Methods Fraudsters Use to Beat Two-Factor Authentication

While it is commonly accepted that passwords and the consumers who set them are inherently insecure, organizations put a lot of trust behind two-factor authentication (2FA) solutions. Here are several ways fraudsters have been able to beat this additional layer of security.

Malware. TrickMo malware followed TrickBot, a Trojan targeting the Windows operating system that has given fraudsters the access they need to install ransomware on business computers. Android smartphone users whose desktop is infected with TrickBot can be targeted with TrickMo, which hides in a purported mobile banking security app. Once installed, the app bypasses two-factor authentication by intercepting the one-time passcodes (OTPs) delivered via both SMS text message and push notification.

Many use Google Authenticator to complete 2FA checks, but it has fallen victim to attack as well. Another Android-based malware, called Cerberus, stole these 2FA codes from Google Authenticator in a February 2020 attack.

SIM Card Swaps. A less tech-savvy method is called a SIM swap, where fraudsters impersonate their target and contact the target's mobile phone provider. They say they've gotten a new phone and have the victim's phone number moved to a SIM card controlled by the fraudster. Now OTPs sent via text message or delivered by an automated phone call go right to the fraudster.

Social Engineering. The least intricate method relies solely on social engineering. When fraudsters are denied access to a consumer’s account until they provide the OTP, they simply call their target and pretend to be the bank or other organization that just sent the OTP. The unsuspecting consumer doesn’t know why they received a text message with a PIN or passcode, so the fraudster says they represent that bank or organization and are performing a security test to confirm ownership of the mobile device. The victim unwittingly hands the OTP to the fraudster, allowing the unauthorized access to continue despite the use of 2FA.
