3 ways hackers are bypassing MFA to commit ATO fraud
16 November 2022

3 ways hackers are bypassing MFA to commit ATO fraud

16 November 2022

In recent years, account takeover attacks have become more prevalent than ever, with fraudsters closing in on the financial services sector with new ways to defeat multi-factor authentication challenges.

In this blog, we’ll look at three emerging methods fraudsters are using to bypass multi-factor authentication and execute account takeover fraud, as well as how businesses can effectively mitigate these emerging threats. 

The problem

Despite the roll out of strong customer authentication, in 2021, 84% of financial services firms experienced account takeover attacks, with global losses estimated at $11.4 billion. According to studies from Juniper, that number is only set to rise, with losses forecast to surpass $206 billion by 2025

Rather than being deterred by the improvements to authentication security, attackers are simply inventing new ways to capture multi-factor authentication (MFA) credentials, such as OTPs, to execute attacks. 

We’ll now look at the techniques listed below that fraudsters are frequently using to bypass MFA security:

  • SIM swapping

  • Reverse proxy server scams 

  • Buy now, pay later attacks

1. SIM Swapping 

SIM swapping is a major concern for financial firms and cryptocurrency exchanges, with attacks becoming more frequent and pervasive, increasing by over 400% the last five years in the United Kingdom. 

To carry out a SIM swapping attack, fraudsters exploit compromised and leaked personal information to impersonate legitimate customers and transfer legitimate phone numbers onto new, fraudulent SIMs.

Once a new SIM is activated on a fraudster's device, they will receive OTPs meant for the customer. They will then often use these to bypass and disable MFA, make fraudulent payments, and launch further attacks on the victim’s accounts and contacts.

According to the European Union Agency for Cybersecurity, there are specific circumstances that open the opportunity for SIM swapping. These include

  • Weak customer authentication processes

  • Negligence or lack of cyber training or hygiene

  • Lack of risk awareness

It goes without saying that these attacks can have serious financial repercussions for victims. Last year, Canadian police arrested a teenager for stealing a staggering $36 million from a single victim through a SIM-swapping attack, and in Europe, criminals leveraged SIM swapping methods to steal over $100 million from US celebrities.

2. Reverse Proxy Scams

Another advanced method being used to capture OTPs are reverse proxy scams. Reverse proxy scams are a type of man-in-the-middle phishing attack that enable fraudsters to steal (MFA) credentials and session cookies from victims without the victim’s knowledge. 

To execute a reverse proxy scam, attackers intercept a victim’s credentials using a proxy web server that essentially acts as a layer between the victim and the website they’re attempting to login to. 

Microsoft announced this year that approximately 10,000 organizations had been targeted with fake Microsoft Office login pages. The campaign led the user to an attacker-controlled proxy site that sat between them and the server they were attempting to log into.

According to Microsoft:

“A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multi factor authentication (MFA).The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.”

Reverse proxy scams like these use a number of advanced steps to capture genuine MFA credentials:

  • Bad actors create look-alike proxy sites that intercept imputed credentials and relay them to the real server. 

  • The real server's response is relayed back to the victim via the proxy site. 

  • The bad actor logs into and captures the session cookie sent by the real website, enabling the cookies so they would not need to be re-authenticated in future sessions.

Unfortunately, these attacks can be especially insidious, as targets are often completely unaware that they’re being hacked, until it’s too late. Exacerbating the problem, bad actors can now purchase “phishing kits” online to execute such attacks – meaning you do not necessarily have to have the technical skills to launch attacks. 

3. Buy now, pay later attacks

The popularity of BNPL platforms, like Klarna and Clearpay, has recently exploded, with BNPL customers now exceeding 360 million globally.

The adoption of BNPL payments has created an unprecedented opportunity for fraudsters, who are taking advantage of weaker security standards adopted by BNPL services and their retail partners.

Bad actors are attracted to BNPL accounts because there’s more opportunity to execute an account takeover attack. 

ATO attacks on BNPL accounts can be executed either by:

  • Taking over the BNPL account directly using a combination of phishing and social engineering techniques.

  • Taking over an account with a retailer or other business that is authorized to charge that account.

The latter method generally requires less effort as online retailers have weaker authentication standards compared to financial platforms and apps – meaning 2FA is often not required. 

Fraudsters can compromise a genuine customer's account either by purchasing compromised credentials online or by running automated credential stuffing or credential cracking attacks. 

According to recent research from Imperva, 64.1% of account takeover (ATO) attacks make use of bad bots (software applications that run automated tasks such as credential stuffing), meaning they can execute these kinds of attacks en masse. 

Passwordless as a defense

Luckily, there’s a simple way for financial firms to protect their customers against these emerging threats, and that’s by eliminating passwords entirely – whether temporary or saved – from login and payment authentication flows altogether.

“What we’re learning is that OTPs don’t really prove that you have anything at all – they merely prove that you know something, thus having the same security weaknesses as passwords. Rather than being deterred by OTPs, fraudsters are simply adapting their approach to phishing so that they are able to capture OTPs in real time” –Gal Steinberg, VP of Products at Keyless. 

“Due to the fact that users must type them in, OTPs remain easily phishable and can be quickly intercepted using these advanced techniques.” he continued.

By eliminating all credentials, whether a password, PIN, or one-time code, businesses can effectively reduce account takeover threats caused by compromised credentials, phishing, and man-in-the-middle attacks to zero. 

Keep your customers safe with Keyless

By replacing passwords and OTPs with our advanced passwordless solutions, Keyless provides the ultimate protection against ATO attacks. Since there’s nothing to steal or phish, we help financial firms protect their bottom line and brand reputation, while simultaneously protecting their customers from the financial repercussions of fraud and cybercrime. 

Get In Touch

Find out how our private-by-design MFA can help your organization prevent ATOs, improve UX, and protect your bottom line.