MFA Fatigue, SIM Swaps, and Token Theft: How Attackers Beat 2FA

In 2022, an attacker walked through the defenses of a major rideshare company — a corporation with a real security team and MFA on everything — without breaking the MFA at all. They had a contractor's stolen password, and the MFA push prompts kept getting denied. So they simply kept sending them. Dozens of prompts, late into the night, followed by a WhatsApp message posing as IT: approve one and they'll stop. One tired tap later, the attacker was inside.

That's the state of the art in beating two-factor authentication: not cryptography, but exploiting the gap between how 2FA works and how humans behave at 11pm. Turning on 2FA was the right move — I've been telling you to since my SMS piece years ago — but "on" is no longer the whole story. Which second factor, configured how, decides whether these five attacks work on you. Consider this the threat briefing.

Dossier #1: MFA fatigue (push bombing)

The play: the attacker already has your password (breached, phished, stuffed — see the leak runbook). Your approve/deny push prompt is the only obstacle, so they trigger it relentlessly — at dinner, at midnight, at 3am — betting you'll eventually approve out of annoyance, confusion, or a thumb-slip. Sometimes garnished, as above, with a fake IT message supplying the excuse.

You'd notice: MFA prompts you didn't initiate. This is the part people misread — an unexpected prompt feels like the system working, but what it actually announces is your password is already in enemy hands. The prompt is the last wall, under active siege.

The counter: two layers. Behavioral: never approve a prompt you didn't cause, and treat its arrival as a fire alarm — change that password now, from a device you trust. Technical: number matching, where the login screen shows a code you must type into the authenticator. An attacker spamming prompts can't supply the number they can't see; the entire attack dies. Microsoft now enforces it in Authenticator (you met it during the account-lockdown walkthrough); enable the equivalent anywhere it's optional.
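For the defender's side of Dossier #1, here is the detection logic an identity team would run over push-prompt logs, added as an example that is not part of the original article; the log format, the user names and the window/threshold values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's MFA push log (format is an assumption,
# not any real product's output): ISO timestamp, user, outcome of the push prompt.
SAMPLE_LOG = """\
2024-03-02T09:12:44Z bob approved
2024-03-02T17:30:01Z bob denied
2024-03-02T17:45:10Z bob approved
2024-03-02T22:51:03Z alice denied
2024-03-02T22:51:41Z alice denied
2024-03-02T22:52:20Z alice timeout
2024-03-02T22:53:05Z alice denied
2024-03-02T22:54:30Z alice denied
2024-03-02T22:55:12Z alice approved
"""

def parse(log: str):
    """Turn log lines into (timestamp, user, outcome) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)

def find_push_bombing(log: str, window=timedelta(minutes=10), threshold=3) -> dict:
    """Return {user: verdict} for users whose prompts look like push bombing.

    A run of `threshold` or more prompts the user did not approve inside `window`
    means someone else holds the password and is triggering the prompts. An approval
    that lands while such a run is open is the tired-thumb outcome: treat it as a
    compromised account (reset password, revoke sessions), not as a successful login.
    """
    by_user = defaultdict(list)
    for ts, user, outcome in parse(log):
        by_user[user].append((ts, outcome))
    verdicts = {}
    for user, events in by_user.items():
        run = []  # unapproved prompts still inside the sliding window
        for ts, outcome in events:
            run = [(t, o) for t, o in run if ts - t <= window]
            if outcome != "approved":
                run.append((ts, outcome))
                if len(run) >= threshold:
                    verdicts[user] = "push bombing in progress: password is compromised"
            elif len(run) >= threshold:
                verdicts[user] = "approval after push bombing: treat account as breached"
    return verdicts
```

Bob's single denial followed by a normal approval fifteen minutes later stays quiet; Alice's late-night run of denials ending in an approval is the case to page someone on.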

Dossier #2: SIM swapping

The play: no malware, no exploit — social engineering against your phone carrier. The attacker, armed with personal details from breaches and social media, convinces a carrier rep to port "their" number to a new SIM. Or bribes an insider; that happens too. Every SMS code and account-recovery call now arrives at their phone, and they walk through your accounts' front doors via "forgot password."

You'd notice: your phone abruptly shows no service for no reason. That's the moment of transfer — and the start of a sprint, because the attacker is racing through your accounts while you're discovering your phone is dead. High-value targets (anyone publicly associated with cryptocurrency holdings learns this fastest) get hit hardest, but the technique is commodity crime now.

The counter: demote the phone number from your security architecture. Remove SMS as a 2FA and recovery method everywhere a stronger option exists — app-based codes at minimum, passkeys ideally. Then call your carrier and add a port-out PIN / number-transfer lock (every major US carrier offers one; it makes the social-engineering call fail). After that, a swapped SIM steals a number that no longer unlocks anything.

Dossier #3: Real-time phishing proxies (adversary-in-the-middle)

The play: the modern phishing kit — tools like Evilginx made it point-and-click — doesn't show you a fake login page. It shows you the real one, proxied through the attacker's server. You enter your password: relayed, works. You enter your authenticator code: relayed, works. You log in successfully, suspecting nothing — and the proxy in the middle keeps the prize: your session cookie, the token proving you've authenticated. The attacker imports it and is you, no password or code required. This is the attack that quietly obsoleted "I have 2FA so phishing can't hurt me" — your OTP code is phishable in real time.

You'd notice: almost nothing — the login genuinely succeeded. Maybe a wrong domain in the address bar, the one tell the proxy can't hide. Afterward: sessions or activity you don't recognize.

The counter: this is the attack passkeys were born to kill. A passkey is cryptographically bound to the legitimate domain — on the proxy's domain, the browser simply has nothing to offer, and there's no code for you to hand over. Supporting layers: password-manager autofill refusing to fire on a wrong domain is an early-warning system, and the domain-reading habits from my AI-phishing piece remain the human backstop.
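To make the "cryptographically bound to the legitimate domain" point concrete, here is a small model of the proxy scenario, added as an example rather than code from the article or from any real passkey implementation; the host names are constructed, and an HMAC over the client data stands in for the passkey's public-key signature so the block runs on the standard library alone.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

# Constructed hosts (assumptions, not real services).
REAL_ORIGIN = "https://login.example.com"          # the genuine site
PROXY_ORIGIN = "https://login.example-com.test"    # attacker's proxy relaying to the real site
RP_ID = "login.example.com"                        # relying-party id the passkey is scoped to

def otp_login(code_typed_into_proxy: str, code_server_expects: str) -> bool:
    """A one-time code carries no origin: relayed verbatim by the proxy, it still verifies."""
    return hmac.compare_digest(code_typed_into_proxy, code_server_expects)

class Authenticator:
    """Browser plus platform authenticator: signs over the origin the browser actually loaded."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # HMAC key stands in for the passkey's private key

    def get_assertion(self, origin: str, challenge: bytes):
        host = urlparse(origin).hostname or ""
        if host != RP_ID and not host.endswith("." + RP_ID):
            return None  # credential is scoped to RP_ID: on another domain there is nothing to offer
        client_data = json.dumps({"origin": origin, "challenge": challenge.hex()}).encode()
        return {"client_data": client_data,
                "sig": hmac.new(self.key, client_data, hashlib.sha256).digest()}

class RelyingParty:
    def __init__(self, key: bytes):
        self.key = key  # stands in for the registered public key

    def verify(self, assertion, challenge: bytes) -> bool:
        if assertion is None:
            return False
        data = json.loads(assertion["client_data"])
        if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge.hex():
            return False  # origin is inside the signed bytes, so it cannot be edited out later
        good = hmac.new(self.key, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(good, assertion["sig"])

def aitm_relays_otp() -> bool:
    server_code = "482913"  # constructed: the code the real site just sent the victim
    return otp_login(server_code, server_code)  # victim types it into the proxy, proxy relays it

def legitimate_passkey_login() -> bool:
    auth = Authenticator(); rp = RelyingParty(auth.key); ch = secrets.token_bytes(16)
    return rp.verify(auth.get_assertion(REAL_ORIGIN, ch), ch)

def aitm_relays_passkey() -> bool:
    auth = Authenticator(); rp = RelyingParty(auth.key); ch = secrets.token_bytes(16)
    # the victim's browser loaded the proxy's page, so that is the origin the authenticator sees
    return rp.verify(auth.get_assertion(PROXY_ORIGIN, ch), ch)
```

The OTP relay succeeds and the passkey relay fails for the reason the text gives: the browser declines to use the credential on the proxy's domain, and even a hand-built assertion naming the real origin fails the server-side signature check.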

Dossier #4: Infostealers and session theft

The play: skip the login ceremony altogether. Infostealer malware — typically arriving via cracked software, fake installers, or malicious ads — harvests the browser wholesale: saved passwords and the session cookies for every site you're logged into. Those cookies, sold in bulk on criminal markets, let buyers resume your sessions without ever seeing a login page. Your MFA was excellent; it was also already satisfied.

You'd notice: activity on accounts you "never logged into" from elsewhere; security emails about new sessions; in the worst cases, nothing until money moves.

The counter: this one's won at the endpoint, not the login screen — don't run untrusted executables (the cracked-software economy is an infostealer delivery service), keep Defender's protections actually enabled, and harden the browser holding the cookies. Damage control matters too: the "sign out everywhere" button revokes stolen sessions, which is why it appears in every incident checklist I write.

Dossier #5: The legacy holes — SS7 and OTP bots

The play(s): the telephone network's ancient SS7 signaling protocol allows SMS interception with carrier-level access — nation-state flavored, but real. Downmarket, OTP bots automate a scam call ("this is your bank's fraud line, read us the code we just sent") at industrial scale, talking victims into reciting their own one-time codes.

The counter: both are SMS-and-voice problems, and both evaporate the day codes stop arriving by SMS — Dossier #2's homework already covered you. Plus one absolute rule worth saying plainly: a code is something you type into a website, never something you speak to a caller. No legitimate institution phones you to ask for one. Ever.

The defense stack, ranked

Strip the five dossiers to their lessons and a clear hierarchy emerges. Passkeys beat #1, #3, and #5 outright and shrug at #2 — they're the single highest-leverage upgrade. Number-matching app authentication is the strong runner-up where passkeys aren't offered. SMS is the floor: better than nothing, demoted everywhere possible, with a carrier port lock as the consolation control. And running underneath the whole stack: clean devices and skeptical habits, because #4 ignores your authentication entirely and attacks the machine it lives on. 2FA isn't broken — the 2022 incident that opened this article was defeated by a tired thumb, not by mathematics. Configure the math so the thumb never gets a vote.