Finding the Cracks in the Wall—How Modern Scams Bypass MFA

Written by

Or Katz

March 17, 2021

In my previous blog, I discussed the important role multi-factor authentication (MFA) plays in further securing access to enterprise and consumer services. We also established that although MFA increases authentication security and decreases the risk of account takeover, MFA can, and is, being bypassed in the wild.

In this blog, I will cover the most prevalent techniques being used to bypass MFA factors. I will also explain how different MFA techniques present different risks for compromising user credentials, which can lead to account takeovers.  

Stealing one-time passwords

One of the most common two-factor authentication methods uses "something you own" such as your mobile device, hardware authentication device, or email account. These devices and accounts enable the use of a one-time password (OTP) as the secondary authentication factor, which is generated for a limited period and serves as an additional factor in the authentication process.

While the use of an OTP increases a user's account security posture, it is not bulletproof for attacks that abuse and bypass this authentication method. A good example of techniques that overcome the use of OTP as another factor for authentication can be seen in phishing scams. In such scams, once the victim lands on the phishing website, the first step will be to steal their credentials or "what they know". Once that is done, the scam will be initiated behind the scenes without the victim's knowledge. A direct authentication process against the targeted website or login portal using the stolen credentials will initiate a request for the OTP that will lead to a token being sent to the victim's device.

Figure: An example of a phishing website stealing hardware-based OTP tokens Figure: An example of a phishing website stealing hardware-based OTP tokens

The victim is now connected to the phishing website and unaware that it is a scam. They will willingly provide their OTP token to the phishing website, which gives the scammers the ability to take over their account.

An example of a high-volume phishing scam that bypasses OTP was seen recently by the Akamai threat research team. The campaign included eight U.K. banks that were targeted with more than 7,000 phishing domains. In this campaign, a back-end administration operation was involved, leading to a manual activation of an OTP token each time this step was required by the access flow for the targeted bank.

SIM swapping

Another technique, which is not as prevalent as OTP theft, is mobile phone SIM swapping, also known as SIM hijacking. It is mostly used in targeted and more sophisticated scams. The idea behind this technique is to execute a scam that results in swapping the ownership of the phone number associated with the user's login credentials to the scammer's SIM. A successful swap will enable scammers to intercept all communication and authentication (e.g., voice calls or SMS messages) being delivered to the swapped phone number.

For a SIM swapping scam to be successful the scammers need to be identified as the phone number owner by the service provider in order to request a change in the ownership. This kind of change in ownership will most likely require pre-knowledge from scammers of the targeted phone number owner's personal details, such as social security number, date of birth, or address.

A good example of a recent SIM swapping attack campaign that targeted well-known celebrities, musicians, and social media influencers was reported by the UK National Crime Agency (NCA). The NCA, in collaboration with other agencies, uncovered a network of criminals in the U.K. who were working together to access victims' phone numbers and take control of their applications or accounts by changing their passwords.

Bypass MFA using legacy authentication APIs

Another approach to bypassing MFA is to enter through the back door when the front door is heavily guarded. In many cases, during the process of upgrading authentication solutions and adopting MFA authentication, legacy access solutions might deliberately (or accidentally) remain intact to ensure business continuity for applications that are incompatible with MFA solutions.

Scammers who want to avoid the challenges associated with stealing OTP tokens will find legacy APIs and abuse them by launching attacks such as credential abuse campaigns. Such campaigns typically leverage credentials that were leaked as a result of data breaches, giving threat actors an easy opportunity to harvest compromised accounts by spreading those credentials across the internet to hunt for accounts that are being accessed with the same credentials.

Bypassing push notification authentication

In recent years, mobile push notification technology has been adopted with the promise of making the MFA authentication experience easier for users and more secure. Using mobile device push notification mechanisms improves the overall user experience and as a result, increases the adoption rate of MFA technologies. However, using MFA with mobile push notifications doesn't prevent phishing scams that are similar to the scenario of stealing OTP tokens. Victims who approve fraudulent push notifications that were created using stolen credentials will give scammers full access to their accounts.

Moreover, push notification authentication implementation is a gesture-based notification on mobile devices that only requires minimal user interaction, without the need to copy an OTP code to the accessed website, and that creates even more opportunities for abusing the user authentication process. The best example of this is credential stuffing attacks in which compromised credentials provide threat actors the ability to launch an internet-wide attack to hunt for accounts that are being accessed using the same credentials. In such attacks on websites that include push notification as a secondary authentication, a successful authentication using the stolen credentials will result with push notification being sent to that user. Users who mistakenly or by the force of habit approve such notifications being delivered to their mobile phone will have their account credentials compromised, without even directly participating in a scam.

An example of an attack that abused the push notification limitations was the Twitter hack in 2020 when Twitter employees' VPN accounts became compromised as a result of social engineering attacks. Once hackers had access to the internal applications, they were able to take over the Twitter accounts of politicians, celebrities, and entrepreneurs, as well as the accounts of several cryptocurrency companies. 

According to a report that describes the Twitter security incident in detail, "MFA is critical, but not all MFA methods are created equal. Twitter used application-based MFA, which sent a request for authentication to an employee's smartphone. This is a common form of MFA, but it can be circumvented. During the Twitter hack, the hackers got past MFA by convincing the Twitter employees to authenticate the application-based MFA during the login."   

Sealing the cracks

The use of MFA solutions increases the security posture for users and organizations, yet it is important to acknowledge that some MFA technologies are not fully protecting users from scams that compromise their accounts. This is bad news for individuals, but it can have severe consequences for organizations. All it takes is one employee to accept an illegitimate MFA push and the attacker has full account access. 

In order to reduce the risk from attacks that result in compromised accounts, I recommend the adoption of a multi-layer security authentication strategy that hardens the authentication process while protecting accounts from takeover attacks.

The authentication strategy needs to consider defensive capabilities on both ends: the client and the server. On the client authentication front end, the strategy should adopt authentication which assures that the device being connected is being validated via strong cryptography, eliminating the option for stolen credentials and tokens to be used from unauthenticated devices.

The FIDO2 protocol is an initiative that addresses those challenges and regulates a technology that eliminates the risks of phishing, all forms of password theft, and replay attacks while enabling ease of use and scalability. The technology behind the FIDO2 protocol ensures the use of cryptographic login credentials that are unique across every website, never leave the user's device, and are not stored on a server. FIDO2 is already supported by leading browsers and can be integrated by simple JavaScript API calls from those browsers.

On the server side, technology that protects web applications from abnormal access, overwhelming credential abuse attacks, and account takeovers can help as a complementary defensive layer to the user's authentication and reduce the risk of accounts becoming compromised. 

Authentication is a fundamental capability in security and innovation in associated technology will continue to thrive. At the same time, threat actors will continue to look for the cracks in the wall, finding ways to abuse and bypass authentication services. It is on us to seal those cracks to maintain impervious security, staying one step ahead of hackers by adopting the technology architecture and solutions that will reduce the chances of being exposed to emerging threats.

Learn more about Akamai's MFA solution at

Written by

Or Katz

March 17, 2021