How do account takeover (ATO) attacks bypass multi-factor authentication (MFA)?

By Sift Trust and Safety Team

July 20, 2023

Fraudsters are experts at adapting to their environment. As businesses implement more sophisticated fraud prevention measures, cybercriminals constantly look for ways to outmaneuver them. In response, more companies are adopting stronger user authentication, such as multi-factor authentication (MFA), to verify legitimate customers and keep fraudsters out.

MFA adds a second factor, such as a one-time password (OTP), on top of the password to verify a user's identity. It raises the bar but does not close the door: account takeover (ATO) attacks bypass MFA with OTP bots, SIM swapping, and MFA prompt bombing. And even if MFA were 100% effective, it adds friction for legitimate users, which can stall sales and slow growth.

Account takeover (ATO) attacks are a type of cyberattack in which an attacker gains unauthorized access to someone else's account, typically with stolen credentials. Once an account is compromised, it can be used to launch further attacks, make fraudulent purchases or transactions, or steal valuable information. According to Sift's Q2 2023 Digital Trust & Safety Index, ATO increased a concerning 427% in Q1 2023 compared to all of 2022.

In this blog, we explain three methods fraudsters use to bypass MFA during ATO attacks, and how businesses can protect themselves.

What is a one-time password (OTP) bot?

One-time password (OTP) bots are an automated fraud service used during ATO attacks. The attacker already holds the victim's stolen password and starts a login, which causes the service to send the victim an OTP. The bot then places a fake phone call or sends an SMS that impersonates the bank or service and asks the victim to read back or enter the code they just received. The bot relays that code to the attacker, who completes the login. In other words, OTP bots use social engineering to steal the one-time code, not the password, which is why a strong password alone is no protection here.

What is SIM-swapping?

Another tactic is subscriber identity module (SIM) swapping, an advanced ATO technique that intercepts OTPs delivered by SMS or voice call by temporarily taking control of the victim's phone number. The attacker uses social engineering to convince the victim's mobile carrier to move the line to a SIM card the attacker controls; every call and text to that number, including OTP codes, then arrives on the attacker's device. Note that this defeats only phone-based factors: codes generated by an authenticator app, and push prompts, do not travel through the carrier and are unaffected.

For example, fraudsters may pose as the account holder who has been locked out, or as a carrier employee helping a customer in a store. Attackers have even been known to bribe carrier employees to perform the swap.

What is MFA prompt bombing?

MFA prompt bombing (also called MFA fatigue) is an ATO technique that uses social engineering to get a user to approve an authentication attempt the attacker started. Holding the victim's stolen password, the attacker triggers login after login, each of which pushes an approval request to the victim's MFA app, and counts on the target becoming frustrated or distracted enough to tap Approve just to make the prompts stop.

For example, an attacker may send push notifications repeatedly in the middle of the night until the target accepts one so they can go back to sleep.
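The pattern described above leaves a clear trace in authentication logs: a burst of push prompts that were denied or timed out, followed by a single approval. The detector below is an added example and not code from Sift or this article; the log layout (timestamp, user, push result), the thresholds, and the sample lines are constructed assumptions to be mapped onto your identity provider's real export.

```python
"""Flag MFA push "prompt bombing" in authentication logs.

Added example, not code from Sift or this article. The log layout
(timestamp, user, push result) and the thresholds are assumptions;
map them onto your identity provider's real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one push-MFA event per line, "<ts> <user> <result>".
# result is one of: sent, denied, timeout, approved.
SAMPLE_LOG = """\
2023-07-19T02:41:10Z alice sent
2023-07-19T02:41:52Z alice timeout
2023-07-19T02:42:05Z alice sent
2023-07-19T02:42:40Z alice denied
2023-07-19T02:42:55Z alice sent
2023-07-19T02:43:30Z alice timeout
2023-07-19T02:43:41Z alice sent
2023-07-19T02:44:02Z alice approved
2023-07-19T09:15:00Z bob sent
2023-07-19T09:15:08Z bob approved
"""

WINDOW = timedelta(minutes=10)   # look-back over which prompts are counted
PROMPT_THRESHOLD = 3             # an approval after >= this many prompts is suspect
QUIET_HOURS = range(0, 6)        # 00:00-05:59 in the log's time zone (assumed UTC)


def parse(log):
    """Return (timestamp, user, result) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_prompt_bombing(log):
    """Return one alert per approval that followed a burst of prompts.

    A legitimate login is one prompt and one approval. Several prompts that
    the user denied or let time out, then a single approval (especially at
    night), is the prompt-bombing pattern.
    """
    sent = defaultdict(list)      # user -> timestamps of prompts pushed
    rejected = defaultdict(int)   # user -> denied/timed-out prompts since last approval
    alerts = []
    for ts, user, result in parse(log):
        if result == "sent":
            sent[user].append(ts)
        elif result in ("denied", "timeout"):
            rejected[user] += 1
        elif result == "approved":
            recent = [t for t in sent[user] if ts - t <= WINDOW]
            if len(recent) >= PROMPT_THRESHOLD:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "prompts": len(recent),
                    "rejected_before_approval": rejected[user],
                    "quiet_hours": ts.hour in QUIET_HOURS,
                    # Response to wire up: kill the new session and re-verify
                    # through a channel the user cannot approve by reflex
                    # (e.g. number matching), then check whether MFA or the
                    # recovery email was changed in the meantime.
                    "action": "revoke_session_and_reverify",
                })
            sent[user].clear()
            rejected[user] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, alice's 02:44 approval is flagged (four prompts and three rejections inside ten minutes, during quiet hours) while bob's one-prompt, one-approval login is not. Rate-limiting prompts per user and requiring the user to type a number shown on the login screen remove the "tap Approve to make it stop" path altogether.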

Once an account is compromised, fraudsters can disable security settings (e.g., MFA), reset passwords, and change account information (e.g., the email address) so the real owner is locked out. They can then use the compromised account, or sell it on the dark web, to make unauthorized purchases and transfers or conduct additional attacks.

How to prevent account takeover attacks (ATO)

Preventing account takeover (ATO) attacks requires multiple layers of defense, because multi-factor authentication (MFA) on its own can be bypassed. Device intelligence, IP address analysis, behavioral analytics, high-risk activity monitoring, and SIM swap detection each add a layer that does not depend on the user answering a prompt correctly, so an attacker who has beaten the second factor still has to look like the account owner.

The democratization of fraud, such as the sale of OTP bots on dark web forums, has lowered the barrier to entry for non-technical attackers. The automation of ATO has let it grow far faster than manual fraud review can keep up with. Furthermore, many businesses are reluctant to require MFA on every login because it is a source of customer friction that can slow sales and growth.

Sift's Digital Trust & Safety Platform is an automated fraud management platform that prevents ATO. One trillion events from the Sift global data network power its AI-enabled approach. Device intelligence detects unfamiliar devices, which are indicative of ATO. Behavioral analytics alert fraud prevention teams to high-risk account activity. Dynamic friction, the ability to enforce MFA only when a risk score warrants it, lets organizations tune the solution to their risk tolerance.
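To make the layered approach concrete, here is a small risk-scored login decision of the "dynamic friction" kind, covering the SIM-swap detection and device/behavioral signals discussed above. It is an added example, not Sift's platform code: the signal names, weights, thresholds, the carrier SIM-change timestamp and the sample users are all constructed assumptions. In a real deployment these values come from device fingerprinting, IP intelligence, behavioral telemetry, and a carrier SIM-swap lookup.

```python
"""Risk-scored login decisions ("dynamic friction") that are SIM-swap aware.

Added example, not Sift's platform code. Signals, weights, thresholds,
the carrier SIM-change timestamp and the sample users are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LoginAttempt:
    user: str
    device_id: str           # device-intelligence fingerprint (assumed)
    ip_asn: str              # network the login came from (assumed)
    ts: datetime
    password_entry_ms: int   # behavioral signal: time spent typing the password


@dataclass
class UserProfile:
    known_devices: frozenset
    known_asns: frozenset
    typical_entry_ms: int
    sim_changed_at: Optional[datetime]   # last SIM change reported by the carrier (assumed feed)


SIM_SWAP_LOOKBACK = timedelta(days=3)


def recent_sim_swap(a: LoginAttempt, p: UserProfile) -> bool:
    return p.sim_changed_at is not None and a.ts - p.sim_changed_at <= SIM_SWAP_LOOKBACK


def risk_score(a: LoginAttempt, p: UserProfile) -> int:
    """Additive score: 0 looks like the account owner, 80+ almost certainly does not."""
    score = 0
    if a.device_id not in p.known_devices:
        score += 40          # unfamiliar device: strongest single ATO indicator
    if a.ip_asn not in p.known_asns:
        score += 20
    if a.password_entry_ms < p.typical_entry_ms // 4:
        score += 25          # pasted/auto-filled far faster than this user ever types
    if recent_sim_swap(a, p):
        score += 30          # the phone number may currently belong to an attacker
    return score


def decide(a: LoginAttempt, p: UserProfile, step_up_at: int = 30, block_at: int = 80):
    """Return (decision, allowed MFA channels). The thresholds encode risk tolerance."""
    score = risk_score(a, p)
    if score >= block_at:
        return "block", []
    if score < step_up_at:
        return "allow", []          # no friction for a login that looks like the owner
    channels = ["authenticator_app"]
    # Offer SMS/voice OTP only when the SIM has not changed recently; right
    # after a SIM swap that channel delivers the code straight to the attacker.
    if not recent_sim_swap(a, p):
        channels.append("sms_otp")
    return "step_up", channels


def run_samples():
    """Three constructed logins; returns {scenario: (decision, channels)}."""
    now = datetime(2023, 7, 19, 14, 0)
    profiles = {
        "alice": UserProfile(frozenset({"dev-a1"}), frozenset({"AS7922"}), 4000, None),
        "bob": UserProfile(frozenset({"dev-b1"}), frozenset({"AS701"}), 3500,
                           sim_changed_at=now - timedelta(hours=20)),
    }
    attempts = {
        "alice_usual": LoginAttempt("alice", "dev-a1", "AS7922", now, 3900),
        "alice_bot_new_device": LoginAttempt("alice", "dev-x9", "AS9009", now, 120),
        "bob_after_sim_swap": LoginAttempt("bob", "dev-x9", "AS701", now, 3600),
    }
    return {name: decide(att, profiles[att.user]) for name, att in attempts.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:22s} -> {outcome}")
```

With these assumed weights, alice's routine login scores 0 and passes without a prompt, a login for alice from an unknown device and network with a pasted password scores 85 and is blocked before any OTP is sent, and bob's login from a new device one day after a carrier-reported SIM change scores 70 and is stepped up to the authenticator app only, so an attacker holding bob's phone number gains nothing from the SMS channel. Moving step_up_at and block_at is how a business trades friction against risk.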

With Sift, the end result is that businesses can prevent and detect ATO—with or without MFA.

Visit our Fraud Intelligence Center to discover more fraud schemes.

Tags: ATO, fraud prevention, MFA