Once an OTP is captured, it is “binned” — stored or relayed instantly to the attacker to complete a login or transaction.