How fraudsters broke 2FA and 3 ways to counteract

PSD2 created a new security standard - 2-Factor Authentication. Fraudsters quickly broke it, but there are ways to stop them.

Hubert Rachwalski

Chief Executive Officer

27 May 2020


6 min read

PSD2 created a new security standard to be introduced by financial institutions - 2-Factor Authentication. The bar for fraudsters was raised and they needed to up their game. So they did - in two days, to be precise. But there are still some tricks up in fraud prevention providers' sleeves that they cannot defeat. Learn fraudsters' techniques of breaking the rules to then understand how to fight them effectively.

Background: how fraudsters broke 2FA

On September 16, 2019, PSD2 came into force, and on 18th September one of the world's biggest bank’s webpage was counterfeited. How did it happen even with new security standards and 2-Factor Authentication?


Graphic 1. A fraudster tries to register a new URL to be as close as possible to the original webpage URL. Stealing money is not the prime reason for this malicious activity. It’s about acquiring login data and stealing a digital identity. It gives access to other accounts, not only for banking services. And that’s why these "1 dollar" transfers are so lucrative for fraudsters.

Flaws in 2FA - how is it exploited?

This graphic shows step by step how fraudsters counterfeit text messages used as a second factor authentication to obtain access to the user’s bank account.


A targeted phishing campaign requires a lot of work from the fraudster but the final goal is not to obtain only usernames and passwords, but active session tokens known as session cookies that the real websites associate with logged-in accounts. These session cookies can be placed inside a browser to access the accounts they're associated with directly without the need to authenticate in the future. To obtain this, the fraudster only needs another authorization message from the bank. But as we proved it’s not an obstacle.

More pro IT ways of committing fraud - created for 2FA

Setting up a phishing attack requires technical knowledge and involves configuring multiple independent tools. That’s why fraudsters switched to a more sophisticated method. It’s an automated way of harvesting session cookies and users’ passwords stolen directly from their PCs. As a result, the fraudster doesn’t need to create this complex mechanism of two web pages.

There are two tools available freely on the internet - Muraena and NecroBrowser. The first one is used to harvest a password and session cookies from the user. Once a victim lands on a phishing site powered by Muraena, the login process works exactly as on the real website. The user is asked for a 2FA code. After providing it the authentication is completed, and the proxy steals the session cookie which is stored by the browser. This allows the website to automatically provide that browser with access to the account for a session length without asking for the login data again.

NecroBrowser allows you to plug this stolen data into a new session, and a bank or a payment gateway looks like a real session from a user whose session cookie has been stolen. This is happening without the user’s awareness.

What’s interesting is that both tools were created to commit a pen test to check security readiness before PSD2. They have been even configured for particular web pages and they include examples of how to steal cookies. They are widely accessible on the internet so it’s extremely easy for a newcomer to use them and steal the 2nd-factor data.

Learn 3 solutions to improve your security

Those examples illustrate that the fraudster starts the attack with a simple phishing technique and exploits the vulnerabilities of text messages and cookie sessions to achieve the goal. Banks use them as a security measure but actually, they were never invented for this purpose. They are overused in this matter and that’s why it is so easy for a fraudster to break 2FA. It’s crucial for financial institutions to understand that securing transactions through SMS and session cookies is not a way to battle fraudsters.

We know three better ways of how you can protect your business against these fraudulent activities.

1. Security key

It is hardware connected to your device, which thanks to cryptography is able to verify the exact device that you are using. This tool is very hard to circumvent and protects you against big-scale attacks. But there’s a price for such a level of security. The security key is not easy to use (definitely not as easy as SMS), not well known, and quite expensive, because it must be provided to the user (and users do not always have the key with them). And last, but not least, due to the above, it lowers conversion a lot. The question is - is this a price you are willing to pay for extra safety?

2. Something you are

User fingerprints, voice, face geometry, retina or iris can be used to check if the user is really whom he or she claims to be. These features are called non-behavioral data and are recommended by PSD2 as a valid form of user authentication - as an inherence factor.

All of the above seem quite hard to compromise, but fraudsters have already found a way to steal it too. Last year we heard about huge fingerprint and facial recognition breach which affected millions of users. Even a whole marketplace for stolen fingerprints appeared on the darknet. Of course, apart from being problematic for businesses, it creates a huge identity problem for users. Losing non-behavioral data is way worse for users than losing a password because they can’t change it, they are inherent.

3. How you behave

Each user creates an individual, physical interaction between him and his device (e.g., the way of moving the mouse, typing on the keyboard, or moving between tabs). If you analyze this data - with behavioral biometrics, you can get to know the flow of the users and recognize them over each login attempt.

This data is complex to hijack because the user behavior is far more complex. Users do not behave exactly the same - one day they might write slower, and on different days, way faster. But through complex analysis (with Machine Learning) the security system might detect and recognize those specific patterns. This way, even if a user's behavior changes, the system recognizes his or her behavioral flow. It is extremely hard for fraudsters to re-create activity or different moves of their victims. They could, for example, try to record and replay it, but machine learning algorithms would mark that kind of activity as a very suspicious one. You can read more about behavioral biometrics here.

As good as it sounds, it’s important to remember that you need the users’ prior history to train the models. So it will not work over the first login attempt. Therefore you will have to use other types of 2FA at the beginning in order to be able to switch to behavioral biometrics. It's recommended as it will pay off in the future.

Why create a law when the next day it’s circumvented by a fraudster?

With the new laws, it’s all about making it harder for a fraudster and raising the bar, but it’s not easy to do it in the best way when it comes to the internet. Even though 2FA provides more security, the way companies have adjusted to it has already been circumvented. That’s why you need to revise your fraud prevention strategy and use the most advanced technology to fight fraudsters. It’s a constant battle so you need a solution that evolves with or even before fraudsters.


If you liked this article and wish to prevent fraudsters from breaking your 2FA measures, get in touch to learn more about how our solution can benefit your business.

Ready to detect fraud just like Azul?

Ready to detect fraud just like Azul?

Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.

Book a call