms and highlight the need for more robust authentication methods like FIDO standards.

Taiwan's largest SMS service provider, EVERY8D, is under investigation following a suspected cyberattack that disrupted its services and potentially exposed user data. The incident has ignited a debate about the security of One-Time Password (OTP) verification systems, particularly those relying on SMS.

The Digital Development Administration's Industrial Bureau conducted an on-site administrative inspection of EVERY8D's parent company, Teamplus, on June 2. The agency is working to determine if the company's personal data protection measures comply with legal requirements.

Concerns have been amplified because some EVERY8D clients used the platform to send OTP codes for website logins. Cybersecurity experts like Ho Chun-hsin have pointed out the inherent risks, describing the attack as a "single point of failure." He argued that hackers could potentially intercept sensitive information without needing social engineering or SIM card swapping, simply by accessing the platform directly.

While the Cybersecurity Administration noted that OTP codes are typically time-sensitive, expiring within minutes, Ho expressed skepticism. He suggested that hackers might exploit this window, and he views the short validity as insufficient protection. He also advocated for international standards like FIDO, which utilize more secure Out-of-Band (OOB) authentication methods, as a superior alternative to SMS-based OTPs.

In response to such vulnerabilities, Taiwan's government has been promoting a zero-trust architecture for government agencies since 2021. This framework includes identity and device authentication mechanisms. The Digital Development Ministry has guided 47 major agencies in adopting this architecture, with ongoing efforts to extend it to other central government bodies. The Cybersecurity Institute has also been validating products to support this transition, with numerous authentication products already certified.

DistantNews Editorial

Originally published by Liberty Times in Chinese. Translated, summarized, and contextualized by our editorial team with added local perspective.