
How Fraudsters Bypass MFA to Get into Banks, Brokers and Crypto Wallets
- Alex McConnell, Cybersecurity Content Specialist
Passwords are dying as a sole security measure, particularly within financial services.
It is widely expected (and in the UK, mandatory) that any institution responsible for finances, from banks to brokers and even crypto wallets, should be implementing multi factor authentication (MFA) to prevent fraudsters gaining access to accounts using automated attacks, even if they know the user’s password.
This blog post outlines several MFA bypass techniques attackers have developed to carry out account takeover attacks on financial services organizations.
What is MFA (multi factor authentication)?
MFA – or multi factor authentication – is a security measure designed to prevent unauthorized access to accounts, even when the attacker has the user’s password. Any login requires an MFA access code (like a one time password) generated on a device belonging to the account owner using a third party MFA provider app like Google Authenticator or Authy. In theory only the account owner can access the code and log in, even if their credentials are compromised by a bad actor.
2FA (two factor authentication) is a type of MFA that uses exactly two factors for login (usually credentials plus a device). The second factor could be a code sent via a text message or to an app. All 2FA is a form of MFA, but not all MFA is two factor authentication as more factors could be required.
Account takeover is still a major concern in financial services
Account takeover (ATO) is the holy grail of fraud attacks in financial services, handing criminals their victims’ financial assets on a platter. The risk of accounts being stolen affects traditional banks, FinTechs and even crypto wallets.
The first step in most attempts to gain access to bank accounts is credential stuffing. MFA is a way to stop attacks like credential stuffing.
How can credential stuffing give access to a user’s account?
First, the attacker acquires a list of credentials (username and password pairs), usually through some form of credential theft. This could either be a data leak from another site published on the dark web, or by buying ‘botnetted’ device fingerprints and session cookies from marketplaces like the Genesis Market.
If only part of a set of credentials is obtained, attackers can use brute force to guess the password based on published lists.
Next, threat actors inject these credentials into the login pages of a targeted company to determine which ones are legitimate. This is usually done at great velocity and volume using bots to automate the process.
Some attacks make millions of login attempts within just a few hours, so even a small success rate at this scale can yield hundreds or thousands of accounts, which is a big win for criminals.
Any validated credentials can then be used for an account takeover attack. Once in, threat actors can access sensitive data, perform a password reset and completely control the user account, even transferring money elsewhere.
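The pattern described above (many distinct usernames from one source, at high velocity, with a low success rate) can be detected from login logs. The following is an added defender-side example, not code from Netacea or from the original post; the event fields, thresholds, channel names and the documentation-range IP addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed login events: (time, source, channel, username, success)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Bot: 200 distinct usernames, one attempt every 3 s, two valid pairs.
    for i in range(200):
        events.append((t0 + timedelta(seconds=3 * i), "203.0.113.7",
                       "aggregator_api", f"user{i:03d}", i in (41, 157)))
    # Genuine aggregator: 30 customers syncing, every login succeeds.
    for i in range(30):
        events.append((t0 + timedelta(seconds=20 * i), "198.51.100.20",
                       "aggregator_api", f"cust{i:02d}", True))
    # One customer mistyping a password twice, then getting it right.
    for j, ok in enumerate((False, False, True)):
        events.append((t0 + timedelta(seconds=30 * j), "192.0.2.55",
                       "web", "alice", ok))
    return events

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=20, max_success_rate=0.05):
    """Return {(source, channel): [usernames that logged in successfully]}
    for sources that tried many distinct usernames with a low success
    rate inside one sliding window. Thresholds are illustrative."""
    by_key = defaultdict(list)
    for ts, source, channel, user, ok in events:
        by_key[(source, channel)].append((ts, user, ok))
    findings = {}
    for key, rows in by_key.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                # Every success from this source is a likely takeover:
                # queue those accounts for step-up checks or a reset.
                findings[key] = sorted({u for _, u, ok in rows if ok})
                break
    return findings

if __name__ == "__main__":
    for (source, channel), accounts in detect_stuffing(sample_events()).items():
        print(source, channel, "accounts to review:", accounts)
```

The success-rate condition is what separates the bot from the genuine aggregator, which also presents many usernames from one source. Grouping by source address is a simplification; attacks spread across many addresses need a different grouping key, such as a device or client fingerprint.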
How can multi factor authentication stop credential stuffing and account takeover?
MFA is designed to stop ATO attacks by requiring more than just a password (usually something in the account owner’s physical possession) to validate a login, preventing automated attempts.
Unfortunately, attackers can bypass MFA security using a combination of bot and human intervention, either by sidestepping the need to use MFA for account access or using clever tricks to fool account owners into handing over MFA codes.
How do attackers bypass MFA?
Here are some common MFA bypass attack vectors:
Financial aggregator sites
APIs are a huge target for financial fraudsters, as the adoption of Open Banking APIs to meet PSD2 requirements opened a new attack vector.
APIs are exploitable via financial aggregator sites. Bank customers use services such as Mint, Plaid and Yodlee to manage their finances, aggregating accounts into a ‘single pane of glass’ view. These apps can access account information and even make changes using the bank’s API or a webapp, sometimes without requiring MFA.
A threat actor can perform credential stuffing attacks through a third-party financial aggregator app to bypass MFA controls.
Security questions and social engineering
Some banks make provisions in case their users lose the device used for MFA, or don’t have access to it for some reason. This is a way to bypass MFA using the bank’s own policies.
The most common method of verifying identity in this case is through security questions. Attackers use social engineering, which can be as simple as quickly looking at social media profiles, to gain answers to common security questions and access accounts without MFA.
Bots can therefore use credential stuffing to bypass MFA, answering security questions instead, either by brute force or using publicly available data.
Phishing
MFA bypass attacks often run in parallel with phishing attacks. Phishing is a means to trick users into giving up sensitive information, such as passwords or information useful for passing security questions.
Phishing can also be used to extract codes generated by MFA apps from account owners.
Techniques include trying to convince an individual to visit a fake login page and input the MFA code. The threat actor might also email or phone an individual and impersonate their bank to ask for the MFA code. In this way, rather than bypass MFA, attackers gain access to MFA codes maliciously.
Man-in-the-middle
In a man-in-the-middle (MITM) attack, the threat actor positions themselves between the bank and the customer (often by using malware) and intercepts the messages between them. They can use this to acquire an MFA code, for example by linking to a fake page asking for the MFA code.
SIM swapping
SIM swapping entails intercepting text messages sent to a user’s phone number and having them sent to another handset. This is often done by calling up the user’s SIM provider and impersonating the customer using social engineering to pass security questions.
The threat actor then convinces the operator to swap the phone number to a new SIM card in the attacker’s possession. Once this is set up, the threat actor can use this phone number as the authentication factor to gain access to the user’s account.
Why can’t MFA completely stop bot attacks?
While we have presented a few ways fraudsters get around MFA defenses, it’s true that MFA is stronger than passwords alone, and is still likely to slow down attacks, force a degree of human intervention, or yield fewer stolen accounts.
However, because they can run at such high volumes, bots don’t need a very high success rate to be profitable. Banks are still at risk of having customer accounts stolen by bot attacks, even with MFA in place.
In essence, adding an extra layer of defense has forced criminals to become even more sophisticated in the ongoing cat and mouse chase between security experts and their adversaries.