How Fraudsters Bypass MFA to Get into Banks, Brokers and Crypto Wallets

Passwords are dying as a sole security measure, particularly within financial services.

It is widely expected (and in the UK, mandatory) that any institution responsible for finances, from banks to brokers and even crypto wallets, should be implementing multi factor authentication (MFA) to prevent fraudsters gaining access to accounts using automated attacks, even if they know the user’s password.

This blog post outlines several MFA bypass techniques attackers have developed to carry out account takeover attacks on financial services organizations.

What is MFA (multi factor authentication)?

MFA – or multi factor authentication – is a security measure designed to prevent unauthorized access to accounts, even when the attacker has the user’s password. Any login requires an MFA access code (like a one time password) generated on a device belonging to the account owner using a third party MFA provider app like Google Authenticator or Authy. In theory only the account owner can access the code and log in, even if their credentials are compromised by a bad actor.

2FA (two factor authentication) is a type of MFA that uses exactly two factors for login (usually credentials plus a device). The second factor could be a code sent via a text message or to an app. All 2FA is a form of MFA, but not all MFA is two factor authentication as more factors could be required.

How is cryptocurrency stolen?

The nature of blockchain currencies makes them highly susceptible to fraudulent activity. Transactions are difficult if not impossible to trace, making it easy for adversaries to get away with stealing large amounts of virtual cash undetected.

Between October 2020 and March 2021, 7,000 people reported a collective $80 million stolen in cryptocurrency – 12 times the number of reports than in the same period the previous year, with over 1,000% more money stolen.

Here are some of the most prevalent types of cryptocurrency fraud:

Guru cons and investment scams

As people are drawn into the hype around making money through crypto investments, inevitably so-called “crypto gurus” have found a niche selling advice to newcomers. Sadly, fraudsters have taken advantage of the situation. In one scam, more than $2 million was stolen by fraudsters impersonating cryptocurrency advocate Elon Musk. These con artists promised to multiply the victims’ investments, but instead stole the money with no hope of retrieval.

Romance scams

The difficulty in tracing transactions makes cryptocurrency a perfect tool for romance scammers who manipulate their victims into transferring huge sums of cash. The FTC reports that over $185 million has been lost via cryptocurrency transactions in romance scams since 2021 – one in every three dollars lost to the scams overall.

Account takeover

Unlike traditional banking, crypto transactions are hard to reverse or trace. There is little support due to the decentralized nature of the currencies; password recovery mechanisms are less robust than traditional banks, and repatriating stolen accounts is harder as proving yourself to be the legitimate account owner is not straightforward.

These factors make cryptocurrency wallet fraud attractive to ATO attackers where risk and cost are low but potential rewards are extremely high.

Account takeover is still a major concern in financial services

Account takeover (ATO) is the holy grail of fraud attacks in financial services, handing criminals their victims’ financial assets on a platter. The risk of accounts being stolen affects both traditional banks as well as FinTechs and crypto wallets.

The first step in most attempts to gain access to bank accounts is credential stuffing. MFA is a way to stop attacks like credential stuffing.

How can credential stuffing give access to a user’s account?

First, the attacker acquires a list of credentials (username and password pairs), usually through some form of credential theft. This could either be a data leak from another site published on the dark web, or by buying ‘botnetted’ device fingerprints and session cookies from marketplaces like the Genesis Market.

If only part of credentials is obtained, attackers can use brute force to guess the password based on published lists.

Next, threat actors inject these credentials into the login pages of a targeted company to determine which ones are legitimate. This is usually done at great velocity and volume using bots to automate the process.

Some attacks make millions of login attempts within just a few hours, so even a small success rate at this scale can yield hundreds or thousands of accounts, which is a big win for criminals.

Any validated credentials can then be used for an account takeover attack. Once in, threat actors can access sensitive data, perform a password reset and completely control the user account, even transferring money elsewhere.

How can multi factor authentication stop credential stuffing and account takeover?

MFA is designed to stop ATO attacks by requiring more than just a password (usually something in the account owner’s physical possession) to validate a login, preventing automated attempts.

Unfortunately, attackers can bypass MFA security using a combination of bot and human intervention, either by sidestepping the need to use MFA for account access or using clever tricks to fool account owners into handing over MFA codes.

How do attackers bypass MFA?

Here are some common MFA bypass attack vectors:

Financial aggregator sites

APIs are a huge target for financial fraudsters, as the adoption of Open Banking API to meet PSD2 requirements opened a new attack vector.

APIs are exploitable via financial aggregator sites. Bank customers use services such as Mint, Plaid and Yodlee to manage their finances, aggregating accounts into a ‘single pane of glass’ view. These apps can access account information and even make changes using the bank’s API or a webapp, sometimes without requiring MFA.

A threat actor can perform credential stuffing attacks through a third-party financial aggregator app to bypass MFA controls.

Security questions and social engineering

Some banks make provisions in case their users lose the device used for MFA, or don’t have access to it for some reason. This is a way to bypass MFA using the bank’s own policies.

The most common method of verifying identity in this case is through security questions.  Attackers use social engineering, which can be as simple as quickly looking at social media profiles, to gain answers to common security questions and access accounts without MFA.

Bots can therefore use credential stuffing to bypass MFA and instead answer security questions either by brute force or using publicly available data.

Phishing

MFA bypass attacks often run in parallel with phishing attacks. Phishing is a means to trick users into giving up sensitive information, such as passwords or information useful for passing security questions.

Phishing can also be used to extract codes generated by MFA apps from account owners.

Techniques include trying to convince an individual to visit a fake login page and input the MFA code. The threat actor might also email or phone an individual and impersonate their bank to ask for the MFA code. In this way, rather than bypass MFA, attackers gain access to MFA codes maliciously.

Man-in-the-middle

In a man-in-the-middle (MITM) attack, the threat actor positions themselves between the bank and the customer (often by using malware) and intercepts the messages between them. They can use this to acquire an MFA code, for example by linking to a fake page asking for the MFA code.

SIM swapping

SIM swapping entails intercepting text messages sent to a user’s phone number and having them sent to another handset. This is often done by calling up the user’s SIM provider and impersonating the customer using social engineering to pass security questions.

The threat actor then convinces the operator to swap the phone number to a new SIM card in the attacker’s possession. Once this is set up, the threat actor can use this phone number as the authentication factor to gain access to the user’s account.

Why can’t MFA completely stop bot attacks?

While we have presented a few ways fraudsters get around MFA defenses, it’s true that MFA is stronger than passwords alone, and is still likely to slow down attacks, force a degree of human intervention, or yield fewer stolen accounts.

However, because they can run at such high volumes, bots don’t need a very high success rate to be profitable. Banks are still at risk of having customer accounts stolen by bot attacks, even with MFA in place.

In essence, adding an extra layer of defense has forced criminals to become even more sophisticated in the ongoing cat and mouse chase between security experts and their adversaries.